For some time, I have been recommending the work of Deloitte around "Risk Intelligence," and I am now pleased to thoroughly recommend these:
- Risk-Intelligent Decision-making. Deloitte has produced a series of products around "risk intelligence," a description I personally like a great deal. The link will take you to their Center for Corporate Governance, and I suggest reviewing all of their related publications, including Risk Intelligent Governance and the whole white paper series on risk intelligence.
- The People Side of Risk Intelligence covers a critical aspect of risk management — people and their behavior.
Here are a few nuggets I particularly like:
The degree of recent loss and public outrage has caused many to cast the failure to properly understand and manage risk as the root cause, the enemy of order and, therefore, the most compelling and top-of-mind business issue of our time.
Enterprise survival is about more than just staying out of trouble; it is also about creating new and future value to ensure the highest return on investment. New business models, shifts in the competitive landscape, consumer preferences and behaviors, and new technologies all demand enterprise agility and resilience.
Conventional approaches to risk management tend to separate the discussion of value and risk. But when risk management is viewed as a discipline for improving an enterprise's chances of survival and success, risk intelligence counters conventional wisdom with new ways of thinking about risk: primarily as the potential for failure in terms of both loss and missed opportunity.
Risk includes the potential for failure that could result in loss, harm or missed opportunity — the risk of inaction. Risk intelligence is both the capability to produce and then effectively act upon such intelligence in order to achieve the desired results. Some level of failure is essential for innovation and experimentation. The enterprise needs to determine acceptable versus unacceptable differences between actual and expected performance. Otherwise, intolerance of any level of failure will lead to risk aversion and competitive disadvantage.
In this broad context, success often requires the embedding of risk intelligent capabilities throughout all levels of the organization — from directors to executive leadership to business units and all employees.
... the risk ownership level includes everyone in the organization, across all functions and business units. Many organizations believe risk management is handled by specific functions, such as compliance and internal audit. But risk ownership doesn't end — or even start — with them. Virtually everyone, from the CEO down to the newest temporary employee, is likely to have some kind of risk ownership responsibility, whether it's carrying out an internal control, documenting information needed for risk management, or simply locking the office door at night.
Effective risk ownership depends on everyone understanding what their risk-related responsibilities are, knowing how to carry them out, and having recourse to appropriate guidance if and when the "standard" risk management processes break down. The challenge of educating employees about their individual responsibilities, in a way that is focused and relevant to each person's specific role, can be enormous — but it's one that an enterprise must overcome to behave as a truly Risk Intelligent Enterprise, day after day, and under the near-infinite range of possibilities that may arise in today's environment.
What distinguishes the Risk Intelligent Enterprise is that leaders recognize that risk needs to inform rewards for everyone — from the senior levels of executive management to the call center and the shop floor. Every employee plays a part in managing risk. So should every employee's rewards.
The words and actions of employees' immediate supervisors have an especially important impact on employees' own behavior; boards and executives need to monitor the "tone in the middle" so that managers all along the chain of command know to "walk the talk" of ethics.
The Risk Intelligent Enterprise understands that employee health and safety is a business risk, not just a compliance risk. Treat it that way, and your people will thank you — and so should the marketplace.
Culture, while not easy to master, is crucially important in taking Risk Intelligence beyond the mechanical articulation of rules and regulations. In the end, culture is what makes Risk Intelligent behavior "the way we really do things around here" — the hallmark of the truly risk intelligent enterprise.
Success tends to breed complacency and a resistance to change that which has produced past success. Effective signal detection systems are a challenge to develop, but if people can become more alert to signals that may contradict their current worldview, it can lead to major opportunities and better defenses.
Risk appetite defines the types of risk that leaders are willing to take (or not take). Risk appetites will vary according to the type of risk under consideration. Using a risk intelligent approach, companies need to have an appetite for rewarded risks, such as those associated with new product development or new market entry, and ought to have a much lower appetite or tolerance for unrewarded risks, such as non-compliance or operational failures. While the CEO proposes risk appetite levels, the board ought to approve them — or challenge them and send them back to the CEO for adjustments — based on an evaluation of their alignment with business strategy and stakeholders' expectations.
By treating risk as intrinsic to the conduct of day-to-day business, executive leadership effectively elevates risk management from an exercise in risk avoidance to an essential consideration in every decision, activity and initiative of the organization, i.e., risk intelligent enterprise management. Risk intelligent executives develop policies and practices that integrate these skills into risk management capabilities, which in turn become an integral part of core decision-making processes throughout the enterprise. They are accountable for their decisions and for providing timely, relevant, value and risk-related information as appropriate to the board that ultimately translates into cost savings and revenue and market share gains.
Risks must be taken to seize opportunities, and they must be managed, not simply avoided.
And this, for the internal auditors:
Directors need to have reasonable assurance that executives are appropriately managing the risks that do not need to come to the board's attention. It is also essential that the board obtain independent reassurance that management's reports are reliable.
Providing assurance on risk management will be a step into a new world for many internal auditors. The Deloitte publications are, in my opinion, essential reading and will help everybody understand not just the mechanics, but the essence of effective risk management.