Clive Martin is a Practice Leader at ICG. Before joining ICG as a Practice Leader, Clive was at EY for 17 years - 9 as a Partner operating mainly in London, New York and Zurich. He specialises in bridging between disciplines, especially strategy implementation, risk management and people behaviour.
He has run several professional services practices, had overall responsibility for large client accounts and developed new and inter-disciplinary services.
The big changes happening around us provide opportunity for a better way of clarifying responsibility.
One of the first letters to an editor I wrote was in 1990 or 1991 and it was to Paul Bawcutt who was the editor of a risk management journal called "Foresight". It was on the subject of whether risk managers should have direct responsibility for managing risk or not. There were different views around at the time and there still are today. A quarter of a century has passed and the debate over the roles of risk functions and others involved in managing risk still rages on.
Despite guidance, standards and regulations, we are not agreed. Even inside some industries with prescriptive rules around the topic and within geographic areas, differences in views and application remain.
The internet is rife with disgruntlement on generic approaches which just don’t seem to work for all people and companies, all of the time. When I talk to Chief Risk Officers, they are often frustrated by the current state and a couple have called "Emperor's New Clothes" on some of the high profile would-be solutions such as the "1.5 Line of Defence" which is getting a lot of airtime in banking. I’ve written in the past about the issues and don’t feel the need to repeat them here.
I think I might be coming to a conclusion on this topic. Certainly, 25+ years is a long time to have thought about it so maybe a conclusion is due and it is as follows:
Don’t look for generic, universally agreed, statements of responsibility for risk to adopt in your organization. If you think you’ve found one – don’t use it, blindly.
Ones which might appear at first to be “universally” accepted typically don’t stand up if you look closely enough. Even descriptions coming from regulators can be loaded with ambiguity and/or implemented inconsistently, and therefore cannot be relied upon to provide the clarity which should be useful to those organizations trying to manage risk in a structured way. History shows us that.
So what should we do, then?
Hmmn… well at the risk of sounding a bit obvious to some and inflammatory to others, I’d say it’s important for firms to devise their own descriptions. Yes, they might still have to ultimately translate back into more primitive language if regulators and others struggle to cope with something they are not used to but the most important thing is to achieve clarity that works for the firm, isn’t it?
“Double hmmn”. Let me be clear, I’m not suggesting firms should drop everything they currently have on responsibilities and start again. While that might be productive in the long run, it could be a recipe for chaos in the short term so it’s probably not a good option!
Let’s take two examples of big change happening currently where something better could emerge, though:
- Digital changes. The world is changing and the move to digital is bringing shifts to the way organizations operate and who has responsibility within them. For most, certainly beyond the short term, digital is not a standalone thing. Instead, it impacts other processes, departments and functions. Time is being, and will be, spent clarifying who is responsible and for what in the new world.
- Decentralised decision making. Decentralization of decision making through edge technology, artificial intelligence and more empowered and collaborative small businesses means that thought will be given as to how these decisions should be made and who (and increasingly “what”) will make those decisions.
These two examples will be happening now, or in the near future, in a great many organizations around the world. That means there is now a superb opportunity to clarify responsibility for risk management in and around those decisions. Both are “new world” situations so where better to come up with a new way of clarifying responsibility and accountability than there?
How might it actually be done in those situations, though?
There are options.
Rich scenarios can be used to clarify or stress test responsibilities and accountabilities so using such an approach seems sensible. It is also a good way to help everyone become familiar with the peculiarities of the new world we are all entering into.
Inside each scenario, there will be a need to describe the actions and responsibilities of individuals and/or functions, and this presents a risk of slipping into old habits. Instead, new but logically sound terminology can help. One such set of terminology can be found in the “Risk Management Formations” approach, where individuals’/functions’ responsibilities are clarified for specific situations using one or more of the Take/Help/Stop/KeepScore/Independent risk management purpose angles.
Life would be easier for everyone if we had a common and truly universally accepted set of descriptions for risk and accountability which was consistently implemented in the same way, everywhere.
However, we don’t have it and I’m not sure we should spend more than 25 years trying to find it. Instead, we could perhaps move on and, regulators and others permitting, use smart and clever ways to get real clarity on responsibilities for managing risk in our changing world.
It seems to be within our reach but we each need to grasp it for ourselves.