A decade ago, lack of risk awareness might have satisfied litigators in the aftermath of a loss event. However, today’s regulations have made board members and senior leadership teams accountable for risks, regardless of the level at which the risk materialises. Mature Risk Management programs are more than a safety net. These programs are invaluable insurance policies against the surprises your business might face and assure achievement of corporate performance objectives.
Gerry Grimstone, keynote speaker at the IIA’s recent conference in London, had a message for senior executives. “You can’t easily blame a board member for not knowing something,” Grimstone said. “But you can blame a board member for creating a culture where he doesn’t know something.” Grimstone also discussed the “tone from the top”: a need for an organisational culture where assumptions are challenged and ethical risk management practices are acclaimed, not neglected.
It’s quite simple! Lack of disclosure and an ineffective RM information and reporting system equal negligence. Boards are explicitly given a choice between either having effective risk management in practice or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud or negligence, as not knowing about a risk is no longer a defence.