While developing a robust approach to risk may begin with the board, it’s up to the CEO and senior executive team to lead by example so that policies and behaviours are both consistent and joined-up. Unfortunately, this is something that many organisations struggle to get right, which results in a disturbing lack of clarity about how to report on and effectively manage the multiple risks every business faces.
Paul Cardoen, Managing Director at the Bank of Tokyo-Mitsubishi, says that “it’s not the policies and rules that create prudent risk behaviours, it’s the culture in which people operate,” and firms struggle when there is no alignment between the two. He explains: “You can say: ‘This is the risk tolerance we have,’ but if you then heavily incentivise the same person to rapidly expand the business and double the budget, you will sooner or later face an issue.
“Risk is not just about putting up a framework of rules, it’s about having a communication and leadership style that creates appropriate behaviours which are embedded in the culture.”
A framework should be used to identify, manage and communicate risks, but it needs to be linked from the top to the bottom of an organisation. Ruth Murray-Webster, Director for Risk in the Boardroom at KPMG, comments: “Risk appetite should be expressed in the units of measurement used for normal performance tracking – it then becomes much clearer what the risks are and which ones it is important to focus on.
“For risk management to really work it needs to be aligned with business objectives and performance management… Organisations that only think about frameworks tend to be… very good at doing analysis and understanding the potential risks, but are not actually doing anything about them.”
A CEO needs to have the assurance that the people are in place to act when necessary. Steven Cooper, CEO of Personal Banking at Barclays, says: “Ultimately I’m accountable for the risk of the business, but that doesn’t mean I have to run the risk function.
“But I want the Chief Risk Officer… to sit on my executive committee. I want them to inform and educate the rest of the executive committee [about] the importance of risk and what the risk position is, and to help the business grow but in a controlled way.”
John Shelley, Chief Risk Officer of RBS, Asia Pacific, comments: “I believe the Chief Risk Officer’s job is to… call it out if it's not happening, but it’s a CEO’s job to own risk. If it’s not something they live and breathe, then it won’t be part of the culture for that organisation.
“It’s all very well for the CEO, board of directors and the executive committee to say: ‘Right, we’re this kind of organisation, we operate this way,’ but do their people in the field actually act like that?”
It’s fundamental that risks are identified and that the policies in place clearly reflect the company’s standpoint. “Helping people avoid risk is our first approach, but… there have to be sanctions, people need to know that if they cross these lines there will be consequences,” John says.
“For example in a bank trading room… the severity of a risk breach will be assessed at level one, two or three… Everybody gets it wrong now and again, but if you have a couple of level ones in close succession then we’ll be looking very closely; if you’re level two or three, then we’d probably be into formal disciplinary proceedings.”
Stay in touch
The flow of information across a company should be transparent, so employees feel they can provide feedback on where they believe unnecessary risks are being taken. John Kinirons, Chief Industrial Safety Officer at EDF Energy, comments: “The employees on the frontline… have a part to play, not only in recognising what the company is trying to achieve, but also the sanctions or consequences of not achieving those. [Then they need] to understand what support mechanisms are in place and what they can report on.”
It's something that ultimately has to come from the top. Heather Benjamin, Non-executive Director at Portsmouth Water, says: “The key people should drive this by demonstrating that it’s not just something that they say, but something they do. And making sure it’s [seen] at all levels of the organisation.”
Paul says: “It’s about leadership, communication, and transforming good risk management into good business practice… It needs to become an automatic discussion at every contact point in the lifecycle of a firm. It starts [during] recruitment, and that… continues with evaluation, it’s in the writing of a policy, it’s in the CEO’s speech; it’s in the values set by the board.”
I hope to see you soon