Starting a Journey Towards Aligned Risk Governance

And you are right — it is frustrating that various “risk and control functions” are not aligned. They tend to focus on a different aspect of the same risk and controls, identify issues from their own perspective, providing advice to the business and report their view to management without proper alignment with others. This lack of alignment may cause inefficiencies (such as overlaps, doubling of efforts, re-doing the same multiple times), but additionally allow for some blank spots, leaving the organisation vulnerable to risks that are not addressed.

You, on top of that, are the one who works directly in the business and who will need to fix the issues, trying to satisfy the various stakeholders.

Unfortunately, the requests and advice from all these parties are not always the same and could even be contradicting. It becomes even more complicated when additional parties — such as external auditors and supervisory authorities come into the picture and express their own demands. From your perspective, such a set up can be quite counterproductive, not very helpful in achieving the organisation’s objectives, nor protecting or adding much value to it. And you do have a very good point there — which is opening the question about the organisation’s risk governance.^[1]

Through a series of questions and answers, this article aims to give insights into the root causes and about possible actions that can be taken towards aligned risk governance.

1. The Differing Perspectives

Who is right and who is wrong?

It may be very tempting to point the finger to the other side of the fence: everyone feels they do their job to the best of their abilities and from each perspective the issue rests somewhere else:

• The business (including the supporting activities), referred to as the ‘first line,’^[2] may feel that the risk and compliance functions work in silos without proper alignment between each other. On top of that, due to the distance from the daily business first line may also feel that the second line does not sufficiently understand the real business and what is important to customers, which leads to continuous inquiries from their limited silo perspective. This causes inefficiencies and frustrations to the daily business operations, or the impression that risks and controls stand in the way of providing quality service to customers. Besides the increased costs, it may result in a situation where the first line becomes fatigued from dealing with risks, controls and related inquiries, and therefore reluctant to cooperate with the second- or third line parties;
• The ‘second line’ such as Risk Management and Compliance (more activities may fall in this line^[3]), may feel that the first line is not sufficiently risk-aware, performs its daily activities without properly understanding the risks involved and their impact on other parts of the organisation, doesn’t adequately consider laws and regulations, or doesn’t implement appropriate controls and evidence their effectiveness. And without that the first line may create the impression of reckless risk-takers who do not properly balance risks with rewards, which will eventually lead to bigger issues. Moreover, in larger organisations with multiple functions fulfilling second line roles, these parties may also become competitive between each other — which function deserves more attention, who has higher priority, who deserves additional budgets — which does not help with building a strong and risk-aware organisation.
• The ‘third line’ (Internal Audit) needs to remain independent to provide objective assurance regarding the organisation’s risks — so may often end up even further away from the daily business, remain distant from the second line, and may also have its own, somewhat different view on the same risks and controls. As a result, internal audit may fail to convince the organisation of their added value and not gain the strong seat in the overall organisation’s governance as they aim to have.
• The governing body of the organisation (managing board, supervisory board, or the executive board), overseeing and leading the entire organisation, including all the three lines, is ultimately accountable to the stakeholders for the organisation’s success. The board may however struggle to understand why the three lines are not cooperating, why they work so inefficiently and why they create internal tensions instead of focussing on the core business and addressing the risks that truly matter to achieving organisation’s objectives.

2. The Impact

Why does it matter for the organisation as a whole?

Each party has its own perspective,^[4] which is fully understandable because this originates from the role they have been given: run the daily business and manage its risks, or advise and challenge the business from a specific risk angle. However, if these differences remain too large and are swept under the carpet, continuing with such a disconnect within an organisation cannot work in the long term. The first, more obvious, symptoms to emerge from this disconnect are inefficiencies and frustrations between the parties in trying to address the same issue in an uncoordinated approach. A less obvious symptom, however, which may be difficult to recognise, is the inability to identify the blind spots — i.e. risks that are improperly managed because none of the parties have taken any action towards them; either because they are unaware that action is required or assume that another party has already addressed those risks. Without a proper alignment between the parties, the Three Lines approach may turn into an internal struggle that diverts the attention from matters that are truly important for the overall organisation.

Due to this disconnect, the governing body may eventually receive incomplete, differing, sometimes mixed, inconsistent or contradicting management information about the key risks that the organisation faces. Of course, some contradiction is good to trigger the right discussion at the highest levels, but it should not lead to the impression that reporting about risks cannot be trusted, or that it is too expensive due to the additional time and effort spent on gathering the right information, checking facts, or making corrections. In the worst case, it may leave important management decisions in limbo and may eventually lead to bigger issues, including the inability to properly address risks that matter to stakeholders and inability to foresee emerging critical risks. As a result, the organisation may remain unable to prevent or respond timely to risk events that put the entire organisation in danger.

