Do I have risk governance and a risk culture?
Do stakeholders know the culture? Is the company organized correctly? Why do we think so widely about risk? These are important questions to answer to know where you actually stand.
Let’s focus on governance first
The first part of the question stated in our title is easy to answer. Do we have the governance documentation in place? Do we have the committees in place? But then comes the trickier part. Does it work?
When the risk governance and risk culture work, the company's stakeholders know what risk is, how to handle it and when to escalate it. Let’s decompose this statement.
Let’s get the Stakeholders in the picture
Why do we talk about stakeholders, and not just people working in the company? As any company is part of an ecosystem, the way it manages its risks also impacts the parties outside of the company. Symmetrically, the way the parties outside the company transact with the company modifies its risk profile.
For example, say you build public lighting devices. To limit your risk of delivering a defective pole, you will set a defect rate on the light bulbs of 1 per 1 million. But, if you do not produce the light bulbs yourself, you will impose this defect rate on your provider. Hence, you need to explain part of your risk policy to one of your stakeholders.
What is the handling of the risk, at a high level?
The handling of the risk is the way a company will react to a specific risk. There are four ways to handle a risk:
- Accept it,
- Avoid it,
- Mitigate it,
- Transfer it.
The correct handling of the risk requires that stakeholders know what the company will do with the specific risks. If no guidance is given, the company can end up reacting differently to the same risk in different segments of the organization, generating de facto uncertainty. Similarly, without instruction, a group can end up taking default actions that are actually opposite to the company’s best interest.
The escalation process
Escalating, for those not familiar with the term, means that one level makes the level above it, or a level specifically in charge of such items, aware of something. For the escalation to take place, one needs to know who to escalate to, and how to do it.
Anecdotally, a company I worked with had to follow a specific accounting procedure that was building up foreign exchange positions for no specific reason but the ease of reporting on a specific item. As the position grew, the manager in charge did not know who to refer to in order to check what to do. When he finally figured that one out, he unwound the foreign exchange position, fortunately making a profit on the way. Had he known who to escalate this to, the issue would have been closed way quicker.
In our next article, we will detail a bit more the actions that can be taken to manage the risk.
Co-Founder & Partner
After 13 years as CFO of The Bank of New York Mellon, I had several positions that allowed me to cover a wide range of topics: general management of entities, Risk and finance management, corporate taxes, supervision of IT and operations, accounting, budgeting, creation and restructuring of legal structures, regulatory reporting, acquisition of companies, operational statistics, and management accounting.
My strengths are in Finance and Risk Management