Someone is looking over your shoulder, and you know who it is. If you're the CEO, it's your board and shareholders. On the factory floor or in the cubicles, it's the foreman or the supervisor. But just as often these days, the sources of anxiety and caution confronting risk managers may not be corporate employees at all. Rapidly shifting technology that is often difficult to understand and measure, unfamiliar demographics, expanding globalization, and ever more stringent regulatory compliance requirements are now part of an anxiety- producing stew that organizations' risk managers must understand and deal with. All these forces threaten a corporation's revenue, margins, profitability, and overall competitiveness more quickly and unpredictably than ever.
Consequently, if you are an internal auditor - the person responsible for assessing and helping improve the risk management process - your chair these days may feel more like a hot seat. Which of the decisions daily barraging a modern corporation should be the higher priorities? And how, in a business world of frequent disruption, will you, your superiors, and those who report to you weigh and mitigate the waves of serious risks facing the company nonstop? What are the most important metrics to use for any given risk issue? Can the company rely solely on its in-house staff to analyze and resolve unforeseen and often unforeseeable problems?
Just as important, how will the enterprise as a whole handle these issues and make necessary decisions? How does company culture get in the way of using risk management effectively, to reach the decisions that will help the company grow and become more competitive, and how can sustainable risk management (SRM) assist?
Company managers often are not encouraged to exercise independent judgment, even when they are the acknowledged experts. Without transparency and effective multilevel communications in their company, managers are likely to be wary of crossing unseen boundaries, suspect that hidden agendas are controlling important decisions, or feel isolated and unsure of the enterprise objectives that should help guide their decisions. Moreover, anxiety about making important decisions is common in organizations that don't give their decision-makers the tools and data required to make intelligent risk analyses. Without confidence that they understand the risks associated with a decision, and in a culture where the consequences of a bad outcome are punitive, managers understandably are likely to be cautious.
Behind employees' hesitation to make and express independent judgments or to make decisions can be a corporate culture of mistrust, caution, and covering one's backside. In other words, a culture of fear - fear of losing face, losing a contract, losing revenue, losing political advantage, losing a job.
A culture of isolation and timidity defeats collaboration, creativity, transparency, and the ability of a corporation to objectively analyze the broad range of risks it faces each day. It can render the internal audit function far less effective and useful than it should be and can be. In this environment, the internal audit function may mistakenly be seen solely as a means of uncovering errors, assigning blame, and enforcing penalties. Managers may be understandably reluctant to provide anything other than the most general and diluted information about their operations and decisions.
One need not wade through the scientific research about the impact fear has on decision- making to understand how destructive it can be. The brain has separate centers for processing fearful and rewarding experiences. As Dr. Gregory Berns, director of the Center for Neuropolicy at Emory University, has explained, "The most concrete thing neuroscience tells us is that when the fear system of the brain is active, exploratory activity and risk-taking are turned off." Good decisions in this state are unlikely. "Fear prompts retreat. It is the antipode to progress," said Berns. "Just when we need new ideas most, everyone is seized up in fear, trying to prevent losing what we have left."
In this way, fear can nullify or dilute a company's risk management processes. An effective SRM program, however, encourages and supports an environment that minimizes fear, reduces uncertainty, and increases transparency and confidence in decision-making throughout the enterprise.
Barriers to Solutions
It may seem that established tenets of good corporate governance already include rooting out the fear, indifference, lack of collaboration, and siloed decision-making that stand in the way of optimizing risk management. After all, most companies talk an excellent game when it comes to collaboration and open and honest risk analysis. Too few, however, have developed the internal mettle to tolerate it.
Starting with assessing corporate culture and change management practices, internal auditors can play an important role in transforming the boilerplate talk into sustainable programs. They can provide unbiased, to-the-point assessments, independent of internal politics. The problems they find and the solutions they recommend can be critical for a company seeking to develop the capacity for SRM. But whether from too much caution and resignation or just fear of change, many internal auditors say the structure of their jobs discourages them from alerting their companies to critical gaps in risk assessment and mitigation.
