After a crisis, a typical question is, ‘Where was the board?’ Developing a challenge culture for risk management and oversight is an imperative for boards and C-suite executives as they seek to manage risk.
Board members embrace a risk challenge culture when they approach their responsibilities for risk oversight with a healthy professional scepticism. They set the tone at the top and must ask challenging questions.
‘What if’ not ‘why’
A productive line of challenging questions is ‘what if’ rather than ‘why’ questions. ‘Why’ questions tend to be judgemental whereas ‘what if’ questions indicate a desire to learn new insights.
A board should embody a diversity of skills and experiences and be knowledgeable about ERM (enterprise risk management). Without both, the board itself may be a risk factor.
Every risk identified must have an owner. The owner/manager is the first line of defence in an effective risk-management process, the second line is the functions that oversee risks, and the third line is internal audit.
Cognitive biases that can commonly affect decision making are a significant impediment to the success of a risk challenge culture.
Risk is susceptible to the following common biases:
- anchoring: an overreliance on one trait or piece of information
- loss aversion: more aggressive in avoiding losses than in seeking gains
- overconfidence: exaggerated faith in one’s own solution to problems
- confirmation: the tendency to seek out evidence that confirms an initial decision
- rushed problem solving: an over-eagerness to solve a problem quickly.
Fix the culture
When the risk culture is working properly, there is an alignment of the common purpose and attitudes towards risk.
ERM itself has been linked to better profitability, fewer surprises, less volatility, and overall improved performance. A misaligned risk culture is a key risk indicator of future problems.
An organisation cannot manage risk effectively if the decision makers do not know how much risk it is willing to assume in pursuit of gain.
Yet studies show that fewer than a third of organisations have developed and implemented formal risk-appetite statements.
"When a subordinate is afraid to ask senior management about perceived risks, or when a board member is satisfied with the CEO’s facile answer to a serious risk issue, or when board members ‘rubber stamp’ management’s critical actions without serious debate, that is not a challenge culture."
Information asymmetry between executives and the board means that some never see all the information, or they may get the information too late to influence their decisions.
The gap between what the executives know and what the board knows is growing larger.
Information asymmetry can occur because executives filter what the board sees or because they delay passing the information to the board.
Some risks can materialise so quickly that delay can be devastating for a company.
Excessive filtering of data that goes to the board is a serious problem.
Ensuring that boards have extensive access to management is one way to mitigate filtering.
Boards should ask if there is a trickle-up mechanism in place – so that key risk information does not get stuck with middle management.