According to a new report from the Association of Chartered Certified Accountants (ACCA) and the Institute of Management Accountants (IMA), developing a challenge culture for risk management and oversight is the next logical evolution for finance leaders as they seek to reduce risk in their organization while recovery from the financial crisis continues.
Stakeholders, regulators, and even ratings agencies have a keen interest in the management and oversight of risk – and this interest will continue to grow.
The report, A Risk Challenge Culture to Promote Good Risk Management Practices in the C-Suite and Across the Organization, by Paul L. Walker, William G. Shenkir, and Thomas L. Barton, draws on discussions from the ACCA/IMA Accountants for Business Global Forum and insights from joint roundtables held in Dubai, London, and New York.
It touches upon the difficulties board members and C-suite executives face when critically questioning policies or decisions in their organizations – especially in the event of outsized profits, unprecedented growth, and when bonuses are at stake.
“Organizations should develop a ‘risk challenge culture,’ which provides employees with the opportunity to defy existing conditions,” Raef Lawson, PhD, CMA, CPA, vice president of research and policy at the IMA, said in a written statement. But he noted that this culture is “impossible to achieve if employees are not encouraged, required, and rewarded by management when challenging a negative corporate culture.”
The report identifies the nine key areas for the design and implementation of a risk challenge culture. They are:
1. Professional skepticism and board oversight. A risk challenge culture requires that board members and the C-suite approach their risk oversight responsibilities with a “questioning mind” and make “critical assessments” of the effectiveness of their organization’s risk management process.
2. Board diversity and expertise development, particularly in enterprise risk management (ERM). If it is to avoid being a risk itself, the board should reflect diversity in skills and experience, and be knowledgeable about ERM. Formal training may be necessary to acquire the requisite knowledge.
3. Leadership roles and setting tone at the top in a risk challenge culture. The responsibility for leading and sustaining a viable risk challenge culture lies in the board and its committees, the C-suite, and risk-owning operating management. The board, in concert with the CEO, sets the tone from the top regarding the openness expected in risk discussions.
4. Reporting key risk information to the board on a timely basis. It is important to minimize information asymmetry between the CEO and board in risk reporting. It occurs when the board fails to receive key risk information on a timely basis or at all.
5. Recognizing cognitive biases in decision making and minimizing their impact. Cognitive biases in decision making can be a serious impediment to developing an effective risk challenge culture. It is essential to recognize that these biases exist – and they are well-documented in the literature – and put mechanisms in place to minimize their impact.
6. Diagnosis and awareness of the signs that a risk culture is in need of remediation. When a risk culture is effective, there is an alignment of the common purpose and attitudes toward risk. Signs that a risk culture is lacking or in need of remediation include weak risk leadership, poor risk transparency, and rewarding inappropriate risk-taking.
7. Establishing a formal risk appetite and risk tolerance, communicating them to all levels and updating when necessary. Even though only a minority of organizations have promulgated a formal statement of risk appetite, it is critical that all other organizations begin the process of establishing their risk appetites and risk tolerances, and communicating them to all organizational levels – and then furnishing updates as needed.
8. Performing a thorough risk analysis before setting strategy and re-evaluating often. Strategy and risk are inextricably linked. Setting strategy without performing a thorough risk analysis has often led to massive value destruction. It is the board’s responsibility to ensure that this link is strong and re-evaluated frequently.
9. Carefully constructing incentives to induce behaviors appropriately aligned with strategy and risk appetite/tolerance. As recent history has shown, faulty, unbalanced incentive plans can lead to misguided, excessive, or even ruinous risk-taking. Incentives should be carefully constructed to induce behaviors that are appropriately aligned with strategy and risk appetite/tolerance.