Risk Reporting – The Double Edged Sword

“To be, or not to be, that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles,
And by opposing end them?”

 – By Shakespeare in Hamlet

Risk managers frequently contemplate along the same lines as Hamlet when they are issuing risk reports. They shouldn’t face dilemmas when issuing reports, because it is a cut-and-dried subject. However, organization culture and politics play a deep role in ensuring effective risk reporting. The culture can either give the freedom and courage to report honestly, or cause fear of reporting bad news.

The problem is big. In just around 50% of organizations, risk reporting is effective. The Economist Intelligence Report – “Too Big To Fail?” survey of financial institutions supports my point. The report states that:

  • 53% of boards have become more demanding about risk reporting.
  • 55% of respondents state that the chief risk officer has the mandate to report directly to the board.
  • Just 13% of respondents say that risk reporting is very effective and 41% consider it effective.

This shows that though boards are demanding better reporting and giving support, risk reporting is still ineffective. Hence, the question is – under what conditions is risk reporting effective, and what is deterring risk managers from reporting properly? I am giving here three scenarios – good, bad and ugly – of risk reporting.

1.    The Ideal Situation

The tone at the top determines risk-reporting effectiveness. In such a scenario, senior managers encourage juniors to give negative feedback, maintain transparency with employees and set up a healthy organization culture. The board takes its risk management responsibilities seriously. Senior managers discuss risk reports and address negative observations. Key attributes are:

> The organization’s constructive culture ensures issues are systematically analyzed and solutions implemented. People do not become targets due to lapses identified in the report.

> The Chief Risk Officer (CRO) and/or Chief Audit Executive sits at board level, reports to the CEO, and has adequate authority and political clout to drive risk management initiatives.

> The board/senior managers accept the CRO’s opinion when it is contrary to their ideas and encourage constructive confrontation in the board.

> The organization has effective policies to prevent retaliation against risk managers and employees who report negative aspects to senior management.

In such a scenario, risk managers confidently issue accurate reports on a timely basis and present them to senior management.

2.    The Mixed Bag

An organization’s internal politics and power structure affect the way management deals with a risk report. If the culture is excessively aggressive and political, a few business executives’ jobs are on the line when a risk report is issued. To save his/her own skin each executive gets a poodle in the fight. The board is somewhat focused on risk management but does not have its act fully together. Management implements some reports and pushes others under the carpet. Key attributes are:

> The politics in the organization is stronger and affects the outcome of the report. Sometimes employees of another senior manager’s group are targeted to settle personal agendas. The level of disengaged employees is high.

> The CRO is either not appointed or does not have board level visibility. Therefore, the CRO lacks authority and political power within the organization.

> Multiple stakeholders within the organization have different and conflicting perceptions of the business benefits of the risk management function.

> The CRO’s presence in board meetings is in name only, and he/she is not allowed to present views contrary to the board’s views. CROs are expected to toe the line of senior management.

> Risk managers’ ideas can be killed due to death-by-association, as the risk management function is either not respected or perceived negatively. To some level, business executives gang up against risk managers and may retaliate if risk managers push them.

In such situations, risk managers walk a tightrope and may only submit partially accurate reports to senior management. To protect themselves, they may not disclose key issues that sometimes trigger political warfare.

3.    The Horror Scene

The organization has a destructive or deviant organization culture where senior management and/or a group of employees are hell-bent on sabotaging the company for personal gains and revenge. The other executives become silent spectators and go along to get along with the destructive group. The destructive group exercises power through threats and punishment. Risk reporting in such situations is in name only and the destructive group’s permission is sought before circulating the report.

>  Two situations can occur. First, senior management or a senior manager is leading the behavior and the tone is set at the top. Second, risk managers, i.e. fraud investigators, information security officers and internal auditors, turn deviant. They become stronger than the business executives by using their reports, skills (for example, hacking threats) and company resources to damage business executives.

>  Risk management function heads do not directly report to the CEO. Various heads exist for different risk functions with each playing their own game. This reduces their responsibility and accountability to senior management.

>  A CRO hasn’t been appointed and risk management heads do not report to the board. The board as such does not consider risk management a useful function for business.

>  If senior management/managers have inculcated the deviant culture, the retaliation against a risk manager or business executive who refuses to conform is strong. The concerned employee will be harassed, bullied, threatened and terminated.

The situation becomes explosive and the CEO/board may hear the bad news only when shit hits the roof. The legal and reputational risks are high, as risk managers do not submit authentic reports. Hence, the CEO/board may be taken by surprise at any time, especially if the organization is spread across different geographies.

A good indicator for the CEO/senior managers that things are going wrong is when they hardly hear any bad news. All business and risk managers report that things are hunky-dory. This means that business and risk managers are in collusion to hide negative information from management. Most of the fraud symptoms prevail in the organization.

Closing Thoughts

While the first responsibility of risk reporting lies with risk managers, the circumstances surrounding them must be looked into to check for reasons for failure. The tone at the top matters a whole lot, and if a perception exists that senior managers have a cavalier attitude towards risk management, the same will flow down the organization. In such situations, it will become difficult for risk managers to maintain their independence and integrity while reporting.


The Economist Intelligence Report – Too Big To Fail?