Ignorance Is No Longer an Excuse for Poor Board Oversight
Steven Minsky | Nov. 17, 2015
Gerry Grimstone, keynote speaker at the IIA’s recent conference in London, has a message for senior executives.
“You can’t easily blame a board member for not knowing something,” Grimstone said. “But you can blame a board member for creating a culture where he doesn’t know something.”
Grimstone spoke at length about the latest example of poor board oversight, Volkswagen’s recent side-steps in ERM and increasingly costly emissions scandal. “Do you really think there weren’t people who didn’t know that was going on?” he asked. “This wasn’t something that one rogue trader did on a Friday afternoon – this is much more extensive than that.”
To foster an environment in which key risks are identified and mitigated, what processes must be put in place to effectively manage risk?
The truth is that even the most robust Enterprise Risk Management programs will suffer if they’re not supported by a sustainable infrastructure. An organization can, and often must, conduct hundreds of risk assessments over the course of a year. Without a method of standardizing and relating front-line input, assessments become little more than an organizational survey, hiding valuable insights in disparate spreadsheets.
Grimstone also discusses the “tone from the top;” a need for an organizational culture where assumptions are challenged and ethical risk management practices are acclaimed, not neglected.
Organizations can measure their adherence to proven risk management principles with tools like the RIMS Risk Maturity Model (RMM). The RMM’s framework asks risk managers to assess a company’s ERM program by comparing it to best practices, such as whether risk management competency is part of performance reviews or the degree to which the company promotes internal self-governance.
Boards cannot be scouring the front lines for unreported risk, so it’s the job of risk management to be diligent in the risk assessment process and notify senior leadership if the program lacks the necessary maturity. A mature ERM program is a safety net. It protects boards and senior leadership from accusations of negligence by demonstrating a clear dedication to uncovering risk. It also provides transparency and assurance of on-time and on-budget achievement of corporate performance objectives.