A risk challenge culture
This report – drafted in partnership with ACCA – discusses the need to develop and implement effective risk oversight since the financial crisis.
"A risk challenge culture" draws on discussions from the ACCA–IMA Accountants for Business Global Forum and insights from ACCA–IMA roundtables held in Dubai, London, and New York City in late 2013. In these sessions, the participants discussed the following essential elements of a risk challenge culture: professional skepticism and board oversight of risk; board diversity and expertise development in enterprise risk management (ERM); conversations and roles in a risk challenge culture; information asymmetry and risk reporting; decision making and cognitive biases; risk culture – assessment, diagnostics, and signs; risk appetite; strategy and risk; and incentives and risk.
- A risk challenge culture requires that board members and the C-suite approach their risk oversight responsibilities with a ‘questioning mind’ and make ‘critical assessments’ of the effectiveness of their organization’s risk-management process.
- The board, if it is to avoid being a risk itself, should reflect diversity in skills and experience, and be knowledgeable about ERM. Formal training may be necessary to acquire the requisite knowledge.
- The responsibility for leading and sustaining a viable risk challenge culture lies in the board and its committees, the C-suite and risk-owning operating management. The board, in concert with the CEO, sets the tone from the top regarding the openness expected in risk discussions.
- It is important to minimize information asymmetry between the CEO and board in risk reporting. It occurs when the board fails to receive key risk information on a timely basis or at all.
- Cognitive biases in decision making can be a serious impediment to developing an effective risk challenge culture. It is essential to recognize that these biases exist – and they are well documented in the literature – and put mechanisms in place to minimize their impact.
- It is critical that organizations begin the process of establishing their risk appetites and risk tolerances, and communicating them to all organizational levels, and then furnishing updates as needed.