Questions to ask about GRC – #9: Voice of Risk
9. Is the voice of risk heard?
Some of the failures of governance and risk management have occurred when those responsible for understanding risk (whether in a risk office or in management) have not been heard. More senior management has either overridden or suppressed their views; in some cases, risk officers who have spoken up have been terminated.
The essence of this point is to ensure that those responsible for governing and managing the organization receive reliable risk information. If management filters risk information inappropriately, the impact on the quality of decisions can be significant.
The voice of risk needs to be heard both by top management and by the board. Each organization will need to determine how best to achieve this. For example, should the Chief Risk Officer report at a level within the organization that effectively guarantees he will be heard? What ability does the risk officer have to discuss risk with the board – and how appropriate is that? Care has to be taken to ensure that management retains responsibility for managing risk; that responsibility can be damaged if a Chief Risk Officer is seen as being accountable for risk management.