Ask not what you can do for the board, but rather ask what the board can do for you…
We are all attuned to the requests that the board makes of risk professionals, but I was asked recently, what should we be asking for from the board. My response was as follows:
In the context that risk management can make a significant difference to the creation of a sustainable organisation over the long term, I developed a risk manifesto setting out what I would like the board to do. It consisted of just four things:
- The Risk Culture: I would like the board to lead by example in creating the space and demand for a balance between the organisational and the risk culture. In other words they need to create the space in the organisation where it is not only acceptable, but it is expected that people will say: “So if we do this to deal with our issues today, what impact will it have on our tomorrow?” The creation of a balance between the “here-and-now” of the organisational culture and the “tomorrow” of the risk culture is of paramount importance. Only the board can can create this space by making the demands of its people to answer the question: “And tomorrow…?”
- Risk Appetite: I would like the board to create and maintain the risk appetite and tolerance framework around which all risk management is undertaken. By doing this they are taking explicit responsibility for the keystone of risk management, and setting the fulcrum for a balance between risk and control, and looking at the capacity of the organisation to withstand risk. The creation of an appropriate risk appetite and tolerance framework will impose a business focus on risk management that otherwise will only ever be a bureaucratic exercise that burns useful time. Risk appetite and tolerance led from the board makes risk management board relevant and therefore organisationally relevant.
- Competence: I would like the board to make sure that everyone is aware of the benefits of doing proper risk management. This will require a significant commitment to training and a major communication effort which must belong to the board (in other words they too must take part and not duck out every time they are asked to attend a session). The board should lead with risk management training for themselves and then cascade it to the entirety of the organisation. This will unlock great potential for change which previously the board could only dream of, because everyone will understand better the new culture balance and the new approach to risk appetite and tolerance.
- Investment: And last but not least, I would like the board to commit to investing in risk management in the same way that they do for the backward-looking discipline of accounting. If we can count our past so effectively that we can count the cost of everything that happened up until just two nano-seconds ago, why wouldn’t we spend just as much time on the forward-looking discipline of risk management? After all, for those of us that aspire to lead long term, sustainable organisations, most of our value is based on what we will do tomorrow, not on what we did yesterday.
Are there caveats around this? Of course there are: before answering the question, the board has already to understand that we are talking about a series of activities and a culture that underpin decision-making in a complex environment. They need to understand that this is not a colouring-in exercise where they debate the colour of risks on a risk register. We have to be operating in an environment where the board is preoccupied about creating a long term, sustainable organisation. Only then is it worth answering this question. And I suppose once we have that clear, there is a fifth answer as well which is: “Hierarchy: I would like the board to think of me as helping them to achieve their objectives…”
This might leave you with two questions:
- What happens if my board is not asking me what I want them to do? Then that tells me that there is a lot of work to do on the board first. Getting to the point where they are asking exactly this will be your tipping point towards implementing great risk management. And
- Just how will we know when we have “great” risk management? You will know when risk management has moved from being the bureaucratic department of “No” to being the disruptive intelligence that pierces perfect-place arrogance.
You can download a copy of this manifesto here.
Richard Anderson is the former Chairman of the Institute of Risk Management and the founder of AndersonRisk.