The four capabilities shaping the agenda for assurance functions in 2014
In today's ever-changing business environment, we don't have to look any further than current headlines to see that business-related risks have grown substantially - in size, immediacy and effect. From regulatory inconsistency, to more interconnected supply chains, to hyper-transparency, many organisations' risk and assurance functions continue to struggle with navigating the complex risk landscape. For example, we struggle to adequately manage the downside of risk and are uncertain about taking the right risks which causes decision paralysis, and results in missed growth opportunities.
The upside is that we now recognize the shortcomings of this approach. In fact, CEB research shows that 91 percent of organisations plan to reorganize and reprioritize their approach to risk management in the next three years. However, no consensus exists on how to move forward. Some companies will attempt to improve their existing processes or buy technology solutions that promise "risk information integration." Others may create more governance structures to strengthen the 2nd and 3rd lines of defence, but none of these will get to the heart of the problem.
We need to focus on raising awareness about emerging risks, increasing the level of co-ordination among different risk and assurance functions and creating greater management awareness to increase risk taking within corporate tolerances. Simply put, we need to build a stronger culture for risk. It needs to be embedded in every decision we make.
The word "risk," after all, comes from the early Italian word "risicare," meaning "to dare." Risk is a choice, not something left to fate. Companies that have a strong culture of risk choose their risks well and aren't impeded by trying to quantify the possibility of unlikely events. They succeed because they do a better job of taking risks, not avoiding them. In particular, we've found that the best risk leaders focus on four key areas for creating a strong culture for risk:
1. Turning Information into Insight
Risk leaders take a fact-based approach to risk management. While many assurance functions are relying less on a judgment-based approach and more on data-driven guidance, they often run into challenges with shortfalls in staff skills, program maturity and resources. Risk analytics isn't about hyper-focusing on risk quantification; rather, it's about having the skills and data to turn risk information into meaningful insights.
2. Aligning Risk with Business Strategy to Create Influence
Faced with the dual mandate of meeting increasingly complex regulations while reducing the burden on managers, risk and other assurance professionals must develop skills to deliver greater influence over business decisions. This can be done by clearly aligning risk management with business value drivers, sharing best practices, streamlining risk assessments and removing barriers for timely escalation of risk issues.
3. Fostering Informed Risk-Based Decision Making
Assurance functions often find they don't have sufficient resources to cover all possible risks, resulting in a control environment that effectively paralyses - or, at worst, impedes - business leaders from making decisions quickly. In fact, our data reveal that 38 percent of executives said that they have difficulty making decisions, which costs companies half their potential growth rates. To balance risk and opportunity, companies must help front-line managers make more consistent, risk-informed decisions and identify individuals in the business who can be "multipliers" of good risk management behaviour and give them the right support and tools to succeed.
4. Building a Culture of Integrity
Organisational culture is the root cause of many risk events. CEB insights suggest that if employees could freely speak up on potential risk issues, corporate integrity would increase significantly. We call this having integrity capital and it's a key talent metric for CEOs and boards because of its influence on total shareholder returns. To build "integrity capital," assurance professionals need to focus on fostering a culture where speaking up about misconduct is accepted and encouraged, and invest in ethical leadership development to build integrity into individual and corporate performance standards.
Ian Beale is a London-based senior director in CEB's Legal, Risk and Compliance practice. Read our Risk Intelligence Quarterly, which provides the latest insights and peer-led recommendations for managing enterprise risks.