The financial crisis that brought the country’s largest banks to the brink of disaster illustrates perfectly what happens when an organization’s risk management practices break down, according to W. Ronald Dietz, a director and chair of the audit and risk committee at Capital One Financial Corp.
Despite clear signs, these companies didn’t see the impending crisis because directors responsible for establishing and enforcing proper risk management practices failed to do so. This failure has its roots in their respective corporate cultures, according to Dietz, who gave a keynote speech at ISACA's IT Governance Risk & Compliance Conference in Boston last week.
"I think in those companies that failed, culture was part of the overall issue," Dietz said. "There was some sense of comfort among many directors I talked to … I thought this was a great illustration of a breakdown of strategic risk in ways that people could see it in practical terms."
Understanding strategic risk at Capital One is very important in terms of decisions the company has made, Dietz added.
The breakdowns in risk management practices then and now aren't confined to financial institutions. He pointed to BP PLC’s handling of its disastrous oil spill this past summer as another example of a botched risk management policy and its subsequent widespread repercussions.
"Unless the board is really spending time on these risks and they are incorporated into the risk management process, companies are vulnerable to being surprised by some of these external factors," Dietz said.
Dietz stressed to conference attendees that they could be effective in risk management processes by working with their board of directors to help better manage the risk-return balance in an enterprise. Communication is critical, he said, pointing out that Capital One implemented an extensive risk management policy that encourages all levels of the organization to have their say if they see a potential crisis.
"It wasn’t just the CEO saying we can accommodate risk management and setting that tone, it was also a lot of work by him and other members of the company to have an open communication policy so people can come and say 'we have a problem here' and not be overly sensitive about it," Dietz said. "Here's a culture that says 'let's confront these problems as they exist' and admit that maybe something needs more work or something is difficult to manage."
The importance of risk management
Susan Gueli, senior vice president and CIO, Nationwide Financial Services Inc., echoed Dietz's thoughts on risk management and its importance to several levels of an organization during her conference presentation, "Driving a Shared Risk Agenda Across the Company."
"You don't have to have risk management as part of your title to have risk management as part of your role," Gueli said.
Accomplishing this is a lot easier said than done, she acknowledged, citing a number of reasons why. Roles among senior officers of these companies tend to be narrowly defined, and risk responsibilities within these roles are not always easily understood. Individual departments are more likely to be working independently, and risk tolerance across them is often inconsistent, she said.
Gueli offered the following strategies to drive risk management across the breadth of an organization:
- Focus on driving full alignment of risk management professionals.
- Recognize, train and set expectations of risk management responsibilities for all leaders within an organization.
- Establish a company perspective on risk tolerance.
- Centralize decision making to ensure consistency.
- Drive clear linkage among all areas.
"The key is driving consistency in the language you use," Gueli said. That way, you can "clarify expectations with IT and business leaders."