Board members embrace a risk challenge culture when they approach their responsibilities for risk oversight with a healthy professional scepticism. They set the tone at the top and must ask challenging questions.

‘What if’ not ‘why’

A productive line of challenging questions is ‘what if’ rather than ‘why’ questions. ‘Why’ questions tend to be judgemental whereas ‘what if’ questions indicate a desire to learn new insights.

A board should embody a diversity of skills and experiences and be knowledgeable about ERM (enterprise risk management). Without both, the board itself may be a risk factor.

Every risk identified must have an owner. The owner/manager is the first line of defence in an effective risk-management process, the second line is the functions that oversee risks, and the third line is internal audit.

Cognitive biases

Cognitive biases that can commonly affect decision making are a significant impediment to the success of a risk challenge culture.

Risk is susceptible to the following common biases:

  • anchoring: an overreliance on one trait or piece of information
  • loss aversion: more aggressive in avoiding losses than in seeking gains
  • overconfidence: exaggerated faith in one’s own solution to problems
  • confirmation: the tendency to seek out evidence that confirms an initial decision
  • rushed problem solving: an over-eagerness to solve a problem quickly.

Fix the culture

When the risk culture is working properly, there is an alignment of the common purpose and attitudes towards risk.

ERM itself has been linked to better profitability, fewer surprises, less volatility, and overall improved performance. A misaligned risk culture is a key risk indicator of future problems.

An organisation cannot manage risk effectively if the decision makers do not know how much risk it is willing to assume in pursuit of gain.

Yet studies show that fewer than a third of organisations have developed and implemented formal risk-appetite statements.

About Jamie Lyon, lead author, ACCA