What else could we expect from risk management or internal controls as such? By definition they are in place to prevent us from taking risks and growing the business, right?

Not at all — it is actually the exact opposite! Risk management and internal controls are there to help identify the important risks as part of the business and take the appropriate action at the right time, to help the organisation achieve its strategy and objectives. Each party in internal governance contributes to this from a slightly different angle and role — and understanding each other’s roles rather than undermining them will make it a more efficient and effective cooperation based on trust.

Building trust is of course a very broad question and aligned risk governance can certainly help building it. Because the governing body needs to rely on reports from all three lines, it builds mechanisms that helps ensure that these reports can indeed be trusted. This can also be referred to as aligned assurance or integrated assurance where…

• The first line is the first one to provide its own assurance (also called attestation) about achieving its objectives,
• The second line provides additional assurance on risk-related matters through support, expert advice, challenge, and monitoring,
• And the third line provides more independent and objective assurance,

…in making sure that reports can be trusted and any unexpected losses, damages or significant deviations from objectives can be reduced to a minimum.

Moreover, risk management is not only about the downside of risks — they certainly open up space for identifying opportunities and turn into an upside potential. Identifying and responding to risks timely will ultimately lead to a better product, better service, and a happier customer at the end. An organisation should therefore try to integrate risk management as a natural part of its business activities: to promote healthy and informed risk-taking, transparency and cooperation across the organisation when addressing the important risks, as well as the opportunities that they may bring. And this involves all three lines — each one operating in the role they have been assigned — but contributing to achieving the same.

By embedding risk management into daily business, closer to the product, service and customers, the organisation will not only make risk management more efficient, but also more consistent across the involved parties, and overall, more effective. After all, doing business equals taking risks — and good risk management enables doing even more business and taking increased risks if done in a conscious and informed manner, within risk appetite.

Getting there, however, requires effort — including the effort to align risk governance. In most cases a few iterations may be needed before risk management matures to the desired level so that it can directly contribute to the organisation’s value proposition, product offering and expectations of its customers and other stakeholders.

3. The Pre-Requisites

What could be done if we do recognise any of the symptoms — whether as part of the first, second or the third line? When is the right moment to take action and who should take it?

A question of good risk governance involves the entire organisation, top to bottom, and left to right, which makes this challenge even greater and more difficult to address quickly. But certainly, steps can and should be taken rather sooner than later. The question of ‘when’ is not about the specific time, however; but rather when the organisation is ready for such a step and truly wants to do something about it.

We at Protiviti have helped many various organisations to establish a well aligned risk governance. Although our experience tells us that there is no such thing as a ‘one size fits all template, ’ there are a few pre-requisites required to stir up the status quo and initiate a change in the right direction.

• The first pre-requisite is the recognition of the matter by senior management, best at board level. The ‘tone-at-the-top’ is often considered the key ingredient to initiate changes, and here it also plays a crucial role. This is because making changes to governance requires a lot of courage and self-reflection to realise that the efforts invested in the past to establishing a good organisational structure, building the risk management function, compliance function or internal audit, have not yet yielded a well-oiled and risk-aware organisation. That is fully understandable, especially if the past efforts were mainly driven ‘to comply with regulations’ or ‘satisfying expectations of the supervisor’ rather than seeing risk management as integral part of business and value creation. A well-established risk governance has so much more to offer beyond mere compliance, that it can be seen as a business case on its own — with the potential to create competitive advantages and a robust resilient organisation ready to face the future with confidence. The successes and failures with risk management from the past can help us understand where we stand today, but also to help determining the way forward — and there the board’s recognition of this case is an important ingredient to start. After all, aligning risk governance needs to fit the organisation’s strategy, objectives and culture — that is driven at the top.
• Second pre-requisite is that senior management needs to have the appetite and willingness to make changes in governance and the existing ways of working. This can sometimes mean fundamental tweaks to how governance, accountability and responsibility for managing risks are understood and what it really means for the day-to-day activities; but also for judging the overall performance and related remuneration. Rewarding merely the perceived (short-term) results without considering the risks involved in getting the results, can no longer be separated. Also, the traditional approach of ‘my kingdom —my rules’ can no longer work in the organisational silos, due to the increasingly complex internal and external environment (see Figure 2 for a simple analogy). Of course — aligning the rules between the existing domains, including the basic terminology — means giving up a bit of own autonomy; but eventually it will pay off. The concept of aligned risk governance certainly challenges the status quo, but it may also require re-visiting historical sensitivities and questioning the internal politics. Having an appetite for this, however, is a foundation for starting the journey.
• The third pre-requisite is the mandate for re-defining and aligning risk governance. The mandate should be given to someone skilled and experienced with defining and implementing risk governance, in combination with someone who knows and understands the organisation and the dynamics within. It is essential that these mandated parties can take an impartial standpoint, to start a journey that does not represent the interests of a particular group within the organisation, but understands the needs of all three lines, and can speak their language. This journey can be quite complex, as it touches upon both the high-level frameworks and methodologies, as well as the practical tasks of analysing business processes, identifying and assessing risks, implementing controls, and translating that into data and reporting. And of course, no mandate would be complete without sponsorship by the board who fully stands behind the initiative and makes sure it is aligned with the overall change agenda of the organisation and can facilitate cooperation with the relevant internal stakeholders.

