The Institute of Internal Auditors recently published the results of a survey that should leave compliance and audit executives uneasy. Its big finding: corporate board directors believe their organizations are better at managing key risks than corporate executives do.
The survey polled more than 600 internal audit executives, followed up by in-person interviews with 90 chief audit executives, board directors, and other senior executives. Across all 11 enterprise risks the survey asked about — third-party oversight, corporate culture, data protection, and more — board directors had more faith in the company’s ability to manage the risk than the corporate executives.
The chart below tells the tale. The blue dots represent the confidence of corporate risk management executives; red dots, the confidence of board directors. The bigger the gap between red and blue, the bigger the “confidence gap” between board and management.
Why is this a big deal? Because when we talk about confidence in managing risks, we’re really talking about confidence in the effectiveness of your risk management program — and apparently, we have a systemic disconnect between the board and management about that issue.
In today’s highly regulated, highly transparent business world, that disconnect — the IIA calls it “misalignment on risk” — can lead to disaster.
Third-party risk is a good example. If the board believes that the company’s third-party oversight is great, it might green-light expansion into new products or territories that depend on third parties for success. Why wouldn’t it? As the board understands things, the risks of corruption or sanctions violations are low.
Meanwhile, in reality, the compliance function might be struggling to keep pace with due diligence or monitoring — and now the board has piled on even more work.
Should that stress eventually lead to a compliance failure (FCPA violation, sanctions issue, money-laundering), regulators will ask about the company’s tone at the top and the effectiveness of the compliance program. And if it comes to light that there was disagreement or confusion about those things, that will lead to painful conversations: who knew what about weaknesses in risk management; what the board was told about compliance and risk management; how the board responded, and so forth.
That’s why this IIA study is important. That’s why every corporate compliance and audit executive should gauge how much their own board and management might be misaligned on risk. This allows you to develop one coherent view about the effectiveness of your risk management program, and how well it does (or doesn’t) support your business objectives.
Getting Into Alignment
Where does this misalignment on risk come from? The IIA report proposes two possible causes (emphasis added by me):
"Boards may be failing to critically question information brought to them by executive management due to either receiving insufficient information or from limitations in their own competencies to understand and evaluate risks. The finding also suggests executive management may not be fully transparent with the board about risks and their own reservations about their organizations’ ability to manage them."
OK, none of that is good. But for risk management professionals looking to have a conversation with their boards about program effectiveness, it’s a place to start.
First, does your board really have the right people, and the right structure? Corporate governance theorists talk constantly about the need for a group of directors who are diverse both in demographics and in expertise.
Well, this is why. Lack of diversity can lead to groupthink, where a homogeneous board sits waiting for management to spoon-feed it the next quarterly briefing book. There’s no skilled, probing look at risk assessment, or thoughtful discussion of risk tolerance. So start by (delicately) asking the board about how confident directors are in their own expertise for issues the company faces.
Second, does the company have good escalation procedures? That gets to the “receiving insufficient information” part mentioned above. The good news is that boards do worry about escalation — or, more accurately, they worry that the corporate culture doesn’t encourage timely escalation of risks.
Compliance and risk officers can ask board directors what risk information they want. At the same time, CCOs and CROs should also be clear about the information they believe the board should have, and the processes in place to generate that information.
Third, does management speak in a unified way about risk? That’s not to say all senior executives must parrot the party line to the board at all times. Disagreement is fine, and even healthy — so long as those disagreements are explored in a collegial, seeking-the-best-path-forward manner.
Trouble emerges when different executives spin different narratives about risk, and the management of risk, to the board. That’s the “management may not be fully transparent” part mentioned above. When disagreements are transparent, it’s debate. When they’re not, it’s subterfuge.
Fourth, does the company have a single, trusted source of risk information? The best way to quash misleading narratives about risk management is to draw from a single, complete, accurate source of information about risk.
Sure, executives might still disagree about the correct interpretation of that data, but it’s much harder to spin up entirely new narratives (read: baloney) about risk management when everyone can see the same pool of underlying data.
Will those questions solve all the misalignment about risk? No. But they do put board and management on a path toward reaching consensus — and that’s the key to closing that confidence gap to zero.