On Governance is a series of guest blog posts from corporate governance thought leaders. The series, which is curated by the Governance Center research team, is meant to serve as a way to spark discussion on some of the most important corporate governance issues.

When I entered the auditing profession in 1979 at Coopers & Lybrand (now PwC), everyone told me “Management is responsible for internal control.” As time went on and wave after wave of major corporate governance failures swept the world this frequently cited axiom morphed in to the much broader “Management is responsible for risk management.” The theory of management responsibility for managing risks linked to important business objectives makes total sense. Unfortunately, the reality is unsettlingly confused.  

The reality is that, in the majority of companies around the world, management is not expected to learn how to identify risks, assess risks, and report on the state of risk linked to important objectives. Business schools don’t teach it. Job descriptions for management jobs don’t require it. Compensation systems don’t mention it.  Annual/semi-annual reports on risks using “risk registers” and “risk heat maps” from risk groups, and subjective internal audit reports on “internal control effectiveness” on a fraction of the total risk universe from internal audit each year are what most boards are given. Boards rarely receive reports on the state of risk linked to top value creation/preservation objectives directly from those responsible – management.

Based on 40 years of global experience, I believe the biggest risk nobody seems to want to talk about is a raw and unsettling truth: in a very large percentage of companies, management personnel lack the necessary skills and/or motivation to competently self-assess and report on the true state of risk linked to the company’s most important value creation and preservation objectives. By extension, this fact suggests that in high rate of change environments where “intuitive/experiential” risk management practised by all managers is no longer up to the task, management is not well equipped to fulfill their responsibility to manage risk.

 A key question has to be if a lack of management skill and motivation to periodically self-assess the state of risk to top objectives is a huge risk to better risk governance why haven’t CAEs and CROs been reporting this and why are regulators globally OK with it?

A visual of the popular “three lines of defense” risk governance model is shown below. This obsolete model has been popularized by the Institute of Internal Auditors (IIA) over the past decade and adopted by regulators all over the world. Simply stated, the 3LoD model claims management (the 1^st line) is responsible for managing risk. In companies that have a risk function and/or other disparate/silo assurance groups (the 2nd line), they are expected to report on how well management is doing managing risk. Internal Audit (the 3rd line) is expected to report on how well the 1st line and the 2nd line are doing discharging their responsibilities.

As amazing as it sounds, the majority of risk groups and internal audit functions around the world have not reported serious concerns to boards that management staff are not expected to learn how to formally assess and report on the state of risk linked to top value creation and preservation objectives themselves; and they are not expected to actually demonstrate via regular risk self-assessments they are aware of and managing the true state of risk/certainty linked to even the most important value creation and preservation objectives.

Why is this?

REASON No. 1: 3LoD is Obsolete. The 3LoD model was created by internal auditors to promote the internal audit profession. It is now obsolete. It uses “old speak accounting/auditor words” like “management controls” and “internal control measures.” The authors came from companies where management was not expected to complete reliable risk self-assessments on objectives they were responsible for, and companies that used vintage internal audit methods where internal auditors did risk-based internal control audits on a fraction of the risk universe each year and reported subjective opinions on whether internal audit thinks internal control is, or is not, effective. The good news is the IIA has announced plans to update this obsolete and dangerous framework in 2019.

REASON No. 2: Management doesn’t want to learn how or be responsible for self-assessing risks to top objectives. Risk specialists and internal auditors are just fine with that. The second reason may simply be that senior management has overtly or covertly communicated to the 2^nd line and the 3^rd line that they are unwilling to move from intuitive/experiential risk management, the kind of risk management a large percentage of managers practice every day, to more rigorous and transparent risk assessment methods that produce better, and more reliable, information for decision making.

Why 2^nd and 3^rd lines have been unwilling to challenge management’s overt or covert refusal to accept responsibility to self-assess risk is complex. One theory is that the professional bodies linked to the 2^nd and 3^rd lines, namely the disparate risk associations around the world including the Institute of Risk Management (IRM), Professional Risk Management Association (PRIMIA), Risk Management Association (RMA), Global Association of Risk Professionals (GARP) and others representing the 2^nd line; and the IIA representing the 3^rd line have largely accepted that management in most companies are unwilling to make the move from intuitive/experiential/non-transparent risk management and have built their professional guidance and standards to reflect that conclusion. A core unstated foundation for these professional associations is that although management is notionally responsible for managing risk, the 2^nd and 3^rd lines will do all or most of the formal risk assessing and reporting.

REASON No. 3: Risk registers create the illusion of effective risk management. Hundreds of thousands of organizations around the world, largely in response to demands from misguided regulators, have created and maintain “risk registers” as the foundation for their Enterprise Risk Management (ERM) frameworks. Risk registers have created the illusion that organizations and management are effectively identifying and managing risks. The focus of risk registers is, not surprisingly, on managing risks; not on managing risks that create uncertainty important objectives will be achieved – a huge difference. These dangerous risk-centric/risk register based ERM frameworks largely divorce risks from the objectives they relate; assume risks can be examined in isolation from the objectives they relate when the reality is that most objectives have ten or more significant risks that create uncertainty the objective will be achieved; don’t start by deciding which objectives are important enough to warrant the time required to move from intuitive/experiential risk management methods to more transparent and rigorous “objective-centric” risk assessment methods capable of dealing with today’s high rate of change/disruptive world; and, perhaps most importantly, don’t clearly identify a manager with responsibility to regularly assess and report upwards on risk status linked to key objectives to the board.

