I am speaking tomorrow to directors and officers about oversight of risk management by boards of directors. I prepared a list of 25 reasons that risk management failure happens, based on my experience assisting boards, including boards that have failed and boards that cannot afford to fail. Almost all of what follows below is based on real examples. I have never encountered a risk management failure where the board was not at fault, based on what the board said or did, or failed to say or do.
Here are 25 reasons for risk management failure:
- Lack of enterprise risk management expertise on the board.
- Governance gaps over a material risk(s) within the board or across committees.
- Directors incapable of identifying and fully understanding the risks, or worse yet, don’t want to understand. Committees show no interest when they should be shocked.
- Internal oversight functions reporting to management instead of the board. A complacent board does not correct.
- Directors do not insist on a real-time line of sight over material risks and their mitigation/treatment.
- Not upgrading information systems to track, monitor, integrate risks.
- Lack of oversight of the process by which management identifies, assesses and actions the risks.
- Lack of conversations, common vocabulary and prioritization of the risks.
- Lack of internal audit, or not listening to internal audit.
- Internal controls that are weak, even non-existent, or capable of management override.
- Not addressing interaction of risks, their speed, and exogenous shocks in modeling and scenario planning.
- Not considering impact on reputation, which can be greater than the primary impact considered.
- Immature controls over non-financial material risks, especially safety, operations, reputation, terrorism, bribery, technology.
- Risk appetite frameworks do not result in known thresholds, beyond which senior management and when necessary the board is notified.
- Lack of independent, coordinated assurance of internal controls provided directly to the board.
- Risk culture defective (toxicity, bullying, risk-taking behaviors) and not remedied.
- Whistle-blowing defective (not anonymous, no independent channel, no proper investigation).
- Risk not based on the strategy, business model and key performance indicators.
- Key performance indicators, and pay incentives and vesting of equity, not risk-adjusted.
- Board or committee cannot direct a third party review of risk governance, a specific risk, or a set of controls.
- Failure to anticipate and integrate risks. Pockets of acute, unknown catastrophic risk. (This item equals 13 + 6.)
- Enterprise risk management not really implemented but everyone thinks it is. False sense of reality.
- Tone at the top tolerates exceptions, complacency, and unequal treatment. Limited downside for excessive or imprudent risk taking. Encouragement, enabling or dependence upon high performing risk-takers.
- No sense of urgency to remedy the foregoing.
- The board does not know how bad it is.
The author thanks an anonymous senior risk executive for review of the foregoing items.