The C-level executives guide the company regarding its objectives and plans.
This information is critical in developing an effective risk management frame-
work. After all, if you don’t know where you’re going, it’s hard to figure out
what might try to stop you or slow you down.Strategy and planning starts at the top, but it builds on input from the whole
company. Line of business executives do their budgets as input to the corpo-
rate budget. Plans and objectives are set at the top, but also at the depart-
mental level.48 Part I: Governance, Risk, and Compliance Demystified
Reticence about risk
Not all corporate cultures are willing to talk
about risk. Here are some attitudes that prevent
frank discussion of risk:
Risk is negative.Some people think that risk is
negative and so, in order to be “positive,” they
avoid discussions of risk. Such thinking reflects
an outdated understanding of risk in which risk
is viewed as something bad rather than as a
positive force that can both protect value and
actually create value by helping companies find
new opportunities and manage those opportu-
nities effectively.I don’t want to be the bearer of bad news.If we
have a corporate policy of shooting messen-
gers, there will be some fear about bringing up
what can go wrong. This requires cultural rein-
forcement that we want to know what the risks
are: how the deal could possibly fall through,
what factors might cause the product to be late,
or whether our supplier is showing signs of
instability and may not be able to supply. The
point to make here is that we are trying to take
into account all risks at an early stage to see
how we can mitigate the risk and increase our
chances of success. Remember that even
promising new business opportunities can be a
risk if we don’t prepare for the increased capac-
ity that success will require.If you know my risks, you know my strategy.
Who wouldn’t like to be in the other team’s locker
room and find out what plays the coach is plan-
ning to use in the Super Bowl? Information about
risks is strategic, so it must be treated as privi-
leged information, just like any other aspect of
corporate strategy. For this reason, although you
want risk to be part of the culture, you have to
think about who is trustworthy enough to have
the complete picture of all the risks. Educating
people about risk should include a vetting
process that employees go through before being
included in risk management discussions.
Furthermore, risk information may sometimes fall
under attorney-client privilege and thus must be
managed within the legal department; it’s impor-
tant to support this kind of clear authorization.
I can’t let my risk managers network.Risk man-
agers obviously must be discreet and savvy
enough to know what they can network about
and what they can’t. Although risk information
is strategic, competing companies face many
of the same risks, particularly regarding com-
pliance with the ever-increasing number of reg-
ulations. Networking about best practices —
while not revealing corporate secrets — is
key to developing in-house expertise in risk
management.