Corporate Compliance Insights

5 Key Principles of Successful Risk Management

by Jim DeLoach
December 6, 2017
in Featured, Risk

Building A Strong Strategy From the Ground Up

There is no one-size-fits-all solution for the risk management function; how risk is governed varies across industries and organizations. But there are five interrelated principles that underlie effective risk management within organizations in both good times and bad – integrity to the discipline of risk management, constructive board engagement, effective risk positioning, strong risk culture and appropriate incentives.

Below, we discuss these five fundamental tenets integral to ensuring the success of the independent risk management function.

Integrity to the Discipline of Risk Management

Integrity to the discipline of risk management means having a firm grasp of business realities and disruptive market forces, and engaging in straight talk with the board and executive management about the related risks to achieving the organization’s objectives and about the capabilities needed to reduce those risks to an acceptable level.

Integrity to the discipline follows from a strong tone at the top – what the C-suite stands for, how senior executives provide leadership with respect to the appropriate governance and behavior around doing the right things in the right way, and ensuring the affairs of the business are conducted in a fair and transparent manner and at arm’s length. If tone at the top is lacking, the executive team isn’t paying attention to the warning signs and the organization’s affairs are so complex that few can understand them, then risk management faces an almost insurmountable challenge to making a difference.

Consider the following common examples, some strategic and some tactical, of integrity failures:

  • Not grasping business realities clearly – The global financial crisis is a good example of what can happen when the inherent risks associated with aggressive, growth-oriented market strategies are discounted, ignored or never considered. Breakdowns in time-tested underwriting standards, failures to consider concentration risks and excessive reliance on third-party assessments of structured products are among the root causes of the crisis. In many financial institutions, risk management was irrelevant.
  • Not integrating risk with strategy setting – When risk is an afterthought to strategy, risk management fails to reach its full potential as a discipline. The critical assumptions underlying the corporate strategy must be understood at the highest levels of the institution and the external environment must be monitored to ensure that these assumptions remain valid over time. This era of disruptive change necessitates raising the line of sight for risk management to a strategic level.
  • Not tying risk tolerance to performance – Risk is often an appendage to performance management. How does an organization even know that it is doing an efficient job of managing risk when it hasn’t delineated its risk appetite and risk tolerances at the level at which decisions are made? Performance and risk must be integrated, and to that end, defining thresholds linked to performance objectives is essential.
  • Limiting risk management to a compliance activity – Integrity to the discipline means knowing that undertaking initiatives to manage uncertainty (risk) in the pursuit of business objectives is not strictly a regulatory compliance measure. Viewing risk management as a “regulatory” check-the-box exercise restrains its value proposition and contribution to the entity’s success.

These examples illustrate that integrity must permeate every aspect, every level and every action within the organization as it relates to managing risk. Hoping that risks are managed sufficiently while knowing that business realities are not actively monitored, risks are not really understood, tolerance levels are not set (or are ignored) or projects are performed solely to meet regulatory guidelines is an indicator that integrity to the discipline of risk management is lacking.

Constructive Board Engagement

Effective board risk oversight begins with defining the role of the full board and its standing committees with regard to the oversight process and working with management to understand and agree on the types (and format) of risk information the board requires. Directors need to understand the company’s key drivers of success, assess the risks in the strategy and encourage a dynamic dialogue with management regarding strategic assumptions and critical risks.

The scope of the board’s risk oversight should consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources to deliver on expectations. The board should pay attention to the potential risks in the company’s culture and monitor critical alignments in the organization – of strategy, risk, controls, compliance, incentives and people. Finally, the board should delineate the most critical enterprise risks from the day-to-day risks of managing the business and consider emerging and interrelated risks – i.e., what’s around the corner?[1]

Effective Risk Positioning

While the positioning of the risk management function is not a one-size-fits-all prescription, there are fundamental principles that make it work. The board’s and executive management’s expectations for the chief risk officer (CRO), or equivalent executive, and the risk management function must be carefully considered, and given those expectations, the function must be positioned for success as a separate line of defense. To this end, six key factors increase the function’s chances of success:

  • The CRO (or equivalent executive) is viewed as a peer with business line leaders in virtually all respects (e.g., compensation, authority and direct access and reporting to the CEO) and likewise down through the business hierarchy and across the organization.
  • The CRO has a dotted reporting line to the board or a committee of the board and faces no constraints of any kind in reporting to the board.
  • The board, senior management and operating personnel believe that managing risk is an organizational imperative and everyone’s job.
  • Management values risk management as a discipline equal to opportunity pursuit.
  • The CRO is clearly viewed as undertaking a broader risk focus than compliance.
  • The CRO’s position and how it interfaces with senior line and functional management is clearly defined.