4. The Building Blocks

What are the key elements of risk governance which are part of this journey?

We can break down the key elements into the following groups of ‘building blocks’ — which are well integrated with each other, like pieces of one overall puzzle that together create a complete picture. None of these building blocks exists on their own. All the building blocks:

• Have clear touchpoints, interactions and connections with each other blocks,
• Are translated into actual and practical roles and responsibilities and day-to-day activities for all three lines, each one participating and contributing as required.

Aligned risk strategy, framework and organisation include building blocks that create the basis for the aligned risk governance. These building blocks set the tone for the entire organisation that running a business on one hand and managing risks on the other, cannot be separated. Therefore, the organisation needs a common approach, language and tools how this will work for the entire organisation to support achievement of its strategy and objectives. The roles and responsibilities towards risks, controls and underlying activities are clearly defined and assigned, as the basis for the day-to-day execution of the ongoing risk cycle. Also, having a defined picture what kind of ‘risk culture’ the organisation would like to see, is an important basis for communication with all target groups throughout the journey.

Ongoing risk management cycle is what brings the aforementioned building blocks to life. These are the concepts that can be recognised from various known frameworks (such as COSO ERM, COSO Internal Control, ISO Risk Management^[5]), and which can be designed and implemented in various ways, that fit the organisation’s business. All these activities result in concrete ‘objects,’ such as the identified risks, the implemented controls, tests of their effectiveness, actions and their status, incidents that have occurred, and others. All of these objects have clearly assigned ownership to individuals, plus other attributes that make the cycle practical and ensure that accountability and responsibility do not only exist on paper, but also in practice, and can be effectively monitored on an ongoing basis; including reporting and escalation to appropriate levels of management.

Each of the three lines have their role and responsibilities defined for each of the blocks, for example for risk identification and assessments:

• First line responsible for identifying and assessing the risks relevant to their domain, following the agreed framework, methodology and templates, and reflecting all practical aspects relevant to their day-to-day activities.
• Second line supporting the first line in this process, challenging the outcomes and providing expertise on specific risk matters, making sure that the conclusions and actions identified in the risk assessments are of adequate quality, and aligned amongst involved parties.
• Third line providing assurance about the outcomes from their independent perspective.

By defining the roles and responsibilities for each building block, expectations of all lines are clear upfront and throughout the entire risk management cycle.

Common risk data and system is what binds all the aforementioned blocks together. Depending on the maturity of the organisation, its size and complexity, this may range from simple spreadsheet tooling to a sophisticated suite of integrated risk technology. Even Excel spreadsheets may suffice in simpler organisations, or at the start of the journey. The more mature ‘GRC technology’ can have all the aforementioned ‘objects’ translated to distinct data records, the roles & responsibilities implemented into concrete system roles with clearly granted authorisations, and where possible, facilitated by automated workflows. Technological innovations provide various ways to automate risk management and elevate it to a modern, data-driven and automated activity that does not burden our day-to-day jobs, but rather gives valuable (and if possible real-time) insights into risk exposures and trigger the right action by the right person at the right time. However, the organisation needs to be ready for that — implementing sophisticated GRC technology only when the organisation clearly understands the purpose and knows both what risk technology can — or cannot — bring. GRC technology should be introduced appropriate to the level of sophistication of the methodology, readiness of the users and the plans of the mid-to-longer-term journey. Too sophisticated ones will not be understood nor adopted by the users, but too simple may become a bottleneck to successfully take the next steps.

Ultimately, the actual existence of these building blocks will manifest itself in the actual Risk Culture^[6], i.e. the lived and observed values, attitudes and behaviour of people in the organisation — from top to bottom — towards managing risks. It manifests itself during social interactions, both internally and externally, in daily processes and decisions being taken. It is something that is actually observed in the day-to-day reality — by all employees, all levels of management, as well as by clients, vendors and shareholders. And not only when business is going well — but also when issues arise, during difficult situations, let alone crises when difficult choices have to be made.

Defining all these building blocks is definitely a challenge, but as stated above, engaging a party with the right skills, knowledge and experience pays off and does not need to take a very long time. There are various available frameworks and good practices available, which are tailored to the specific organisation, its structure, environment and culture — throughout all the three lines.

