What to Do When the Board Demands a List of Top Risks
Tim Leech recently asked this question in a LinkedIn post: "What should a CRO or CAE do if the board insists they still want a list of 'top risks' plotted on a color risk profile, and soundly rejects the ISO view that 'risk' is the 'effect of uncertainty on objectives' and the COSO position that 'risk' is 'the possibility that events will occur and affect the achievement of strategy and business objectives'?"
My response was: The roles of the chief risk officer (CRO) and chief audit executive (CAE) should not be mixed up like this.
If the company is managing a list of risks instead of the business, I believe the CRO has a clear opportunity and obligation to show a better way.
Provide the list of risks (it still has some value), but team with performance management to also provide a list of objectives, their current status, and the likelihood they will be achieved by the end of the period.
The CAE is in a very different position, unless they are also CRO (in which case, the above applies).
The CAE should not assess and provide an opinion on whether the company is in compliance with its risk management policies.
Instead, the CAE should provide an opinion on whether risk management practices meet the needs of the organization. That will entail pointing out how a list of risks fails to drive decision-making and success.
The Boss Doesn't Always Know What They Need
While it is difficult, as Tim points out, to tell the boss they are wrong, whether we are the head of risk management (CRO) or internal audit (CAE), we have a professional responsibility to provide leaders with what they need.
Sometimes, they don’t know what they need! Their experience, which may be at other organizations, has put them in a box. If they liked what they had before, it can be difficult to change.
Defining the CRO Role
As I said in my comment, we shouldn’t mix up the roles and responsibilities of the CAE and CRO.
The CRO is responsible for helping management and the board understand what might happen, so they can make the appropriate strategic and tactical decisions necessary for success.
The CRO helps management and the board take the right level of the right risks.
While a list of top risks has some value, it is not enough to inform decision-making. It is rare for a decision-maker to refer to the list of top risks when making an important business decision, whether strategic or tactical. Moreover, a list of top risks will be out of date very soon after it is prepared, since business conditions and risks are changing all the time.
A list of top risks has value when it comes to making sure the risks that merit specific and continued attention are getting it.
But the business is run every day.
Every day, decisions have to be made that not only need to consider what might happen (risk and opportunity) but will also create or modify existing sources of risk and opportunity.
The CRO and their team add more value when they enable daily activities and decisions to be of high quality.
I have advised CROs, management teams and boards to integrate performance and risk management. The CRO should work with the CFO and others to ensure leaders understand whether, considering current status and what lies ahead, the organization is likely to achieve its objectives for the period.
When I have shown them examples of such reports, they have embraced them.
A list of top risks becomes a secondary source of information.
Defining the CAE Role
The CAE is in a different position.
The CAE has a responsibility to provide assurance to the board and management that risk management practices are effective. But that isn't achieved when it is limited to the periodic review of a list of top risks. When that is all the board receives, board oversight of risk management is insufficient.
My advice to the CAE is to work with the CRO first. Try to get the CRO to provide the board and top management with an integrated risk and performance report. After all, it is risk to objectives that needs to be addressed, not risk in a silo, out of context of running the business.
I would also work with the CEO (or other top management influencer, but the CEO is going to be the decision-maker), to help them understand what is missing. Help them understand how effective risk management helps them succeed, not just avoid hazards and tick the compliance box.
The CAE should audit risk management and report its deficiencies, the primary one being that a list of risks (or a heat map) is insufficient.
So much more value can be derived.
I welcome your thoughts.
About the Author
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.