While these attributes may not be exhaustive, they represent a significant step forward in ensuring the risk management function is impactful, setting the tone for effectively functioning risk management. Taking one or more of these elements away produces a red flag that the risk management function may be unable to fulfill its expected role and lacks real authority or influence. Depending on the expectations, the function may be set up to fail.

Strong Risk Culture

An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. While risk culture has gained traction in terms of relevancy in financial services in the post-global financial crisis era, the occurrence of reputation-damaging incidents, the decision-making processes preceding those events and the lack of response readiness once those events occurred have made risk culture a topic of interest in other industries, as well.

Culture is influenced by many factors. We’ve discussed two – the tone at the top and the quality of the board’s risk discussions. Other factors include:

  • Accountability – Successful risk management requires employees at all levels to understand the core values of the organization and its approach to risk, to be capable of performing their prescribed roles, and to be aware that they are held accountable for their actions in relation to expected risk-taking behaviors.
  • Effective challenge – A sound risk culture encourages an environment in which decision-making processes allow expression of a range of views, manage the effect of bias and facilitate reality-testing the status quo.
  • Collaboration and open communications – A positive, open, collaborative environment engages the most knowledgeable people and leads to the best decisions.

Incentives that encourage risk awareness and risk-informed decisions help shape risk culture, as discussed below.

Appropriate Incentives

Performance and talent management should encourage and reinforce maintenance of the organization’s desired risk behavior. The old saying, “What gets rewarded gets done” is as true with risk management as it is with any other business process. Disconnections in the organization’s compensation structure and an excessive near-term focus can lead to the wrong behaviors, neutralizing otherwise effective oversight by the board, the CRO and other executives.

For example, if lending officers are compensated based on loan volumes and speed of lending without regard for asset quality, reasonable underwriting standards and process excellence (e.g., their compensation is not adjusted for borrower and collateral riskiness, portfolio concentrations and the likelihood of unexpected losses), the financial institution may be encouraging the officers to game the system to drive up their compensation and thus expose the company to unacceptable credit risk.

This principle requires more than focusing on C-suite executive compensation and upper management. Just as important is an understanding of the incentive plans driving behavior in the sales force and on the “factory floor” where production occurs, as this is where individual “moments of truth” occur that add to, reduce or neutralize the buildup of risk within the organization every day.

Questions for Executives and Directors

In summary, following are some suggested questions that executive management and boards of directors should consider:

  • Does executive management openly support each line of defense to ensure it functions effectively – e.g., the primary risk owners (lines-of-business leaders and process owners whose activities create risk), independent risk and compliance management functions and internal audit? Is there timely consideration of escalated matters by executive management and the board (the final line of defense)?
  • Do primary risk owners identify and understand their respective risks and risk appetite? Do they escalate issues to executive management in a timely manner? Is the board of directors engaged in a timely manner on significant risk issues, particularly the critical enterprise risks?
  • Are there any elements of ineffective positioning of the risk management function present in the organization? Is the CRO (or equivalent executive) viewed as a peer with line-of-business leaders? Does the board leverage the CRO in obtaining relevant and insightful risk reports? Does the CRO have a direct reporting line to the board?
  • Is risk management a factor in the organization’s incentive and rewards systems? Is the risk/reward balance an important factor in key decision-making processes? Do information systems provide sufficient transparency to the entity’s risks?
  • Has the board articulated its risk oversight objectives and evaluated the effectiveness of its oversight processes in achieving those objectives? Is the board receiving the information and insight it needs? If there are any gaps that may impede risk oversight effectiveness, is the board taking steps to address them?

[1] National Association of Corporate Directors, Risk Governance: Balancing Risk and Reward, 14-19: www.wlrk.com/docs/1605831_1.pdf.

Jim DeLoach
Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.