One small step: Improving your risk governance practices has been saved
One small step: Improving your risk governance practices
Boost performance I Be responsible I Build trust
ln today's environment of ongoing uncertainty and pervasive risk, senior executives and boards need to govern risk in ways that not only protect assets but boost organizational performance, while being responsible to–and building trust among–stakeholders.
Recent years have severely tested risk governance and risk management capabilities at most organizations. Given the impacts of the COVID-19 pandemic and various cyberattacks, weather-related events, and political and social developments, it's a wonder that risk managers and the executive teams and boards who oversee them can keep pace with the challenges they face. In fact, some have not kept pace; others have been led to question risk approaches.
Under these circumstances, senior executives and boards often need to improve their approach on risk governance, which sets the tone for and oversees risk management. This does not necessarily mean either tightening or loosening your grip on governance. It means establishing and maintaining optimal risk governance.
Optimal risk governance boosts performance by enabling risk-based decision making, which balances value creation and asset protection. It enables the executive team and board to fulfill their risk-related responsibilities by clarifying risks to the enterprise and obtaining assurance that those risks have been addressed. It builds trust by providing visibility into risks as well as assurance to stakeholders that they are being addressed.
The connection between minds, people, platforms and companies has changed the way we interact with the modern world.
Improving your approach to risk governance often entails reviewing, refreshing, and revising risk-related practices. Our research and our experience on client engagements indicates that this process is best undertaken with the goal of enabling risk-based decision-making to reinforce the resilience of the enterprise in the face of risk events.
If your business has been thriving, you may see it as immune to risk events and see little need to focus on risk governance. On the other hand, if your business must regain lost ground, you may believe you have higher priorities. In the former case, your organization may simply have been lucky; in the latter, trying to regain lost ground without more robust governance may imperil the enterprise.
Whatever your current situation, risk events may well have exposed gaps, inadequacies, vulnerabilities, and inefficiencies in risk management and governance in your organization.
Where and how to start
To start, considering your current approach to risk governance, ask yourself and your leadership team the following:
- Have you automated regulatory (and internal) compliance to the greatest extent possible?
- Have you taken full advantage of risk scanning, sensing, and reporting technologies? Do you link risk monitoring with clear issue escalation and risk remediation procedures?
- Do you feel you have adequately identified risks beyond those well-known in your industry and organization, including economic, environmental, social, political, and reputational risks? Do you identify and track emerging risks?
- Have you aligned your risk strategy and your business strategy?
- Have you linked hiring practices, incentives, rewards, and other behavioral levers with your risk and business strategies?
Improving your approach to risk governance depends on how clear, practical, and robust your existing system of risk governance is. One good place to start making it clearer, more practical, and more robust would be to consider your existing governance framework. To assist you in this process, we provide our governance wheel.
Deloitte Governance Wheel
Forces within the governance wheel must be properly balanced to do the job. That means understanding where attention, investment, and work is required, while recognizing that the executive team and the board must do the driving.
Aligning your risk strategy:
- Align your risk strategy with your business strategy in practical, as well as conceptual, ways.
- Identify the interplay among mission and values and the risk culture you are creating through leadership example, hiring practices, performance incentives, and other levers.
- Assess how you are using technology to enable processes, controls, and early warnings regarding risks across the enterprise—and to automate compliance and assurance.
- Develop a clear taxonomy of risks and translate risks that are inherently “technical” into business impacts.
- Encourage frontline workers to flag risks and challenge decisions.
- Consider your risk profile and where your organization could be taking more risk to drive greater reward. Look for the industry event that could undo your business model or empower competitors.
- Ask trusted stakeholders, such as key customers, suppliers, or investors about your risk posture; consider conducting a risk assessment by a qualified external resource.
We trust that the foregoing will position your executive team and board to improve its approach on risk governance to enable your enterprise to thrive. We also stand ready to assist you in any aspect of this process as you move forward.
This article is part our Integrated Risk Management series, which explores various themes and approaches to management and governing risk.