Four foundational elements frame what executive management and directors need to consider when implementing enterprise risk management (ERM). They are process, integration, culture and infrastructure. After discussing process and integration in recent months, we're moving forward to culture today.
Even the best-designed risk management process can be compromised if dysfunctional organizational behavior exists and is allowed to fester. If the CEO is not willing to pay attention to the warning signs posted by the risk management function, if the reward system is not sufficiently balanced with the long-term interests of shareholders, if the board is not asking tough questions about the assumptions and risks underlying the strategy, or if risk management is so mired in the minutiae of compliance that it is not focused sufficiently on strategic issues, it is unlikely that risk management will have a meaningful impact at the crucial moment when a strong contrarian voice is needed.
Blind spots exist in an organization when executive management misses or chooses to ignore warning signs that something is either wrong or isn't working. Objective parties, with the benefit of 20/20 hindsight, can see this easily from a mile away. A culture that is conducive to effective risk management encourages open communication, sharing of knowledge and best practices, continuous process improvement, and a strong commitment to ethical and responsible business behavior.
The message is clear: Effective risk management doesn’t function in a vacuum and rarely survives a leadership failure. The risk management function can review, inform, advise, monitor, measure and even resign. It cannot control and decide; that’s management’s job.
Without an effective internal environment in place to ensure that adequate attention is given to protecting enterprise value, entrepreneurial behavior can run amok, unbridled and without boundaries or constraints. By "internal environment," we mean the whole package: the control environment, management's operating style, the incentive compensation structure, a commitment to ethical and responsible business behavior, open and transparent reporting, clear accountability for results, and other aspects of the organization's culture.
Key Indicators That Blind Spots Exist
Ensuring an effective risk culture is an important task for executive management and the board. Following are 10 key indicators that collectively provide red flags signaling that potential issues and organizational “blind spots” may exist within the organization:
- Management does not involve the board in strategic issues and important policy matters in a timely manner.
- Risk management responsibility is not adequately defined or linked to the reward system or, worse, the compensation program incents unbridled risk-taking that the board does not understand.
- “Star performers” are making a lot of money achieving an unexpected or unusually high level of profitability and no one understands why.
- Risk is an afterthought to strategy-setting and business planning, i.e., risk is not considered explicitly by management when updating the business strategy or plan, or when evaluating whether to enter new markets, introduce new products or consummate a complex acquisition involving a completely different line of business.
- Risk management is an appendage to performance management, leading to a lack of focus on the potential for changes in existing risks or the emergence of new risks.
- There is evidence of unhealthy internal competition and/or significant pressure to achieve unrealistic targets, fostering a “warrior culture” or an “eat what you kill” environment that can lead to unacceptable business behavior and the undertaking of inappropriate risks.
- There exists a “tunnel vision” line of sight on “making the numbers,” which can result in missing shifts in the business environment that affect the critical assumptions underlying the business strategy and give rise to emerging risks.
- There is senior executive resistance to bad news, such as a dominant CEO who resists contrary facts suggesting the current strategy requires adjustment to conform it to market realities.
- There are known gaps and overlaps in responsibilities for managing significant risks that are left unaddressed.
- There is tolerance for conflicts of interest in the execution of significant business activities.
Culture makes a difference. While the above list is not intended to be all-inclusive, the overall message is that risk culture is really about striking an appropriate balance between creating and protecting enterprise value. For example, if management's focus is always on the short term (i.e., the next month or quarter), the organization could end up undertaking risks or ignoring emerging risks that mortgage its future to benefit the present. While balancing value creation and preservation, as well as balancing short-term and long-term objectives, is a relatively straightforward concept, it requires effective leadership and discipline to pull it off.
About the Author
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO.