Risk Governance in Risk Management
Hello and welcome to this session. What I am going to address today is an area that is not really understood, as the function that it is and that is risk governance. Now, we all understand the term governance, about how organisations are directed and controlled. Well risk management needs the same governance approach. Because ultimately, the inputs of risk, particularly at the operational level are going to inform risk decisions or decisions made at the higher levels. So you need a governance structure on top that identifies or that is able to assure that; a. everything is being done, b. that the inputs that are being provided are of a quality that allows decisions to be made and that c. those decisions are actually being made and that all of the reporting is moving up the chain.
Now, I have seen models where we have used first line of defence, second line of defence, third line of defence. The first line of defence is our risk owners; they understand the inputs that are required from them. The second line of defence is risk is the line management and they are challenging the assumptions; they are challenging the inputs and the data that is being captured by the first line of defence. Then the third line is the external, the third party or somebody within the organisation like an internal audit organisation that is looking at whether you are compliant with what you are saying you were going to do in your risk policy and how mature is your approach to risk management.
Now, what we also see is a whole range of committees that are set up, what we need to make sure in those risk or audit committees is that those people on those committees have the necessary level of skill to; a. challenge what is put in front of them and b. make decisions about the information that is put in front of them. Simply having an audit and risk committee doesn’t mean that you have that level of skill. You need to have those skill levels at the board or committee level so they know what they are looking at and how to interpret it. What troubles me is what I am seeing from a number of organisations where the same things are being reported, up the chain, 6-12 months in a row. As a monthly or a quarterly report, and nobody amongst that government chain, is challenging to say, “well hang on, why am I getting the same risks at the same level, all of the time.” Because by definition, if those risks are outside of our risk appetite then we should be doing something to bring that risk level down.
If we don’t challenge the people to say, “Well what have you done about it? Why is it at that same level? Why haven’t you brought this risk down?” Then the audit and risk committee and the risk governance structure is just in name only, it doesn’t add value to the organisation. So regardless of the inputs below, the reporting becomes reporting for reporting’s sake. So if you have got an audit and risk committee and you really don’t have a very sound risk management framework, then my question and my challenge to you is what does your audit and risk committee actually do? Because if you don’t have a framework (an effective framework) your internal audit is not aligned to your risk management framework and therefore it is not an risk based approach even though you might call it that.
Essentially what I am saying, and it goes with the blogged that I talked about skilling at all levels of the organisation, you need to understand what it is that you are looking at and what do you want to do with it. And if there is no action or if there is nothing happening as a result of that reporting it becomes reporting for reporting’s sake. The people down below get disenchanted with the risk management frame work and it starts to fall apart. The risk governance aspect is an absolutely critical part of the effectiveness of your risk framework. So you need to think about those governance structures but you also need to make sure that everyone in that chain has the necessary skills to be able to do their part. That’s all I have got for this session, I hope you found it informative, and as always, let’s be careful out there.