Seasoned risk and internal audit leader Chris Corless discusses the road block most risk managers have come up against—the resistant risk owner.
I have a vivid memory of meeting with a senior leader, shortly after joining an organisation and prior to putting together board reporting, who said to me: “Well, it is nice to meet you, but I’m not sure why we need to having this conversation, as I don’t have any risk in my area of the business.” By the end of my time in the organisation, this same senior leader was one of the biggest proponents of risk management and used a structured approach to understand how the risks that were owned by his lead team were managed on a regular basis.
Does everyone feel this way?
From my experience, there can be several factors that can lead to this type of road block, and I believe the first step is to seek to understand why the risk owner is taking this stance – do they understand the risk framework, what is the culture around risk in the organisation, and what is the culture around self-reporting? Also, consider if this is the lone view of one risk owner or if it is something that is shared by multiple risk owners across the organisation. Once you understand the reason behind the road block and its extent across the business, you will have a much better idea of how to overcome it and the effort required to do so.
Give them a framework
One common problem that I have come across is that the risk owner is not clear on the risk framework or the requirements that are expected of them. Having a simple, clear risk model (I am a fan of the Harvard Model by Kaplan and Mikes) that helps to drive consistent purpose, language and accountabilities in the organisation will be helpful to remove any ambiguity about what is required and why. As you build up your framework of functional accountabilities, it is important to develop training to help support an inevitable turnover of risk owners. Fortunately, this problem is mostly in the control of the risk function and relatively straightforward to resolve – it is entirely in the remit of the function.
Are they afraid to self-report?
Cultural causes of these road blocks can be more challenging to resolve. Organisational culture can have a significant impact on risk management in organisations and much has been written about it (see another piece I wrote: “What the heck is risk culture ”). A command and control culture that leads by fear can often create real challenges for risk management because self-reporting a potential vulnerability to your part of the business or an area where you need help could be a career-ending decision. This quickly leads to a less-than-transparent organisation. This is a very tough problem to crack and will need the help of the CEO and senior lead team to turn around.
Fight a fear-led culture
The first step is removing the management-by-fear doctrine. The risk management function can support this by highlighting that a risk owner raising their hand about a problem that needs addressing should be celebrated instead of punished. By defending those who are actively managing their risks there will be less and less reluctance by risk owners to acknowledge their risks and report any problems that are identified.
Cultural transformation isn’t easy but by being deliberate and consistent it will change over time and remove one more reason you could run into a reluctant risk owner.