5. Shaping The Journey Ahead

This looks like a lot… how can we start and what kind of journey can we expect this to be?

Every journey has a starting point towards a goal, which may or may not be clearly defined. As shown in Figure 4, the starting point is the already existing practices in the organisation — and most organisations already have a good deal of elements from the aforementioned building blocks in place.

The existing practices may not always be aligned, sometimes are incomplete, or disconnected from each other, as historically they may have been developed from perspectives of the silos who developed them. However, if many of these elements are already implemented, if they are working adequately (although not yet in an ideal way) and deliver useful information for their users, these should be leveraged from as good internal practices. Therefore, the best way to start is to scan the existing state of all these building blocks in the current state and understand how they are perceived by the other involved parties. It can be sometimes surprising to find out that perspectives of the various internal parties can be miles from each other on the same topic. Answering questions such as ‘do we know our risks’, ‘which risks are key’, ‘do we prioritise addressing issues that really matter’ should help in finding this out. Understanding this overall picture provides valuable insights and helps in aligning all lines into one direction, addressing the roadblocks that stood in the way of aligned governance.

Defining the target state is the logical next step on this journey, but usually is a challenge on its own — especially if the organisation lacks the positive experience from a well-working risk governance. Until the various involved parties do understand the essence and benefits that can be expected, it may be difficult to decide on all aspects of risk management upfront or for the long term, which everyone would agree to. Therefore, an iterative approach to defining the target state can be deployed. What usually helps is using capability and maturity models or benchmark studies as inspiration, to better understand how far the target state is from the current state, and what efforts can be expected to get there — step by step. Based on that, an organisation can build a high-level alignment roadmap, which over time ensures that all lines are on board with the changes and still is going in the same direction.

Taking the first steps may be the most difficult part. As stated before, with the support from the board, senior management and an explicit mandate, first enhancements can commence to set the right direction and take care of the first deliverables. On this journey, the following approaches also have proven to be very useful and practical:

• Pilot approach, where sub-sets of first line organisational units are engaged at the beginning with second line parties to play crucial role in defining the building blocks design, and its practical implementation. Third line can provide independent view about the outcomes of the pilot, or advice on elements important from third line perspective. The pilot exercise play an important role in show-casing the successes and benefits for all three lines that can be further leveraged on.
• Appointment of “Risk Champions” — persons appointed at the various business units of the first line, who work closely with the mandated party on this journey and connecting with the second and third line via a regular dialogue. Risk Champions are representatives of the first line who understand the existing organisation, its daily business, objectives, limitations and struggles, and who can help translating them into the aligned governance and making the bridge between the building blocks and practical activities. 

Once the initial steps are taken (for example as a change project) and the organisation starts seeing the benefits it would be more willing to invest time and effort. A project may gradually dissolve, and next steps on this journey can become part of an overall continuous improvement. Adopting an agile approach on this journey — where organisation determines simpler and shorter steps on the overall roadmap — gradually implementing them across the organisation, is also a way how the journey can become part of the organisation’s continuous improvement. We have seen great progress made at our clients when applying our Agile Risk Management approach.

[1]. We use the term ‘risk governance’ to emphasise the question of accountability for managing risks and related roles and responsibilities in the organisation. It can be therefore understood as an integral part of the overall organisational (corporate) governance, and for purposes of this article can be understood as synonyms.

[2].  Following the organisation’s ‘Three Lines Model’. Also refer to “The IIA’s Three Lines Model” of the Institute of Internal Auditors (June 2020). This is an update to the widely known “Three Lines of Defence Model”. The word ‘defence’ is no longer in the title of the model nor in the names of the three lines. The role of each line in this model goes beyond protecting the organization’s value — it is now more explicitly directed also towards creating value and achieving the organization’s strategy and objectives.

[3]. In principle, the second line roles provide their support, expertise and challenge regarding management of risks. In practice, an organisation may place various functions to the second line roles, while Risk Management and Compliance are the most common ones. Other functions may include: Financial Control, Information Security, Inspection, or functions overseeing specific risks around business continuity, quality, privacy, supply chain, and others. Important is, however, that the second line does not include the ‘support activities’ (or ‘back-office’ functions, such as HR, IT, administration) who are typically considered the first line due to their role of directly contributing to enabling execution of the core business activities (products and services) and hence are responsible for managing the related risks.

[4]. See Figure 5: Differing perspectives of the Three Lines and Key Stakeholders

[5]. COSO Enterprise Risk Management — Integrated Framework 2017, COSO Internal Control — Integrated Framework 2013, ISO 31000:2018 Risk Management.

[6]. We understand ‘risk culture’ as part of the overall corporate culture, not a stand-alone component of the overall governance.