Our Study found that it’s not uncommon for multiple executives and board committees to bear accountability for aspects of the same risks—especially when those risks, such as cybersecurity or privacy, span the global organization. At the same time, regulators and other stakeholders are increasingly insisting that an organization have a cohesive point of view and undertake clear accountability for such responsibilities as protecting consumer privacy and demonstrating operational resilience.
Adding to the disconnects, senior executives receive—with regard to the same risks—different insight from different risk functions, and the risk insight they receive may not be well-aligned with the organization’s business strategies or its risk appetite.
“We all need the same risk heat map and risk teams need to make that map come alive with specifics about what could go wrong and the coverage they are providing.”
Kate Walsh, board member, Wellcare Health Plans
Consider these steps to make sure a collaborative tone and appropriate governance of risk management are in place.
If perspectives on risk vary from one executive to the next, it’s time to hone risk-management program governance to ensure everyone’s clear understanding of, and accountability for, risk. This starts with setting a collaborative tone and boards and executives play major roles in pushing for collaboration between risk functions.
Boards and senior executives should insist on a consolidated view of their organization’s risk profile. To meet that requirement, an organization has to enforce the use of a shared data model as well as common risk assessment, issue management, and key-risk-indicator frameworks in order to aggregate and report in a comprehensive and coordinated manner.
The board, senior executives and risk executives must see eye to eye on risk priorities across the entire organization and risk landscape. Consolidated reporting facilitates that process because a holistic view of risk enables company leaders to have robust discussions and make informed decisions on where the company should focus its efforts. Such steps are the linchpins to making quick decisions that can then be formally communicated to cross-functional company leaders who own—and contribute to managing—the risks.
An organization should ensure that an enterprisewide risk appetite is well-defined, understood across the leadership team, and relied on throughout the organization to make collaborative, intentional, and unified trade-off decisions. Once the organization’s risk appetite is determined, risk functions should help monitor risk to that appetite and communicate whatever actions have to be taken when triggering events occur that could increase risk beyond the organization’s risk appetite level.
Risk Assurance Leader, PwC US