Categorizing risks can seem alluring. Credit risk in this column. Liquidity risk in that one. Operational risk over there. Yet, beyond the scope of a single loan file at a single bank, there is no such thing as “just credit risk.” Risks are not isolated entities: they interact in complex ways, and organizational risk underlies most manifestations of risk across categories.
What is organizational risk? Put simply, it’s the risk that sub-optimal governance will lead to sub-optimal function of an organization, with other risks manifesting as a result.
Mitigating organizational risk means improving governance structure and function. There are several ways to do that, most notably:
Establish and reinforce tone at the top that aligns with the organization’s risk appetite and risk tolerance.
Allocate adequate budget to support and reward risk management functions and employees (aka put your money where your tone at the top says it should go).
Establish independent reporting lines where appropriate.
Report vital information promptly to all relevant stakeholders.
We’ll cover each of these in detail.
Establish and reinforce tone at the top that aligns with the organization’s risk appetite and risk tolerance.
What the CEO and senior management say and do matters. What the board of directors says and does matters. Who they support. Who they don’t support. How employees perceive their statements compared to their actions. Whether explicitly stated or implicitly inferred, the tone at the top steers an organization.[1]
Tone at the top also should align with the organization’s risk appetite and risk tolerance, which should be clearly and explicitly stated in writing and then socialized throughout the company by managers at all levels. Metrics should measure alignment with the risk appetite and risk tolerance. And risk mitigation should aim to keep the organization within the bounds of its risk appetite and risk tolerance.
On the other hand, if senior management professes the importance of risk management publicly, but their internal statements and actions don’t match those public proclamations, then tone at the top is contradictory, organizational culture will likely veer away from the stated risk appetite and risk tolerance, and organizational risk could balloon.
Tone from the top is also instrumental in setting and reinforcing cultural norms in an organization. For example:
Since a culture of fear tends to shut down questions preemptively and allow risk to build unnoticed and unremarked upon, how can the organization make it safer to ask questions, highlight potential risks, and make reasonable mistakes? For example, if someone observes a nascent risk, it should be easy and low-risk to escalate that observation.
Will the default presumption be that “risk wins” if there’s a major disagreement between business and risk managers, unless the business can muster a sufficient counter-argument? Or, will the default presumption be that “the business wins” unless risk can muster a sufficient counter-argument? These approaches may sound similar but lead to quite different outcomes. An organization should assess its risk appetite and risk tolerance when determining which approach it intends to build into its tone at the top. Even if it does not make a conscious choice, it will likely make an unconscious one, so it’s better to be conscious of what is happening.
Allocate adequate budget to support and reward risk management functions and employees (aka put your money where your tone at the top says it should go).
Budget is the concrete expression of management’s stated risk appetite and risk tolerance. If risk functions are budget-starved, it is nigh-impossible for them to keep an organization aligned with its stated risk appetite and risk tolerance. Yet, when money is tight, risk functions can sometimes find their budgets squeezed. If revenue-generating functions’ budgets prove more resilient, the logical outcome is that risk management functions will struggle to keep up with revenue-generating functions, and controls will struggle to keep up with innovation. That situation may be inconsistent with the organization’s risk appetite and risk tolerance.
Also, beware simply anchoring to last year’s budget numbers as a determinant of adequacy. Instead, ask how budget needs have changed since last year. What is now required, and why? In some companies, risk can change significantly from year to year, and budgets should respond to that reality rather than being set on past history alone. Risk quantification can help to justify budget requests.
Establish independent reporting lines where appropriate.
If budgeting is the concrete expression of the organization’s stated risk appetite and risk tolerance, independent reporting lines enable the concrete implementation of risk management. That’s because independent reporting lines give risk functions the clout to stand up to revenue-generating functions and have a chance to prevail.
So, what do independent reporting lines look like? There are many possible permutations, but in essence, risk managers should report to risk executives, who might report to the CEO or another C-level executive, and the chief audit executive ideally should report functionally to the Board Audit Committee and administratively to the CEO.
That doesn’t necessarily mean, for example, that a chief information security officer (CISO) must report to the chief risk officer (CRO) if the CRO is primarily a finance or energy expert. Each organization will need to assess its own executives’ knowledge and capabilities and establish the best reporting structure given those constraints. One option is for the CISO to report directly to the CEO, which is the approach Forrester recommended in a 2023 article. Another option is for the CISO to report to the chief information officer (CIO), although a 2022 report from Cowen states that CISO-CIO reporting is becoming less popular. Yet another option is a reporting line to the chief counsel.
Although there are many options, the key point is that burying risk functions within business functions with competing priorities is likely to fail. As an egregious example, you wouldn’t want a CISO reporting to the head of technology research, whose incentive is probably to push the company’s technology innovation forward.
In a related vein, it’s important to guard against letting one person wear too many hats within the organization, especially across business and control functions. For example, the executive accountable for shipping new technology should not also be the one who decides whether its risks are acceptable. Separation of duties enables checks and balances, which are vital for risk management.
As a final note, the stronger the revenue-generating functions are, the stronger the second and third lines of defense (independent risk management and internal audit, respectively) also need to be. A significant imbalance means organizational risk can skyrocket—and it can be surprisingly easy for the second and third lines of defense to start feeling aligned with revenue-generating functions. Standing up to people who are bringing in massive revenue is hard but vital for managing organizational risk.
Report vital information promptly to all relevant stakeholders.
If independent reporting lines are highways within organizations, then communication along reporting lines is the traffic on those highways. Ideally, this consists of rapid, focused reporting of well-supported[2] risk metrics to all relevant stakeholders. Rather than ending up siloed, suppressed, or minimized, reports that flow along well-structured paths can more easily reach the highest levels of the organization—and if tone from the top is risk-mindful, audiences at all levels will be more likely to welcome and act on risk reports.
This is probably not my final word on this topic. I keep coming up with more to say. But, for now, it’s time to send out this essay. I’ll revisit this topic again in the future, likely with system dynamics diagrams and analysis.
[1] For the avoidance of doubt: if your company’s tone at the top is implicitly inferred rather than clearly stated, it needs improvement.
[2] If risk metrics are supported with traceable evidence based on accurate data and rigorous modeling, those metrics—and decisions made based on them—are far less likely to be dismissed or overruled.
The question of whether “risk wins” or “the business wins” when there is a disagreement between them was an interesting one for me to ponder. My company most often lets the business win, which puts tremendous pressure on the team executing projects to get the thing off the ground even under difficult circumstances because of the amount of risk taken on. The high risk and no margin is exhausting for people, even when the result is still success.
A very timely article for me, thank you. I am currently working with a team, in an industry not particularly well known for a collective view on risk, where I simply couldn't find the correct articulation. Now I see a few bits of the jigsaw I was probably trying to place forcibly, perhaps even incorrectly. This has helped me to a very large extent, so again, thank you.