Page 19 - Internal Auditor M.E. - June 2019
Risk Management
To comment on the article, email the author at james.creelman@gmail.com
Corporate Governance was believed to be essentially in good shape - robust and effective, as was risk management. It was, therefore, something of a surprise that many experts and reports pointed to a failure of corporate governance being a major cause of the financial crisis – or more markedly, a failure to properly understand and manage the firm's risk profile and exposure.

Governance is embedded into the RBPM approach, supporting the corporate level obligations and enabling those commitments to be cascaded through the organization. A greater focus by the board on demanding the parameterizing of risk appetite and then supervising how executives execute strategy within those boundaries is now a critical governance role and has been stressed in many reports by regulatory and expert bodies.

However, as part of the RBPM approach, governance also has a more operational, day-to-day role to play within an organization. This approach to governance is based on the RACI framework which has been widely used within the program and project management world. RACI is an acronym for Responsible, Accountable, Consult and Inform, and is used to clarify individual roles in the achievement of objectives and management of risks.

Culture

Culture is perhaps the ultimate strategy and risk management tool.

The importance of getting the culture right is often overlooked in major change efforts. Although few organizational leaders would publicly state that culture is less important than process, structure or technology, the fact is that due to its being so nebulous, and so difficult to define and to equate a precise financial figure to its effective management, it is more often than not “dealt with” through a nice sounding value statement and then either forgotten about or handed over to the HR function to manage. Many organizations live to regret this oversight.

The importance of getting the culture right cannot and should not be underestimated. Culture is, quite simply, a showstopper. Indeed, an August 2012 article in the Financial Times reported a survey of risk managers that found that 62% of major risk events were the result of culture, leadership or behaviour.

Get the culture right and objectives will more likely be achieved and risk managed. Get the culture wrong and failure will be just about inevitable; even though ultimate failure might well be preceded by a period of stunning financial success, as we have seen with many organizations that suffered catastrophic failure.

Communication

Communication is a key management discipline in any circumstance, and especially when large-scale change is taking place. Communication is critical when an organization is setting out to take an integrated approach to strategy and risk management and so has been included as a discipline within the RBPM approach – most notably in getting the appetite message across and in driving the correct behaviours.

Crucially, communication should be an ongoing process, rather than a one-off exercise repeated on an ad-hoc basis. Messaging must be a constant part of reinforcing the dos and don’ts around strategy, risk and risk appetite and the importance of balancing risk and reward must be fully inculcated. If these are not done, there is a pressing danger that decision-makers and indeed all employees might revert to inappropriate behaviours.

Parting Words

The rigour provided through the seven RBPM disciplines might go a long way toward ensuring that the organizational (especially financial) value delivered is sustainable over the longer term; that the pursuit of profit and the delivery of short-term and superior returns to shareholders is not at the expense of long-term value, or even continued survival.

As well as a day-to-day system for effectively managing the business, it provides a mechanism for effective performance oversight by corporate boards. The RBPM approach, with its emphasis on the integration of strategy and risk management, and specifically risk appetite, provides a framework for boards and senior executives to ensure that from a strategic direction and risk-taking perspective they can deliver lasting success as well as meet their corporate governance obligations.

Specifically, internal auditors should consider risk exposure versus appetite when assessing the rigour and robustness of the organizational controls on performance. When the former exceeds the latter on critical strategic thrusts, be they financial, customer, process, people or technological, the enterprise might, and often unknowingly, be engaging in a dangerous dance. The corporate boards of firms such as Enron, Arthur Andersen and many financial institutions would no doubt agree.

James Creelman is an advisor and trainer in strategy management and related fields and has worked extensively in the Gulf.