VIEW: On the ultimate responsibility for risk
Written by Julia Graham, deputy CEO, Airmic
The role of senior management in ensuring companies manage their risk successfully is of critical importance. Encouragingly, the Financial Reporting Council’s 2014 risk guidance stated that the board should take “ultimate responsibility for risk”. Its more recent document, ‘Corporate Culture and the Role of Boards’ published in July, states that senior executives should “get out of the boardroom” to understand how their firms are behaving.
The importance of this is backed up by Airmic’s ‘Roads to Ruin’ report, which studied the underlying causes of high-profile corporate crises. One trait common to almost all case studies was ‘board risk blindness’, which resulted from a ‘risk glass ceiling’. In other words, risk information did not flow freely up to senior management, usually due to cultural and structural barriers. The result was a failure of the board to recognise and engage with risks inherent in the business.
Recognising if your company suffers from board risk blindness is not always easy, but there are red flags to look out for. Two key indicators, for example, are tracking how and when people speak up and how their words are responded to, and how risk responsibilities are embedded in role responsibilities and reward systems. Furthermore, lessons can be learnt from the most successful organisations. In Airmic’s subsequent ‘Roads to Resilience’, researchers found that the key to achieving resilience is to focus on behaviour and culture. Risk culture is not new but it has gained traction and importance as a concept since the financial crisis. Risk culture is dynamic, it can be a mixture of formal and informal processes and may exist in more than one form. However, it is important that risk culture is set within the overall framework of the organisation’s vision, mission, corporate culture and risk management system. And most importantly, it comes from the boardroom.
The next step for the risk community is to further understand the 'why, what and how' of risk culture and to develop standards for best practice in the assessment, measurement and reporting of this complex issue – a subject on the Airmic technical agenda.