In today’s highly complex and global business environment, risk management is increasingly recognized as a strategic priority for executive leadership. From climate risk and geopolitical shifts to supply chain disruptions and a rapidly changing regulatory landscape, risks are emerging faster and more frequently than ever before. In response, forward-looking organizations are taking a top-down approach to enterprise risk—and increasingly elevating risk to the C-suite.
Risk management in the C-suite can take many forms. A recent global survey found that risk management most commonly falls under the responsibility of the chief financial officer or finance department, while only 7% of organizations reported having a chief risk officer. At the same time, there has been a meaningful shift toward risk management reporting directly to CEOs (from 15% in 2017 to 27% in 2019), reflecting the growing importance of risk in supporting long-term growth and business strategy. Many companies have also adopted a formal or partially formal approach to risk oversight and management at the board level—for example, by creating an enterprise risk committee that regularly reports to the board.
However, these organizational shifts alone are not enough. Governance is perhaps the most important factor in ensuring effective risk management across the organization. Here are six governance principles to help your company unlock the full potential of risk in the C-suite.
Elevate the role of the risk manager
By redefining and elevating the role of the risk manager, organizations will be better able to identify, assess, and manage enterprise risk. Risk managers are positioned to provide significant value by taking a holistic and enterprise view of risk; by embracing new risk techniques (such as data analytics and risk modeling); and by rethinking access to capital to match risk-management needs. When the executive team empowers risk managers across the organization, risk management can serve as a strategic benefit and a competitive advantage in the market.
Establish clear ownership and accountability
Effective risk management calls for clear ownership and accountability at the executive level, backed by incentives tied to key risk metrics. Regardless of where risk sits in the organization, every person in the C-suite and below should be able to identify the primary owner of enterprise risk. Ownership is more than a title or a job description; it needs to be backed by strong performance management, including incentive alignment and accountability mechanisms that are measured against key risk metrics.
Integrate risk with the business
Risk is everyone’s business, and each member of the C-suite should recognize that managing risk is a crucial part of their job. This requires a deep understanding of risk as it relates to their respective function or department, as well as frequent, two-way communication with the enterprise risk owner. When this is done well, each executive owns a piece of the puzzle. Those pieces can then be integrated into a holistic and comprehensive view of the organization’s risk.
Build alignment on risk prioritization
Enterprise risk ownership starts at the top, and enterprise risk priorities must be purposefully cascaded and aligned across all levels of the organization. Too often, there is a disconnect between the top risks defined by the C-suite and the set of risks that are prioritized by the rest of the organization, which can lead to blind spots and inefficient allocation of resources. Leaders can bridge this gap by creating broad awareness of the top enterprise risks and emphasizing the role that every employee plays in effective risk management.
Set the tone and the culture
The executive team plays a crucial role in setting the tone for a healthy risk culture—the day-to-day mindsets, attitudes and behaviors that sustain effective risk management. In addition to creating awareness and alignment on risk priorities, leaders can provide ongoing training and education, model transparent communication, and champion strong risk management practices. When risk management is embedded in the DNA of the company, every employee will be able to make decisions through the lens of risk.
Define clear goal posts to evaluate decisions
Companies must determine and quantify their risk appetite by defining clear goal posts that reflect the amount of risk they are willing to take on. Then they can put a process in place to ensure that strategic decisions are filtered through this risk framework. For example, any proposed capital investment project above a certain amount would need to be evaluated against risk thresholds before being presented to the board.
Such risk management processes often force executives to shift from quarter-to-quarter thinking to a long-term view of strategic decisions and their associated risk impacts. Indeed, organizations that proactively adjust their strategies to the evolving risk landscape will have a better chance of surviving and thriving in the decades to come.