In a short video, Watson Wyatt's ERM Services Leader asserts that these are the characteristics of a world-class risk management function:
- A culture that encourages enterprise risk management and communication.
- Integrated risk functions that coordinate and cooperate with each other.
- An expansive risk management framework that considers all the risks that can impact the enterprise.
- A clear understanding of the connection between risk and enterprise value.
- A Chief Risk Officer that reports to the board or CEO and strongly influences all aspects of enterprise risk management.
- Pervasive use of risk information in decision-making across the enterprise.
- Incentives that reward effective risk management.
While allowing that the speaker, Sim Segal, only has 4 minutes to speak, I believe there are some HUGE gaps!
Let's start with the primary issue.
There is a HUGE difference between a "world class risk management function" and an organization that manages risk in a world class manner to drive value. I hold to the belief that the only true measure is whether the organization is able to make better decisions because of the way it considers and addresses uncertainty.
You can have all of the characteristics listed by this speaker without the organization being effective in managing uncertainty.
As my good friend Grant Purdy told me, the organization can have NONE of these and still be pretty good at managing uncertainty.
I suggest that rather than focusing on a world-class risk management function, we should recognize that operating and executive management, with board oversight, are responsible for the management of uncertainty (i.e., risk) as an integral part of running the business.
That means that we should focus on the world-class management of uncertainty as part of how the organization drives to and delivers optimal performance and value.
That's the next objection I have to the Watson Wyatt list: it's all about risk management and not about performance. (I would accept the Deloitte concept of risk-intelligent management.)
Incentives that reward "risk management" (#7 on the list) may incent people not to take risks they should. Risk management is not about avoiding or mitigating risk: it is about taking the right risks!
Finally, why is it necessary for the Chief Risk Officer to report to the board or CEO if everybody is responsible for the management of risk? This is only necessary if the CRO is set up as the policeman to monitor management and balance their predilection for taking inappropriate risk. It is not necessary if the risk officer is a facilitator that helps and mentors management in addressing uncertainty and its potential effects. (Yes, I am fully aware that regulators of the financial services sector insist on a CRO "cop" that reports to the board, but am hopeful that over time we can move even financial services to seeing management as responsible for both risk and performance — rather than using risk as the enforcer of risk limits, which requires the CRO to have a voice outside management.)
I welcome your comments.