The 2008 global financial crisis exposed weaknesses in risk management across a wide variety of industries and corporate cultures. There is a growing perception that much of the weakness stems from deficient governance practices for managing risk. Some organisations that claim to have a robust risk governance structure have one in name only; the directors are not as actively engaged in risk oversight as they need to be. They often lack adequate training in risk issues and may receive unduly optimistic risk reporting. After a crisis, a typical question is, ‘Where was the board while this was happening?’
The need to develop and implement effective risk oversight has continued since the financial crisis. Organisations are still searching for systems that work well for their cultures and strategies. A promising model for the strengthening of risk oversight is the risk challenge culture.
A challenge culture is an environment that encourages, requires, and rewards enquiries that challenge existing conditions. When a subordinate is afraid to ask senior management about perceived risks, that is not a challenge culture. When a board member is satisfied with the CEO’s facile answer to a serious risk issue, that is not a challenge culture. When board members ‘rubber stamp’ management’s critical actions without serious debate, they have not acted as befits a challenge culture.
Developing a challenge culture for risk management and oversight is the next logical evolution for boards and C-suite executives as they seek to reduce risk in their organisations while recovery from the financial crisis continues. Stakeholders, regulators and even ratings agencies have a keen interest in the management and oversight of risk. This interest will continue to grow.
This report discusses the elements of a risk challenge culture. It draws on discussions from the ACCA–IMA Accountants for Business Global Forum and insights from ACCA–IMA roundtables held in Dubai, London and New York City in late 2013. In these sessions, the participants discussed the following essential elements of a risk challenge culture: professional scepticism and board oversight of risk; board diversity and expertise development in enterprise risk management (ERM); conversations and roles in a risk challenge culture; information asymmetry and risk reporting; decision making and cognitive biases; risk culture – assessment, diagnostics, and signs; risk appetite; strategy and risk; and incentives and risk.