The Institute of Internal Auditors just dropped an unsettling new report on the state of risk management. Namely, corporate board directors believe their organizations are better at managing key risks than corporate executives do — and an uncomfortably high number of executives and directors say that misalignment is OK.
The report, OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk, surveyed more than 600 internal audit executives and followed up with 90 in-person interviews of audit executives, senior executives, and corporate directors. It makes for dense and abstract reading at some points, but also raises thought-provoking questions about risk management systems and how well information is rising to the proper levels within an organization so senior leaders can understand what’s going on.
Start with that finding that board directors and executives have different perceptions about how well their companies are managing risk. Figure 1, below, tells the tale. The blue dots represent management’s confidence in risk management. The red dots are board directors. As you can see, across 11 enterprise risks, boards are more confident than executives — which is alarming, since executives are closer to the organization’s reality than board directors.
So where might that discrepancy come from? The IIA report has a few theories, none of them good.
Boards may be failing to critically question information brought to them by executive management due to either receiving insufficient information or from limitations in their own competencies to understand and evaluate risks. The finding also suggests executive management may not be fully transparent with the board about risks and their own reservations about their organizations’ ability to manage them.
“Limitations in their own competencies” — quit snickering, people! It’s a valid point. Corporate governance theorists talk all the time about the need for cybersecurity, compliance, and technology expertise in the boardroom. They also talk about the need for more diverse boards, with more women, minorities, and young executives.
Well, if the alternative is a bunch of semi-retired fossils who sit around waiting for management to spoon-feed them the latest briefing book, that alternative would look a lot like what this data is telling us. It also looks a lot like that Marchand v. Barnhill decision from the Delaware Supreme Court a few months ago, which reminded all boards that they have to, ya know, look around and ask about stuff.
And before management executives pat themselves on the back, notice that the two risks where management gives highest marks are board information and corporate culture. As the IIA report notes, those are subjects “often correlated with executive management performance.” One wonders what lower-level employees would say about management’s ability to know which end of the corporate culture is up.
The Perils of Misalignment on Risk
The IIA report also found that a majority of survey respondents said misaligned views about risk are inevitable; some even considered such misalignment “healthy.”
Oh, hell to the no. That attitude is the start of a slippery slope that leads to an organization suffering some risk management failure that seems painfully clear in hindsight, with lots of insiders pointing fingers at each other while investors, consumers, and regulators scream bloody murder.
As the IIA report astutely noted, misalignment around individual knowledge of a risk is to be expected, because executives will have various perceptions of a risk based on their various roles.
But that’s not what we’re talking about. We’re talking about different opinions on the organization’s ability to manage a risk. On that subject, the IIA report says, “misalignment on the perception of the organization’s capability to manage a risk is a serious concern.”
For example, if the board believes the company is great at addressing cybersecurity risk, while management is freaking out over an inability to address insider threats abusing poor access controls — that’s a recipe for disaster. It could lead to a data breach, followed by enforcement actions from the Justice Department, with the SEC tacking on some disclosure violation to add insult to injury. Meanwhile, your brand reputation is in ruins while executives try to pin blame on each other. Awesome.
“Acceptable misalignment on risk is a risk itself that’s shortsighted and simply unacceptable,” IIA president Richard Chambers said in a press release accompanying the report, and I couldn’t agree more.
“The burden is on management to provide the board with an accurate picture of risks that may negatively impact the organization as well as those that present opportunities,” Chambers said. “But board members also must seek out informed and objective assurance on the information they receive, and internal audit is uniquely positioned to provide that truly independent and enterprise-wide perspective.”
Which is pretty much what the Delaware Supreme Court said in its Marchand decision, really. (Plus a plug for internal audit since this is an IIA report, after all.)
How This Matters
This matters because enterprise risk management — that is, gathering together data about all the risks the company has, so senior leaders can steer the business forward more effectively — is becoming more important to a company’s success. Yet this report raises serious questions about a company’s ability to do those things.
First, remember why risk management is becoming more important: because companies’ stakeholders are saying it’s more important.
Now, those stakeholders may not always understand that’s the message they’re delivering — but it is. When the SEC dinged Mylan $30 million the other week for disclosure failures related to pricing questions over its EpiPens, that was a stakeholder saying enterprise risk management matters. When consumers screech about a data breach because the company was PCI compliant, but didn’t understand the security risks in its network architecture, that’s a stakeholder saying enterprise risk management matters.
We could go on all day, but you get the basic point: when one part of the company believes a risk is under control, but that same risk resurfaces in another part of the business and causes a mess — that’s a failure of enterprise risk management. More and more often we then see others say, “How could you let this happen?”
Well, at least partly, they let it happen because the company’s senior-most leaders had different perceptions about the ability to manage risk.
Which is what the IIA report concludes, and that conclusion is worth thinking about, because it’s not like enterprise risks are going to recede in the 2020s. Companies need to understand how well they’re responding to risks. Right now, they don’t.