This is the first study of risk performance of board risk committees and enterprise-wide risk management. The study opens the “black box” of risk management at the board governance level and reveals new findings and surprising insights into improving board governance and the ERM risk function. Read the Full Report Here
2020 has become one of the most disruptive years in history. A global pandemic, wildfires, cyber threats, social upheaval, and the greatest recession since the Great Depression. Good risk management has never been more important!
Global Compliance Associates, LLC, an enterprise risk management consulting firm, has conducted a first-of-its-kind study examining advancements in risk performance of corporate boards’ risk and audit committees and the risk function.
This study includes an exhaustive literature review of corporate boards and enterprise-wide risk management. The findings are provocative and explain the structural, legal, and conceptual limitations that have hindered good risk management. The study provides insight into incremental advancements in risk practice along with opportunities to enhance board governance and risk management.
Key Takeaways
My first observation is that risk management is thriving even though the discipline of risk has evolved organically or borrowed from other disciplines that are unrelated to traditional risk practice.
This helps explain why corporate risk management has not advanced to the C-suite in the same manner as business disciplines of accounting, finance, and marketing for example.
Secondly, there is a void in existing academic study on the functions, processes, tools, and measures of risk performance at the risk and audit committee level. Additional research is needed to evaluate the processes used by board committees to address key risks for the enterprise.
Questions for Further Study
How can board governance improve financial reporting of the risks that matter to key stakeholders? How is risk information created? Is the information derived purely from internal audit or is there an aggregation of key risks? Are key risks communicated through the CEO, risk/audit committee, or senior risk executives? What are the mechanisms to decide how to mitigate key risks or accept them on an ongoing basis? How does the board measure its own performance in risk reduction? Does the board use risk-adjusted returns on investments?
These and other questions are not addressed in empirical evidence in existing research, suggesting a number of strategies can be deployed to better measure board governance performance beyond trailing metrics of financial results, debt financing or other matters that may be arbitrary to the actual results of the firm. Firms that demonstrate better board risk governance will be better prepared to achieve greater performance for all respective stakeholders.
An Emerging Discipline
Enterprise-wide risk management is an emerging discipline of institutional study that lacks a grounding in science. Enterprise-wide risk management could become a branch of organizational science or organizational behavioral science. Organizational science is both a science and a practice, founded on the notion that enhanced understanding leads to applications and interventions that benefit the individual, work groups, the organization, the customer, the community, and the larger society in which the organization operates.
Organizational behavior (OB) is the multidisciplinary study of employee interactions and the organizational processes that seek to create more efficient and cohesive organizations. Both of these disciplines may be good candidates in which enterprise-wide risk management could become a branch of study and research. It is very surprising that ERM is not rooted in the existing sciences of today.
The Missing Element
Lastly, I am surprised that one of the most recent advancements in risk practice, Prospect Theory, is not recognized as an innovation in risk management. Behavioral science addresses the one element that all other risk frameworks ignore – intentionally or inadvertently – the human element. The common denominator of all decisions, success or failure rests with the human element. If risk management is about the quality of decisions about strategy, risk, controls and so much more why has the risk management industry missed the one element we should not ignore – the people in the organization? A cognitive risk framework for cybersecurity and enterprise-wide risk management was created by the author to fill the gap in existing risk frameworks.
2020 has been fraught with change and disruption creating a great deal of uncertainty which creates an opportunity for good risk management and board risk governance to provide clarity through the fog. Never before have the tools and technology to manage risks been better suited for this time. I hope that this study provides new insights into current risk practices and opportunities to advance your risk program with better clarity as you plan for the future.