REASON No. 4: Every internal audit should start by requesting management’s assessment of risk – few do. The main body of knowledge used to train internal auditors assumes that management has not completed a documented risk assessment on the objective/topic internal audit is interested in. If it did, the first request every internal audit in the world would start with is “Can you please provide us with the risk assessment you have done on the objective of (fill in the blank)? Most Internal auditors don’t make this request because they know management has not taken the time and often doesn’t know how to complete a documented risk assessment on the business objective/topic linked to the audit. If an objective is important or dangerous enough to warrant an internal audit costing $25K/$50K/$100K or even more, why isn’t it important enough that management routinely complete/update its own risk self-assessment?

REASON No. 5: Regulators are OK with management not assessing and reporting on risk status to boards. Perhaps the most important reason given the very real human tendency to wait until being forced to change, is that regulators globally, even regulators in the disaster-prone financial services sector, also appear to have largely accepted that management is not willing to learn how to more rigorously and transparently assess risks to important objectives, or periodically take the time necessary to self-assess. Regulators either are oblivious to the very serious risk that management staff in many companies lack the capability/motivation to act as primary risk assessor/reporters. Or they are incredibly optimistic and are hoping that any serious failures of the intuitive/experiential approach, the dominant approach used by the 1^st line around the world today, will be discovered and reported to the board by the 2^nd line or, failing that, by the 3^rd line.

REASON No. 6: Human resistance to rigor. History tells us that many management practices in use today evolve based on “trial and error.” Few are carefully designed/engineered using a rigorous process. American car manufacturers learned this the hard way.

In the last half of the 19^th century, Japanese car-makers had learned how to make cars that were a lot more reliable and fault free than American cars. Consumers all over the world grasped this fact and bought less and less fault prone/defect laden American built cars. American car manufacturers, including GM and Chrysler, had to resort to massive government bailouts in 2008 and 2009 to survive.  What the Japanese had learned was that it was that they needed to really engage the 1^st line to ensure cars produced and sold are defect/fault free.

 At GE, Raytheon, and other manufacturers plagued with production problems and unhappy customers top management mandated “Six Sigma” be used, a more rigorous form of manufacturing process management. There are reports that hundreds of middle and senior management members resisted adopting this far more rigorous form of process management had to be fired because they refused to embrace it.

Risk management is a process that everyone practices from an early age. Some managers and C-level executives are intuitively good, even great, risk managers. Others not so much. As business environments get more complex and the rate of change and business sector disruption increases these “intuitive/experiential” risk management methods can’t keep up. To cope with high change environments more rigorous risk management methods are needed to survive and prosper over the longer term. Unfortunately, history tells us many people, including many senior management members, often resist learning and applying higher levels of management rigor unless forced to by a powerful external force.  

REASON No. 7: Boards have not demanded management provide reports on risk status linked to top objectives. Boards have the positional authority to require CEOs, CFOs, and other C-level executives provide periodic reports on the state of residual risk linked to top strategic/value creation objectives, as well as the more routine value preservation objectives. (e.g. reliable financial statements, prevention of fraud, cyber security, continuity of operations, compliance with laws capable of inflicting serious pain for non-compliance, etc.) Unfortunately, boards also appear to have largely accepted that management shouldn’t have to assess and report to Boards on the true state of residual risk linked to important value creation and preservation objectives. Companies around the world continue to proliferate 2^nd and 3^rd line assurance groups at a rapid pace hoping that these “risk silos” will compensate for the 1^st line’s lack of knowledge/motivation to more rigorously assess and report on the state of residual risk linked to top objectives they are responsible for. 

THE PATH TO BETTER RISK GOVERNANCE IS SIMPLE BUT RESISTANCE IS FIERCE

The solution is simple. A high level visual of a “strong 1^st line risk governance model” is shown above. It requires management to learn how to formally assess and report on the state of risk linked to important objectives. Then, start with low-level target risk assessment rigor to help with the transition from intuitive/experiential risk management. Risk groups should help management learn how to assess and report and regularly report on progress building a stronger 1^st line. Internal audit should quality assure the work of management and risk specialists and report to boards on how management and risk groups are doing discharging these responsibilities.  

Unfortunately, the reality appears to be that senior management in many organizations doesn’t want to accept responsibility that comes with being primary risk assessor/reporters. Boards and/or regulators can drive change and demand a “strong 1^st line risk governance model” be implemented that marries management responsibility to manage risk, with stronger management motivation and capability to manage risks of all types. 

As I approach 40 years of global experience in the risk and assurance space, it has become increasingly clear to me that the biggest risk nobody appears to want to discuss is that management, at least in a very large percentage of organizations around the world, is not trained to formally assess and report on the state of risk/certainty linked to top objectives; nor is management expected to assess and report on risk for even the most important/strategic objectives to boards. Requiring a strong 1^st line risk governance model to manage risk to top objectives will, contrary to the fears of many auditors and risk specialists, dramatically increase the contribution and value add of the 2^nd and 3^rd lines.

The theory has always been management is responsible for managing risk. More recently that theory has been expanded by regulators and, more recently, institutional investors. It is now generally accepted that boards are responsible for overseeing management’s risk management processes. It’s time theory becomes reality on both fronts.

The views presented on the Governance Center Blog are not the official views of The Conference Board or the Governance Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, or others associated with The Conference Board or the Governance Center.