One gauge of how successful a company is at creating a risk management culture is the extent to which risk management within the company is regarded as something positive, an added value, or whether it is seen, at best, simply as non-negative. Creating that internal culture can be challenging.
I believe communication is the key, and communication and reporting standards emerged as a significant focus of concern in the study on risk management leadership in which FERMA and the public sector risk management association PRIMO collaborated with Harvard Business Review Analytics and insurer Zurich.
To create an enterprise-wide risk management culture, communication needs to be encouraged in three directions: top-down, bottom-up, and between the audit committee and the board.
The top-down part communicates the company’s goals and tools: how we do it, why we do it and so on. Then everybody knows not just that risk management is supported by the board, but also that it is an added value for the group.
Bottom-up communication encourages business unit and function leaders to ‘own’ risk. This means they understand that if they raise an issue within their own purview, their action will be seen as an effort to improve and protect the company’s position, rather than treated as a source of blame.
Finally, the third communication channel ensures that the board hears about and discusses risks detected by the audit committee, and that the audit committee is aware of resulting decisions.
It was encouraging to find that the majority of companies in the survey have education and review processes that keep the board and senior management regularly informed about their risk exposures. Three-quarters of the responses said that the risk function is a channel through which senior management gathers information, intelligence and advice on risk.
Yet, there is considerable room for improvement. It is less encouraging that 40 per cent said that their organisation had not yet set up a broad-based cross-functional risk committee. This committee, which must be independent and derive its authority from the board to be effective, plays a crucial role in making sure all relevant levels of management discuss the company’s risk profile thoroughly and pass on information that enables the board to make evidence-based decisions.
Without a risk committee, there is less opportunity for a company to have extended discussions about its risk appetite and risk tolerance across functions, and so for the board to get an enterprise-wide perspective.
Next year, FERMA will conduct its seventh pan-European risk management benchmarking survey and it will delve further into some of these issues. It will be interesting to see how our results relate to the findings of this work.
The report is available: Leadership in Risk Management report
For more information, visit the page https://www.ferma.eu/leadership-in-risk-management