Four foundational elements frame what executive management and directors need to consider when implementing enterprise risk management (ERM). They are process, integration, culture and infrastructure. After discussing process and integration in the past months, we’re moving forward to culture today.
Even the best-designed risk management process can be compromised if dysfunctional organizational behavior exists and is allowed to fester. If the CEO is not willing to pay attention to the warning signs posted by the risk management function, if the reward system is not sufficiently balanced with the long-term interests of shareholders, if the board is not asking tough questions about the assumptions and risks underlying the strategy, or if risk management is so mired in the minutiae of compliance that it is not focused sufficiently on strategic issues, it is not likely risk management will have a meaningful impact at the crucial moment when a strong contrarian voice is needed.
Blind spots exist in an organization when executive management misses or chooses to ignore warning signs that something is either wrong or isn’t working. Objective parties, with the benefit of 20-20 hindsight, can see this easily from a mile away. A culture that is conducive to effective risk management encourages open communication, sharing of knowledge and best practices, continuous process improvement, and a strong commitment to ethical and responsible business behavior.
The message is clear: Effective risk management doesn’t function in a vacuum and rarely survives a leadership failure. The risk management function can review, inform, advise, monitor, measure and even resign. It cannot control and decide; that’s management’s job.
Without an effective internal environment in place to ensure that adequate attention is given to protecting enterprise value, entrepreneurial behavior can run amok, completely unbridled and without boundaries or constraints. By “internal environment,” we mean the whole package – the control environment, management’s operating style, the incentive compensation structure, a commitment to ethical and responsible business behavior, open and transparent reporting, clear accountability for results, and other aspects of the organization’s culture.
Ensuring an effective risk culture is an important task for executive management and the board. Following are 10 key indicators that collectively provide red flags signaling that potential issues and organizational “blind spots” may exist within the organization:
Culture makes a difference. While the above list is not intended to be all-inclusive, the overall message is that risk culture is really about striking an appropriate balance between creating and protecting enterprise value. For example, if management’s focus is always on the short term (i.e., the next month or quarter), the organization could end up undertaking risks or ignoring emerging risks that mortgage its future to benefit the present. While balancing value creation and preservation, as well as emphasizing short-term and long-term objectives, is a relatively straightforward concept, it requires effective leadership and discipline to pull it off.
About the Author
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO.
Jim DeLoach has over 35 years of experience and is a member of Protiviti's Solutions Leadership Team. With a focus on helping organizations respond to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner, Jim assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2016.