A recent global study by The Institute of Internal Auditors (IIA) Research Foundation spotlights some of the problem areas. Not even two-thirds of the surveyed chief audit executives (CAEs) said they consult with division or business heads when they develop audit plans. Only slightly more than half said they consult with audit committees. There may be many reasons for this audit-in-isolation phenomenon, but it commonly occurs in companies that do not value the risk management process and therefore do not prioritize it. The phenomenon occurs in companies where key players are not encouraged to speak up.
Just one-third of audit plans are updated three or more times a year, the study found. This means that CAEs may be overlooking important changes in the business environment. No wonder only 57 percent said that their internal audit departments were "fully aligned or almost fully aligned" with the enterprise strategic plan. This kind of exclusion signals that leadership does not embrace the people responsible for monitoring management of the company's risk and that the audit function is not seen as a critical part of the management process.
Our experience with clients reflects these findings and shows that risk management professionals themselves may be at least partially responsible for the isolation and erosion of their programs. They could assume, for instance, that the value and relevance of SRM are obvious and not consistently sell a program that's underway, neglecting to point out its continuing value, highlight its successes, and develop metrics that are easily understandable.
The program itself may not be as inclusive as it should be. Sometimes risk management processes are not designed to seek out and incorporate the views of front-line employees. Any effective SRM process, however, must reach into the depths of company operations. At the same time, employees at all levels often are not trained well in how to assess and evaluate risk. Employees may be able to calculate some risk in dollar terms without appreciating that they also should be looking at, for example, threats to customer satisfaction, employee safety, and regulatory and contract compliance.
Too often, as well, an unappreciated or ineffective risk management program does not account for the unique characteristics and business objectives of the corporation. Organizations sometimes employ a cookie-cutter approach to developing a risk management framework that's not calibrated to address essential and distinctive company attributes.
Sometimes risk reporting to the board and top executive levels may be so extensive and detailed that no one reads the reports. Or risk reporting may be so superficial that its assessments and proposed solutions carry little weight. When risk management is not seen as a source of continuous improvement for the organization, risk management funding may be erratic or inadequate, its staffing just an afterthought, and its placement in the corporate hierarchy too isolated to be effective.
Working Toward a More Viable Program
An SRM program protects and advances the organization's primary business objectives. To do their job effectively, risk management leaders must be included as members of the executive management team. Their inclusion helps to ensure that consideration of risks is incorporated into every significant strategic decision.
It is also possible that a company and its leadership simply are not prepared for the important cultural shift required to champion SRM. All too typically, executives are experts at shifting blame, pointing fingers, and covering their reputations when something goes wrong or hard decisions must be made.
SRM requires a no-blame environment, a collaborative process in which personnel work together to assess and solve problems without fear that their careers will suffer or they will lose the confidence of their peers. A frank and constructive assessment of an operational failure, for instance, is possible only when, instead of trying to find fault, the evaluation concentrates on solutions to keep the failure from happening again. This collaborative approach is not common enough in modern corporations.
Why SRM Is Worth It
The benefits of developing an open, fearless, and transparent SRM program ripple through every level of the enterprise. The program helps ensure that the company can perform with confidence and agility in the face of unpredictable events and shifting economic conditions. It supports the development of accurate, timely, and relevant metrics that reduce uncertainty in decision-making. It provides an effective process for dealing with emerging technologies, surprising moves by competitors, market uncertainties, natural disasters, and even internal scandals. When the program is working, the board, C-suite executives, and managers at all levels understand the kinds of risks the company must deal with and then use that awareness when making their decisions.
An active and embedded SRM program, visibly supported by leaders, regularly refreshes the managers' awareness and stimulates their insights concerning the shifting market and business conditions that pose the greatest risks to the company's operations. Employees work collaboratively with their supervisors and are asked to help solve missteps rather than being blamed or punished for them.
SRM offers continuing opportunities to save costs and improve productivity. It can reduce operational and material losses and waste and spotlight process improvements. SRM more closely aligns people, assets, processes, and technology with the organization's business strategies. It also reassures the board and other stakeholders that compliance issues are being addressed and that company assets and reputation are being protected. The results - which we see time and again - include increased growth, improved profitability, and higher staff morale.
