Corporate boards must increasingly oversee and govern unfamiliar and complex risks as businesses expand to new markets, outsource larger portions of their processes, and face new technological threats.
Many of these risks have the potential to very quickly disrupt a business, damage its reputation, and destroy value.
In the UK, where the Financial Reporting Council urged boards in 2014 to beef up their risk management and internal controls, a group of thought leaders organised in the Tomorrow’s Company’s Good Governance Forum suggested that companies appoint executive risk leaders to support their boards.
“Board agendas are already being stretched, but boards cannot delegate their ultimate responsibility for risk management and internal control,” the forum’s guide on risk leadership reads. “… Having in place an executive voice of risk in the organisation that leads the risk agenda helps deliver the business model and drive business performance.”
That executive voice of risk does not exist at many organisations. Fewer than half (46%) of organisations that participated in a global CGMA survey by the Enterprise Risk Management Initiative at North Carolina State University’s Poole College of Management had designated a senior risk executive such as a chief risk officer in 2014. Larger companies were more likely to have taken that step (58%), and the designations were most common among financial services organisations (80%).
Risk officers most often report to the CFO, the board of directors, or the CEO, according to a 2014 survey by the Federation of European Risk Management Associations.
A CFO and senior risk executive can build on each other’s skills, according to Gillian Lees, head of research and development at the UK Chartered Institute of Management Accountants, an American Institute of CPAs partner.
“For example, the CFO and CRO should review strategy, implementation risks, and performance and consider whether additional mitigation or contingency actions need to be recommended to keep the strategy on track – and whether there are emerging opportunities that could be seized,” Lees said in the forum’s guide on risk leadership.
But an executive risk leader can be a tough appointment. To be successful, according to the forum group, he or she must be:
Independent and influential. Understand all parts of the business, its stakeholders, and its drivers to create and maintain a pragmatic, business-focused framework. Align the business with a balanced risk/reward approach for effective commercial business decisions. Take ownership of the risks and continually improve, adapt, and evolve.
A clear and concise communicator. Build a network across business functions to embed the appropriate risk culture. Drive a strategy to a mature risk culture that is right for the business.
A standard bearer for what’s right. Establish a culture where learning from mistakes is possible. Help the board set the risk appetite in line with the business model and act as wise counsel and effective challenge to the CEO, board, and broader business.
Credible. Create vision and purpose for the risk function and tackle challenges including succession and “future-proofing” functions.
To determine whether their organisation’s risk leadership should be enhanced, how to find the right risk leader, and what a risk leader needs to be successful, the forum’s guide to risk leadership suggests that board members should:
- Consider risks and opportunities in the context of the organisation’s strategy, which will allow them to align their business model, strategy, and risk agenda.
- Assess how well their vision for the risk function and its leadership is aligned with the visions of the chair and the CEO, to avoid unnecessary challenges for a newly appointed risk leader.
- Define the role of the risk leader based on the organisation’s risk maturity.
- Build effective relationships with all those in the organisation who can give an early warning of quickly changing risks and identify opportunities.
- Make sure the organisation’s culture supports establishing a role for a risk leader.
- Set the risk leader’s mandate based on how the organisation’s risk culture should evolve.
Related CGMA Magazine content:
“Why Risk-Management Leaders Generate Higher Profits”: Executives and corporate directors believe business uncertainties and threats are increasing, a PwC survey suggests. The survey results explain how improved risk-management programmes can improve financial performance.
“Risk Management Provides New Opportunities for Internal Auditors”: Business leaders would like more substantial risk-management input from internal auditors, a PwC survey shows. Although barriers can discourage internal auditors from increasing their influence, a growing number of business risks present an opportunity for them to add value.
“Five Key Defences Against Risk”: Maintaining a healthy tension between entrepreneurial risk and protection of enterprise value is a challenging task for risk management and internal control. Organisations can use five lines of defence to achieve the appropriate tension.
—Sabine Vollmer (firstname.lastname@example.org) is a CGMA Magazine senior editor.