- Board Commitment: I am not talking about your board passing a resolution. Every board does that. What you need to assess is whether the board actively supports risk management. Does risk management have at least two channels of communication with the board, one of which does not pass through the CEO? Can you identify an instance where a recommendation originated within risk management and was implemented by the board? Has the board ever requested specific information from risk management, or do they passively accept whatever reporting you provide? If this is an area where you need help, ask me about my Board Partnership Building program.
- Independence: Everyone agrees independence is important, but what does it mean? To avoid conflicts of interest, keep risk-taking and risk management functions separate. Start with lines of reporting. Optimally, the risk management function should report directly to the board. Barring that, having it report directly to the CEO or CFO is a common solution. Risk management should have its own budget and resources. Risk-taking units should have no input on risk management staff performance evaluations. To prevent the common problem of risk management staff shopping themselves to risk-taking units, there should be strict controls over internal transfers involving risk management staff. Make sure you have formal policies and procedures on this and assess whether they are working.
- Transparency: This is practically a litmus test: firms that lack transparency lack effective risk management. It’s as simple as that. To manage risk, you need to shine a light on problems, on uncertainties, on mistakes, on conflicts of interest. This can be challenging. Transparency is not about keeping a couple of executives informed. It is about keeping the board, management and staff informed. Private conversations are not transparent. Detailed risk reports are. If you are not there yet, expect resistance—or at least some hesitation. The benefits are enormous. If you need help, ask me about the Transparency Challenge, a consensus-building program for your management team and/or board.
- Accountability: The single most effective way to manage risk is to hold people accountable. If employees feel that their reputation, their bonus, or their career is on the line, they will take risk seriously. How do you make people accountable? Plenty of ways! Don’t let people hide behind group decisions. Insist that one person’s name goes on any important decision. Don’t let people hide behind plausible deniability either. Inform people about what is going on. Document that you informed them. A daily risk report is an excellent vehicle for doing so. The entire company needs to get behind this. Start with the board and senior management. Don’t attempt to impose accountability. That will lead to conflict. Instead, make accountability part of your corporate dialogue—persuade people—long before you propose changes.
- A Good Corporate Culture: It is surprising how much you hear about this, as if the secret to risk management is corporate culture. Far from it! But corporate culture and risk management go hand-in-hand. Where one is strong, the other is usually strong as well. I can visit a company and, just talking to employees, get a good sense of how effective risk management is—Is there candor? Is there fear? Is there enthusiasm? Is there politics? Is there teamwork? Do people look me in the eye? Things you do to develop effective risk management also develop a positive culture. Don’t think of them as separate tasks. Pursue them together. If you need help with this, ask me about my Risk Culture 360 & Action Plan. It starts with me visiting your company—and just talking to employees.
Change does not come easily. If your organization is missing any of these, you need to provide leadership. Set a long-term goal. Carefully plan how to achieve it. Start with communication, education and persuasion. Proceed to implementation only when your organization is ready. Don’t be shy about asking me for help. That’s what I am here for.