
When the board insists on a list of the top risks

December 5, 2022

Recently, Tim Leech asked this question in a LinkedIn post:

What should a CRO or CAE do if the board insists they still want a list of “top risks” plotted on a color risk profile; and soundly reject the ISO view “risk” is “effect of uncertainty on objectives”, and COSO position “risk” is “the possibility that events will occur and affect the achievement of strategy and business objectives.”

My comment in response was:

The roles of the CRO and CAE should not be mixed up like this.

If the company is managing a list of risks instead of the business, the CRO has a clear opportunity and obligation (IMHO) to show a better way.

Continue to provide a list of risks (it still has some value), but team with performance management to provide (as I explain in my books) a list of objectives, their current status, and the likelihood they will be achieved by the end of the period.

The CAE is in a very different position, unless they are also CRO (in which case, the above applies).

The CAE should not assess and provide an opinion on whether the company is in compliance with its risk management policies.

Instead, the CAE should provide an opinion on whether risk management practices meet the needs of the organization. That will entail pointing out how a list of risks fails to drive decision-making and success.

While it is difficult, as Tim points out, to tell the boss that they are wrong, whether we are the head of risk management (CRO) or internal audit (CAE), we have a professional responsibility to provide leaders with what they need.

Sometimes, they don’t know what they need!

Their experience, which may be at other organizations, has put them in a box. If they liked what they had before, it can be difficult to change.

As I said in my comment, we shouldn’t mix up the roles and responsibilities of the CAE and CRO.

The CRO is responsible for helping management and the board understand what might happen, so they can make the appropriate strategic and tactical decisions necessary for success.

The CRO helps management and the board take the right level of the right risks.

While a list of top risks has some value, it is not enough to inform decision-making.

In fact, it is rare for a decision-maker to refer to the list of top risks in making an important business decision – whether strategic or tactical.

In fact, a list of top risks is going to be out of date very soon after it is prepared, since business conditions and risks are changing all the time.

A list of top risks has value when it comes to making sure the risks that merit specific and continued attention are getting it.

But the business is run every day.

Every day, decisions have to be made that not only need to consider what might happen (risk and opportunity) but will also create or modify existing sources of risk and opportunity.

The CRO and their team add more value when they enable daily activities and decisions to be of high quality.

I have advised CROs, management teams, and boards to integrate performance and risk management. The CRO should work with the CFO and others to ensure leaders understand whether, considering current status and what lies ahead, the organization is likely to achieve its objectives for the period.

When I have shown them examples of such reports, explained in my books (such as Risk Management for Success), they have embraced them.

A list of top risks becomes a secondary source of information.

The CAE is in a different position.

The CAE has a responsibility for providing assurance to the board and management that risk management practices are effective.

But that is not achieved when it is limited to the periodic review of a list of top risks.

When that is all the board receives, board oversight of risk management is insufficient.

My advice to the CAE is to work with the CRO first. Try to get the CRO to provide the board and top management with an integrated risk and performance report.

After all, it is risk to objectives that needs to be addressed, not risk in a silo, out of context of running the business.

I would also work with the CEO (or other top management influencer, but the CEO is going to be the decision-maker), helping them understand what is missing.

Help them understand how effective risk management helps them succeed, not just avoid hazards and tick the compliance box.

The CAE should audit risk management and report its deficiencies, the primary one being that a list of risks (or a heat map) is insufficient.

So much more value can be derived.

I welcome your thoughts.

  1. GSosbee
    December 7, 2022 at 7:09 AM

    Agree the CAE has no business in this discussion. If the boss asks for a list of “Top Risks,” you give him a list with data from the Risk Dashboard supporting your position. Generally, you don’t know why or to what use the boss is going to use the information.

    Sooner or later, the boss will learn how to use the Risk Dashboard, which is when issues start since they usually do not understand what goes into it.

  2. Hyder e Karar
    December 7, 2022 at 8:33 PM

    Greatly defined risk with a CRO and CAE perspective


