A new report from Tomorrow’s Company analyzes the role of risk leadership in non-financial companies, and provides a risk leadership toolkit for use by board members. Their analysis is based on consultations with 58 CEOs, CFOs, CROs and others. The authors state:
It explores the case for a distinct and more specialist role within non-financial services to support the board in their risk leadership role, recognising there will be differences in how risk is managed and roles are structured across organisations and sectors.
I read the report, and I recommend you do too. It is an easy read, and is full of insightful quotes from a wide range of business leaders. Though not specific to the communications sector, the report does not suffer most of the usual problems of generic risk management guides. In particular, it does not confuse the particular needs of the financial sector with what is needed by other kinds of businesses, and it does not advocate the mindless ‘box-ticking’ exercises that have come to dominate so much guidance. These are the seven key takeaways from the report.
1. Risks should not be managed in silos, though many businesses still suffer a risk silo mentality
Recent research has demonstrated that not all boards are navigating the uncertainties inherent in this changing risk landscape effectively, resulting in significant loss of value. There is a danger that different risks are still being dealt with in silos. Yet risks are interdependent and do not respect functional boundaries.
The heart of understanding the changing risk landscape is to recognise that not only are the risks interconnected but the way to resilience is also through greater connectivity inside and outside the organisation.
2. Risk management has strategic relevance and must be done at board level; it cannot be wholly delegated
Boards’ agendas are already being stretched but boards cannot delegate their ultimate responsibility for risk management and internal control.
The determination of the risk appetite and consideration of risk must take place in the context of the organisation’s strategy and is therefore an integral part of the board’s strategic debate. Neither can boards delegate their responsibility for ensuring that an appropriate risk culture has been embedded throughout the organisation – the tone has to start at the top.
3. Risk managers will fail if they are reactive and driven by externally-imposed compliance goals
[To succeed] involves a transformation of the risk function:
- moving from a reactive, often compliance-driven, approach to one that is more proactive and focused on building collaboration and creating integration across functional silos; and
- embedding an appropriate risk culture at every level of the organisation and ensuring that the right roles, responsibilities and controls are in place.
4. Risk management needs an executive champion who can challenge others
We believe the transformation required to the risk function to reflect the changes in the risk landscape requires a strong executive voice of risk to help drive the success of the business.
At its heart, the role is about leading the risk agenda by being a voice of challenge as well as a business educator and enabler, fully empowered to help the business gain a deeper appreciation of the relationship between risk, reward and strategy to take better and more informed decisions. It is therefore about helping build risk capability at all levels of the organisation so that everyone can identify and manage risk more effectively rather than building a large risk ‘empire’.
5. The risk leader must be close to the board and must have a channel to non-executive board members
Whilst different organisations have different structures and relative roles and responsibilities for risk, we suggest that to be fully effective the risk leadership role needs to be close to the board or at board level. At the very least it is important that they have senior NED [Non Executive Director] engagement and support to ensure that they have both the express and implied authority to act.
6. The attributes of an effective risk leader cannot be listed on a CV
We have identified 4 key components to such a role:
- strategic partnership
- executive leadership
- organisational capability
… and five key qualities:
- organisational and stakeholder navigation
- integrity, ethics and values
7. They include a brilliantly succinct risk leadership ‘toolkit’
The toolkit is designed for the board, and it lists the essential questions that an organization needs to consider when judging the quality of its risk leadership. If you are currently a risk leader, or intend to become one in the future, you should download the toolkit and use it to assess your personal objectives and performance.
The full Tomorrow’s Company report on risk leadership can be downloaded from here.