Risk Governance: The Importance of Acknowledging Risk

Strong risk governance is about risk acknowledgement, accountability and clear mechanisms for risk-based escalations and delegations. Under a well-built governance framework, acknowledged risk-taking can be rewarded - even when the results may be considered failures. Surprises, moreover, can be attributed to their accountable owners.

Effective risk identification processes will yield issues, sometimes referred to as problems, cases, incidents, risk responses and findings. Risks and issues differ. A risk is a potential failure, while an issue is the actual failure.

Issue management is the identification statement of problems that require remediation to achieve the following objectives:

• Reduce residual risk;
• Remedy an internal audit finding;
• Address external environmental change, such as regulations;
• Eliminate or reduce a cyber vulnerability; and
• Ensure third parties operate within contractual boundaries.

All business areas and functional groups can be the sources of issues. Figure 1 provides some illustrative examples.

Figure 1: Illustrative Sources of Enterprise Issues

Issues are risks that have occurred, and they emanate from across an organization's core business and functional groups.

Through formal and informal channels, customer compliants will reveal unmet expectations and business failures. Risk management identification and assessment processes, meanwhile, will reveal issues in business processes and from loss events. (Issues should be triggered by risk levels exceeding appetite.)

Internal audits will generate findings, typically around control enhancements. Third-party management, on the other hand, will typically generate many issues related to procurement, onboarding, monitoring and offboarding - but there may be a dollar threshold for reporting.

Human resources management will manage cases (often highly confidential) related to employee conduct and complaints.

The mature issue management process typically includes the steps highlighted in Figure 2.

Figure 2: Issue Management Process

Let's now take a closer look at each of these steps:

Identify Issue. The groups shown in Figure 1 will have different approaches to identify issues. Issues can be linked to a standard risk and root-cause taxonomy. Regardless of the source, issues should be documented with the same metadata. Smart phones allow all employees to participate in this process, and external data sources - such as social media and press coverage - should be considered.

Rate Risk Level. Issues should be prioritized based on a risk rating. A common data model for collecting data about an issue, regardless of the source of the issue, can ensure standardized issue and action plan tracking and reporting.

Create Action Plan. Regardless of the source of the issue, the action can be proactive or reactive. In forming the action plan, a firm should not only consider how it's going to halt the source (or sources) of an issue but also establish a strategy for mitigation and insurance.

Estimate Remediation Costs. Cost estimates can help ensure costs of remediation are understood and weighed against benefits. Costs should be characterized as operation and maintenance (O&M) or capital - or both. Aggregate costs can also be evaluated versus total capital budgets.

Gain Approvals. Issues and related action plans should be approved by both the issue owner and action-plan owners to reinforce accountability.

Report. Issue data should be aggregated and reported centrally. Artificial intelligence techniques can help identify related issues and overlapping action plans. To re-emphasize strong risk governance, reporting can be gamified as timely remediation leaderboards attributable to business owners and regions.

Parting Thoughts

Like everything else in enterprise risk management, there's both relevant behavioral analytics and a lot of art in ensuring that strong risk governance is supported by a comprehensive, timely (yet simple) process for tracking issues and completed action plans.

Action plan remediation reinforces strong risk governance and allows risk owners to demonstrate credibility, even in the most challenging business environments.

Brenda Boultwood is the Director of the Office of Risk Management at the International Monetary Fund. The views expressed in this article are her own and should not be attributed to IMF staff, Management or Executive Board.

She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Currently, she serves on the board of directors at the Anne Arundel Workforce Development Corporation.

Earlier in her career, Boultwood was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. She also previously worked as the global head of strategy, Alternative Investment Services, at JPMorgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services.