Who owns risk management

Source: CFO.com

CFO's new risk management editor surveys a scene that now includes internal auditors, senior management, and employees -- as well as traditional corporate risk managers.

Caroline McDonald

After writing about risk management for more than a decade, I’m well aware of a disconnect often present between risk management and a company’s executives and board.

The situation has improved as more companies are focusing on risk—all risks, not just financial—in the wake of a number of natural, environmental, and fiduciary disasters.

After the BP Deepwater Horizon disaster, the Japan earthquake and tsunami, and floods in Thailand, for example, organizations are more aware than ever of reputational risks, supply chain issues, and protecting their infrastructure, to name a few of the most worrying concerns.

Risk managers have been advised to find, if not create, “a seat at the table” to make sure an organization’s risks are identified enterprise-wide, categorized, prioritized, and dealt with effectively. Getting the attention of executives can be difficult, however.

Last week at the Institute of Internal Auditors international conference in Boston, I heard a similar lament from another group of professionals—the internal auditors.

Because they report to the board, they are often charged with overseeing a company’s risks, from the identification process to mitigation. This is an aspect of their responsibility, but not their true function, they say. Instead, internal auditors are focused on objectively evaluating the effectiveness of risk management, control, and governance processes, and on making sure the company’s organizational objectives are met.

True, the CFO, chief executive officer, chief information officer, and board all have a stake in knowing and understanding their risks, but they need to be sure they are adequately informed. Too often upper management doesn’t really get interested until it’s too late, I’ve been told. After the flood, fire, or earthquake, they get very involved. But it’s better to learn from the lessons of others who have been through these situations than to experience them firsthand. That’s what risk management is all about.

What can executives do? Find out who in their organization is charged with identifying its various risks. Is it the independent auditors? Are risk managers involved? Is it left up to managers to do alone?

Risk managers have traditionally been seen as insurance buyers. But with the rise of enterprise risk management, they’re becoming more involved in their company’s overall risk profile. Managers, who generally work in specific areas of the company, may not have a good overall view of the risks. What key questions should be asked about potential risks to the company? These can range from whether the company can obtain parts for manufacturing in an emergency, to the security of its information technology, to the safety of employees.

Who should be asked these questions? Is it the managers, or should employees working in the field be involved in this identification process as well?

Pet Risks

Asking only those at the top can result in a list of “pet risks” that may or may not be what should be focused on. A manager with a rundown garage in his department may be focused on having it fixed up, for example.

In fact, one speaker at the conference said that he focuses first on those risks placed at the bottom of the list in importance—which would vary by company and industry. One reason, he says, is that managers trying to get things done in their departments may place those projects high on the risk list.

Also, executives should find out about the method being used to prioritize and mitigate risks. These processes vary, and what works for one company may not be suitable for another. The important thing is that the risks are viewed in detail, looking at the impact across the organization, not just one area.

Most importantly, how much backing does a risk committee have from top management? If the backing isn’t there, system-wide implementation of programs, such as making sure employees use safety gear when necessary, is most likely spotty. The results can leave a company open to potential lawsuits, damage to property, injury to employees or customers, or worse.

As many have discovered, “I didn’t know” is a poor defense. It’s like waving a red cape in front of a jury. But executives have discovered it’s never too late to get involved.