5 COMMON RISK MANAGEMENT FAILURES
It is always interesting to put on our “all-seeing glasses” and look at situations when risk management failed. By doing this, we have the opportunity to identify warning signs of common failures. The following are five common risk management failures and some warning signs of each. The warning signs are organized into organizational, process and behavioral indicators.
#1: POOR GOVERNANCE AND “TONE OF THE ORGANIZATION”
Governance is the act or process of providing oversight, authoritative direction or control. The term itself is often used to describe what the Board of Directors and executive management do to oversee the enterprise’s planning and operations and ensure the effectiveness of strategy-setting and the organization’s other management processes.
Executive management’s “tone at the top” provides a vital foundation for the transparency, openness and commitment to continuous improvement that are so necessary for effective risk management. However, the tone at the top must be complemented with an effective “tone in the middle.” No matter what leaders communicate to their organizations, what really drives behavior and resonates with employees is what they see and hear every day from the managers to whom they report. If the behavior of middle managers contradicts the messaging and values conveyed from the top, it won’t take long for lower-level employees to notice. Because the top-down emphasis on effective risk management is only as strong as its weakest link, it is vital that this emphasis be translated into an effective tone in the middle before it can be expected to reach across the organization. Therefore, a strong “tone of the organization” is needed.
Here are a few indicators of dysfunction in governance and tone of the organization:
#2: RECKLESS RISK-TAKING
Reckless risk-taking is an enterprise value killer. It means undertaking risks that the Board of Directors and/or executive management neither understand nor approve. A lesson we keep learning, time and again, is the need for more disciplined risk-taking during periods of rapid growth and favorable markets. Every MBA program features case studies of companies re-learning a time-honored lesson:
Although competent people are an important aspect of managing risk, management’s reliance on them without limits, checks and balances and without independent monitoring and reporting is as ill-advised as not understanding the risks inherent in their activities.
It is interesting that companies, and even entire industries, keep having to re-learn this fundamental lesson. During the financial crisis, some institutions demonstrably fared better than others, and we can learn from what they did differently.
Key indicators of this problem include:
#3: INABILITY TO IMPLEMENT EFFECTIVE ENTERPRISE RISK MANAGEMENT (ERM)
Most efforts to implement ERM are unfocused, severely resource-constrained and pushed down so far into the organization that it is difficult to establish their relevance. The near-term result is “starts and stops” and ceaseless discussions focused on understanding what the objective is. The longer-term result is that risk management is rarely, if ever, elevated to a strategic level and continues to be driven by functional silos within the organization.
Common indicators of this potential failure include:
#4: NONEXISTENT, INEFFECTIVE OR INEFFICIENT RISK ASSESSMENT
This failure arises when risk assessment activities are not identifying the critical enterprise risks effectively, efficiently and promptly. Or, worse, nothing happens when a risk assessment is completed beyond sharing the most current list of risks with company executives.
Some key indicators of this failure include:
#5: NOT INTEGRATING RISK MANAGEMENT WITH STRATEGY-SETTING AND PERFORMANCE MANAGEMENT
This failure occurs when risk is treated as an afterthought to strategy-setting, resulting in strategic objectives that may be unrealistic and risk management becoming an appendage to performance management. The consequences of this failure include a strategy the organization is unable to deliver, a deteriorating competitive position, an inability to adapt to a changing business environment and a significant loss of enterprise value.
Key potential indicators of this failure include:
We have discussed five common risk management failures: poor governance and “tone of the organization”; reckless risk-taking; inability to implement effective ERM; nonexistent, ineffective or inefficient risk assessment; and not integrating risk management with strategy-setting and performance management.
The warning signs listed for each of these failures offer a high-level diagnostic the Board and management can use to check the health and vitality of their organization’s risk management.
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO.