In my last post I discussed how critically important risk taxonomy is for the success of an ERM program – the need for the organization to agree on risk-related terminology, formalize it as part of the organization’s risk management practices, obtain formal sign-off from executive management and the board of directors, communicate it to stakeholders, and operationalize it within the organization’s governance tools.
Another critical aspect of ERM program enablement is the attitude and commitment of the organization’s senior leadership. This “Tone at the Top” significantly influences the effectiveness of an organization’s ERM program in the following ways:
- The scope of the ERM program. To truly be an ERM program, the scope must be holistic and include all operating units, geographies, risk types, products, processes, etc.
- The degree to which managers feel responsible for risk management. Optimally, risk management should be the responsibility of each and every manager, regardless of their position within the organization, and as risk managers, each manager should be accountable for understanding their key risks and maintaining the appropriate internal controls within their domain of responsibility.
- The consistency of risk decisions. Consistent risk decisions are encouraged by establishing and enforcing aligned risk appetite, tolerance, and delegated management risk-taking authorities, and escalating decisions to successively higher authority as thresholds are exceeded. The degree to which the “official” risk management rules are set aside to fast-track an initiative, accommodate a pet project, or avoid confronting an exceptional, difficult, or politically connected manager will undermine the effectiveness of the ERM program.
- Risk management agility. The probability of the organization meeting its objectives, whatever they may be, depends on how quickly management becomes aware of and responds to changes in its risk profile. Fostering the necessary information transparency throughout an organization, and the accountability to respond when appropriate, requires the commitment of senior leadership.
- The amount of resources committed to manage risk. Capital investment and human resource commitments should be consistent with the degree of effectiveness necessary to manage risk within the appetite and tolerance of the organization.
- Aligning compensation to desired behavior. Incentive compensation that influences risk taking outside desired boundaries or potentially compromises the role of persons in control positions is inconsistent with sound risk management practice.
Individuals charged with the responsibility for the effectiveness of the organization’s ERM should seek to secure a tone at the top, both in word and action, that leaves no doubt about the organization’s commitment to risk management best practices. Fortunately, executive management and boards of directors have plenty of obligations and incentives to establish a strong tone at the top, including regulatory obligations, threat of shareholder suits, and empirical evidence of the superior performance of organizations practicing ethical business and holistic risk management. Focusing senior management’s attention on these obligations and incentives may go a long way to secure the necessary commitment, if such commitment is not everything it should be today.