As organisations have struggled with the well-known ‘three lines of defence’ model for risk governance, it could be time for a less segregated approach
This article was first published in the September 2019 UK edition of Accounting and Business magazine.
Risk management is fundamental to the success of organisations in every business sector. This is a complex world, full of uncertainty, so whatever the business does and whatever its size, it must manage risk.
Risk is present in every corporate process, activity and decision, and that means that all staff will have some responsibility for taking and controlling risk. Whatever the organisation’s overarching approach to risk, these day-to-day behaviours matter greatly. If an organisation is to manage its own unique risks effectively, it must encourage a culture where staff are actively engaged in the management of risk and are coordinating their risk-taking and control decisions. When an organisation achieves this state, good risk management practices are embedded across the business. The question, of course, is how to get there.
That is the challenge that lies at the centre of a new ACCA report, Risk and performance: Embedding risk management. It follows on from a 2018 study on board-level risk management practices, and examines how board-level risk-taking and control objectives translate into the risk management activities performed within organisations.
As Jamie Lyon, interim director of professional insights at ACCA, says in his introduction to the report, embedding risk practices successfully can be challenging. ‘A key issue is how we translate the management of risk from a theoretical exercise to an activity that has resonance and meaningfulness right across the organisation, at all levels,’ he says.
If risk management is to be truly effective, it must be managed as an inherent part of delivering day-to-day business activities. In other words, risk management processes must take place at every level of the organisation.
One size doesn’t fit all
It is well understood that no two businesses are the same, which means there is no standard blueprint for good risk management. Instead, the report uses four in-depth case studies and input from risk management professionals to explore how organisations have sought to embed risk management and share best practice.
The study found that while the case study organisations had similar objectives in terms of risk management, the paths they took to embed risk management practices varied widely, depending on their external environment, leadership tone, and the success or failure of past risk management initiatives.
The report explains that effective risk management requires the use of complementary formal mechanisms (such as risk registers, control assessments and internal audits) and informal mechanisms (such as social networking and influencing techniques).
The informal relationships are seen as particularly important in embedding a risk management culture. ‘If [the process] was just formal, it wouldn’t be as embedded in the business,’ a board member of one case study company told the report’s authors. ‘Because there is that informal ability to pick up the phone to somebody who might help you chew a problem over, it just works.’
The study also found that communication is absolutely essential to effectively embedding risk management throughout the organisation – and not just communication between the risk management function and internal audit, but also between business units and functions. Overall, the risk management function should play a key role in communication and in building risk management relationships.
‘The function operates as a nexus for risk management communication,’ says the report. ‘A risk management function that cannot build effective relationships across an organisation will not be able to embed effective risk management practices.’
The function must not only design and implement risk assessment and reporting tools, it must also work hard to explain and sell the benefits of risk management to the wider organisation.
In every case study, it was stressed that as little technical language as possible was used. One risk manager declared that when communicating with other parts of the business he rarely used the word ‘risk’. ‘We just ask the question: tell me what can go wrong?’ Embedding tools, procedures and software is most effective when it is not described as risk management, the report adds, because labelling it as risk suggests it is the responsibility of a risk manager.
Risk governance’s ‘three lines of defence’ model (that is, operational management, internal monitoring/oversight, and internal audit) is a well-recognised methodology, but the report stresses that this has not been particularly helpful in practice. Every case study organisation, it says, struggled with the requirements of this model; in fact, none had adopted a pure ‘three-lines’ approach. ‘We observed in each organisation a struggle to reconcile the theoretical idea of a three-lines approach with the practical realities of implementing one,’ says the report.
Instead, the report’s authors propose a less segregated option, which they call a ‘modes of accountability’ approach. In this approach, the risk management function is accountable for designing the organisation’s formal risk management mechanism and overseeing the risk-taking and control decisions made by business units and functions. Business units and functions are in turn accountable for using these mechanisms to make decisions about risk that are consistent with the organisation’s objectives. And finally, the internal audit function is accountable for providing assurance that all risk-taking and control decisions, and the mechanisms used to support them, are appropriate.
‘An important difference between the three modes of accountability and the three lines of defence is that the former overlap in how accountability is distributed, though the degree of overlap can vary,’ the report states.
It concludes that there are ‘no quick fixes’ in embedding risk management, as what works differs between organisations. Even so, it lays out a number of recommendations that highlight best practice, including rethinking risk governance as ‘integrated accountability’. Overall, the report illustrates the challenges of translating business theory into workable practice, but it can be done.
Liz Fisher, journalist