Most Boards & CEOs Fail With Risk Management
Key Takeaways
- Ineffective Risk Programs Are Widespread: Surveys show most organizations say their risk processes do not provide a strategic edge, with only 11% reporting a competitive benefit.
- Accountability Sits With Leadership: Norman Marks argues the CEO and the board are ultimately responsible for whether risk management delivers the information leaders need for success.
- Compliance Is Not Enough: Meeting regulatory, framework, and policy expectations does not guarantee that risk management supports strategic and tactical decision-making.
- Supporting Roles Must Step Up: CROs and CAEs need to challenge ineffective programs, assess whether risk management adds value, and push for change when it falls short.
- Structural Obstacles Undermine Effectiveness: Regulatory expectations, mandated independence, siloed board risk committees, and over-reliance on risk registers and heatmaps all contribute to risk management that protects assets but doesn’t create value.
Deep Dive
In this article, Norman Marks looks into why so many organizations continue to operate with ineffective risk management programs, even while acknowledging the consequences. Drawing on industry survey data and decades of experience, he explores how boards and CEOs often settle for compliance-driven approaches that fail to support decision-making, and why meaningful change must start at the top.
Why Leadership Accepts Ineffective Risk Management and What Must Change
Time after time, surveys show that the vast majority of risk management programs are neither mature nor effective in providing the information the board and other leaders need to manage and direct the organization to success.
For example, the latest survey from the ERM Initiative at North Carolina State University and the AICPA says, "In today’s rapidly evolving risk environment, most organizations still fall short. Only 11% say their risk processes offer a strategic edge."
Whose Fault Is That?
There are many you could blame for this failure to provide leaders and decision-makers with all the information they need, including:
- The Chief Risk Officer (if there is one)
But first ask whether there are strong mitigating factors that should reduce their sentence, such as:
- Mandates imposed by the regulators
- Budgetary and other resource constraints imposed by top management with the approval of the board
- Their lack of experience and training in effective risk management. Maybe all they know is how to develop a list of risks. Is that entirely their own fault when that is the expectation from the board and CEO?
- Direction from the CEO with the support of the board that limits what they do to developing a periodic list of risks
On the other hand, if the CRO doesn’t know how their program should be improved and made effective (or worse, knows but doesn’t try to change), then they should carry much of the blame. But not all, as the CEO and the Board should be demanding change and might be content with an ineffective program.
The CRO needs to learn what an effective risk program looks like and put a plan in place to get there.
- The CAE (Head of Internal Audit): Who has not informed the CEO and the board that risk management is not effective. Maybe they have reported on its compliance with regulatory expectations. Maybe they have reported on its compliance with company policies and risk limits. Maybe they have assessed compliance with an industry standard or framework. But that is not the same as assessing whether it meets the needs of the organization when it comes to running and directing the business for success. (See How Do You Audit Enterprise Risk Management?)
- The Regulators: Because they are demanding structure and processes that are not conducive to effective risk management for success. For example, mandating the total independence of the CRO from management can inhibit trust (especially by management of the CRO) and their ability to work together. Mandating a board risk committee that has separate and siloed conversations about risk while strategies are discussed in another committee is hardly the path to success. The regulators focus on protecting the assets of the organization rather than creating value while effective risk management should do both. The additional red tape imposed in processes that focus on managing risk instead of managing the business can make it more difficult to make the necessary and timely decisions to seize opportunities.
- COSO and ISO: While you could blame the organizations behind the standards and frameworks, these are only tools. Blame those who don’t use them well or hide behind them.
- The CEO and the Board
My vote goes to the CEO and the Board.
The CEO is responsible and should be accountable for the management of the organization, and that includes whether it has the people, processes, systems, and information it needs to be successful – including effective risk management.
Maybe I should explain what I mean by ‘effective risk management’.
It’s effective when management and decision-makers have the information they need about what may happen (a.k.a. risk and opportunity) to make both the strategic and tactical decisions necessary for success.
You can comply with all the standards, frameworks, and regulations but fail to help people make the informed and intelligent decisions necessary for success. Blaming the regulators is insufficient, as you can comply with their demands and also help management be successful.
By the way, a periodic list of the most significant risks (those meriting close attention) is useful as it provides information for decisions to be made about managing them. But it is insufficient as risk occurs and changes every minute across the extended enterprise. It is also insufficient as each decision-maker needs to know about the risks and opportunities specific to their current decision – and that’s not delivered by a high-level list of risks.
When risk management is assessed by executives and/or the board as less than effective, that is the responsibility of the CEO and the Board. I blame:
- The CEO for failing to ensure its effectiveness, and
- The Board for not demanding change. They are complicit in the CEO’s failure.
Maybe they can say they don’t know better. They don’t know that it can and should be better. Is that a viable excuse?
If they know it doesn’t meet their needs and don’t take action to find out what needs to be done (by asking the right people, not your local CPA firm), then they deserve what they get. Some practitioners believe that Boards and CEOs are complacent. They know risk management is ineffective and either don’t care or are happy with it that way.
I find that hard to believe. I think the issue is:
- CEOs and board members have only seen ineffective risk programs.
- They are getting bad advice from self-styled experts (including their CRO, COO, and CFO; consultants; software vendors; and academics who teach risk management) who preach risk registers and heatmaps.
- Their experience is that risk management doesn’t add value beyond compliance, and therefore they are unwilling to invest additional resources to it.
- They accept ineffective risk management because they don’t realize how it can provide “a strategic edge”, and they are unwilling to spend any of their time getting it fixed.
What Needs to Be Done?
- The CAE needs to assess and report on the effectiveness of risk management. The best way, in my opinion, is to ask members of the board and management whether risk management is helping them succeed, not just be in compliance or avoid hazards. Is the money invested in risk management well spent, and should it be increased? When that inevitably comes back in the negative, the audit team needs to see where the problems are and what needs to be done, and then help them get there.
- The Board needs to ask the CEO whether they believe risk management is effective, helping the management team make the informed and intelligent decisions necessary for success. Does risk management deliver more value than it costs, and does it provide a strategic edge? When the CEO admits that there are challenges, then the Board should demand action. When the Board recognizes that it is not getting the information it needs, it must demand action and hold the CEO accountable.
- The CEO should take the first step in any recovery program and admit that there’s a problem. Figure out who is needed to lead the revolution.
- The CRO needs to take the initiative. Self-assess the program (using the guidance I suggested earlier) and work with the CEO to effect the necessary change. In many cases, the change starts with the person in the mirror!