Without effective risk governance, you can forget about effective risk management. One definition of general governance is the process of decision-making and how decisions are implemented. This activity generally involves actors and structures, or people completing tasks that make the process effective and efficient within specific methods or processes.
Another more risk-specific view on this comes from the International Risk Governance Council, an organization devoted to this important aspect of our discipline. IRGC defines risk governance as "a systemic approach to decision-making processes associated to natural and technological risks, based on the principles of cooperation, participation, mitigation and sustainability, adopted to achieve more effective risk management that is convergent with other public and private policies. It seeks to reduce risk exposure and vulnerability by filling gaps in risk policy, in order to avoid or reduce human and economic costs caused by disasters."
While that's a mouthful and may not focus on the entire span of risks with which many of us are concerned, the depth of their view highlights the importance of ensuring that governance around your risk strategy and plan is fully developed and deployed before you move too far down the road of tactical execution.
As in most business functions, organization, structure and rigor are needed to drive consistent, value-added, impactful results from the management of an entity's risks. Without these, efforts are likely to be scattered, hard to interpret, lacking integration with other stakeholder disciplines like audit and compliance, inconsistent and even unhelpful.
At the point that any of these attributes attach to your risk management efforts, you're in trouble. Least affordable in today's stressed business environment are staff services that don't contribute to the effective and efficient performance of the company.
But, you ask: isn't governance a board function and doesn't that suffice for governing the management of risk? In fact, a good strategy for governing the risk management process rests heavily on the integration and alignment of corporate governance with compliance, audit and risk management.
This is the essence of the governance, regulation and compliance concept that has come into vogue in the last few years, and which has merit. The difficulty, of course, is that most often these disciplines are managed by separate functionaries with their own agendas, many of whom don't see the value of this alignment. True integration is not easily achieved under these circumstances, but can be well worth the pursuit when done with commitment.
Three key points about governance from the American Institute's text on enterprise risk management that relate as much to risk governance as to general governance are:
-- Governance is not just about regulation and legislation but "involves doing what is right for stakeholders"; governance is broader than boards and committees.
-- Compliance controls and audits.
-- Good governance requires "transparency of disclosure, effective communication and proper measurement and accountability."
Before you go too far in executing a risk strategy, you need to ensure that you have a risk governance plan that encompasses all of these elements. Failing to do so will expose you to executional failure and ultimately, an ineffective approach to managing risk.
CHRIS MANDEL is principal of Excellence in Risk Management LLC. He is a long-term senior risk manager and former president of the Risk and Insurance Management Society Inc.
February 17, 2011
Copyright 2011© LRP Publications