No. 4: Align risk management and performance management
Without a full understanding of the implications of how risks impact the performance of business units and individuals in meeting their goals, the entire company will have difficulty meeting its long-term strategic objectives.
Companies must explicitly identify how risk influences the behaviour and ability of individuals in achieving their goals.
For example, during the years leading up to the financial crisis of 2008, many mortgage banking companies based performance goals for loan originators solely on the quantity of loans issued without regard to the quality of supporting loan documentation or the underlying risk of the mortgage itself.
Lacking this risk awareness, these companies unwittingly increased their overall risk exposure.
No. 5: Clearly articulate risks encountered versus authorised risk appetite
Many boards and senior leaders have argued vehemently over the tolerance for risks associated with strategic opportunities. With the risk linkages firmly and concretely articulated, the next logical action at the board level is the review of senior leadership’s assessment of how the risks actually encountered correlate with the risk appetite of the company.
The board should create simple, straightforward risk appetite statements that provide clear guardrails for the company’s senior leadership. Then, senior leadership has the responsibility to articulate how their strategic initiatives fall within the established risk appetite.
Any areas of ambiguity should be the primary focus of joint discussions to develop greater clarity around the risks to be taken to achieve the desired business outcome.
No. 6: Organise for enterprise-wide risk identification and accountability
The deep delegation of risk-related performance management goes hand in hand with the organisational understanding and assignment of risk responsibilities, from the boardroom to the shop floor.
The clear allocation of risk-related decision rights and responsibilities gives the board and senior leadership a means of understanding who in the organisation owns the various risks of the company.
No. 7: Use technology as an enabler of risk oversight activities
While technology is often viewed as a panacea for risk oversight challenges, it is most useful and cost-effective when deployed as an enabler of well-defined risk oversight activities.
Too often, companies will over-engineer the supporting risk oversight processes based on a particular technology solution, resulting in greater bureaucracy and wasted investment.
Incorporating these elements into your risk management program will improve not only the quality of business outcomes, but will also ensure the sustainability of the program itself.
With an ongoing, disciplined approach, senior IT and business leaders can drive their companies not only to improve their risk oversight practices, but also to gain added insight into how to achieve their strategic objectives.
By John A. Wheeler - Research Analyst, Gartner