I find myself being asked more and more to undertake reviews of risk processes. What some (who don’t know my views on the Three Lines of Defence) might call “second line reviews”. I always enjoy these reviews because they almost always get to the heart of three of my favourite subjects:
- The interaction between governance and risk (in other words board composition, board interest in risk and the board’s ability to engage with risk);
- Risk appetite (in my terms creating a “fight or flight” response in the organisation – with the necessary cognitive skills); and
- Risk culture.
Risk cannot be managed properly unless there is a good consistency between all three of these: the board needs to be the corporate brain setting the structure and enabling the sensory organs (everyone else in the organisation) to respond appropriately to risk. And the risk culture bit? Well, that is the bit that organisations are really struggling with because they do not know what the difference is between risk culture and organisational culture – a question that, dare I say it, even the IRM’s guidance on risk culture struggled to answer. On the other hand, I think I have defined the difference: the organisational culture manages how people respond to the here and now. The RISK culture manages how people respond to the stress of multiple futures. We all have multiple futures. The trick is making sure that they reduce to the best present.
Anyway, carrying out these second line reviews inevitably creates tension because so often the board and senior management think that you are reviewing the operational risk, whereas in fact you have to get to the heart of the organisation if you are going to review how well the firm manages risk.
This was beautifully illustrated recently where the reluctant CEO and CFO of a client had had a review forced on them by some wary non-execs. The aforementioned executives manfully resisted all recommendations until it came to the Audit & Risk Committee meeting, at which point the CEO declared that my review had been a “wake-up call” and the CFO advised the Committee that all of the recommendations were being dealt with.
Job done! Bring on more second line reviews!