Given your expertise in risk management training, how do you approach developing risk appetite statements that effectively align with an organisation’s strategic goals?

The first thing to establish is whether the culture at the top of the organisation is on board with, and understands, risk management. Board effectiveness testing can usually highlight any weaknesses and make recommendations for training for individuals or the group as a whole. In any case, it would be good practice for the board to renew their risk understanding and awareness on a cyclical basis, because the world is changing fast these days. You can achieve this with regular horizon scanning or stress and scenario workshops for the board and frontline staff alike.

Setting a risk appetite statement does not happen in isolation. As we all know, risk appetite statements are born in the board room and dispatched to the rest of the business to use as a measure to help them develop controls (risk mitigations) that are both proportionate and suited to the company’s ambitions for delivery and growth.  

What I am saying here is that the same people who are responsible for formalising business strategy must also be the same people who issue the company risk appetite statement, so they must be regularly talking about and understanding internal and external risk landscapes. They will also need to turn their strategic goals into ‘objectives’ that are SMART before they can start to be specific about the risks to each. Goals are too subjective and wishy-washy in my view. Only then can they start to talk about ‘how risky’ they are willing to be with each of those objectives. Not only will you be able to call out an overarching risk appetite statement, but you will also be 75% of the way to a more granular list of risk tolerances for your business to use too.

How can companies integrate governance, risk, and compliance (GRC) to create a more proactive and resilient business strategy?

Companies can integrate a GRC framework by ensuring that all of the things recognised by the framework are embedded in the things that staff do every day (documented in process documents). They should refer to the correct business policies and standards that apply to ‘the thing they are doing’ to find controls, or create aligned controls, and embed them in staff processes. The framework will point staff to which policies and standards match which processes, provided it has been built by a suitably qualified person. It will also highlight any holes should ‘the world in which we live’ have changed.

This in itself doesn’t create any sort of business strategy. The board will create the business strategy based upon their goals for the period, turned into objectives – and there may be multiple objectives for each goal – and how much risk to take for each will be informed by the findings of the latest Risk and Controls Self-Assessment (RCSA): how effective controls were in the last period, how many risk incidents occurred in the pursuit of objectives before, horizon scanning, costs, P&L etc. They will use this information, combined with the ‘rules’ that they and others have set them (governance), to inform individual and collective decision making for the organisation.

With experience in stakeholder engagement planning, how can organisations successfully engage diverse stakeholder interests to deliver robust governance practices?

When engaging with stakeholders across any organisation to embed governance practices, it is important to ‘hilltop’ their needs first. In other words, you must put yourself in their position in order to understand how they should interpret necessary practices/rules into the things that they do every day. After all, stakeholders’ first point of interest will always be their own priorities, not those of the governance managers.

Help your stakeholders understand that they must deliver in line with governance practices in order to preserve the culture, reputation and good of their organisation as a whole, because if the business thrives, so do they. Workshops and scenario setting can be useful tools to get people on board with why robust governance practices will serve them well instead of just being something that has been imposed upon them without benefit.

What practical steps can leaders take to embed good governance practices within their organisations?

They should ensure that their governance framework does the following three things. First, make sure that the company has educated itself properly in order to capture all laws and regulations that apply to its business – the world is changing fast – and that it has adequate tools in place to monitor for compliance thereafter. Too many companies miss laws and regs because they don’t keep up to date. Second, include codes and best practice. It is important to have a set of industry conventions and principles that govern staff conduct, and to monitor compliance with them thereafter. And third, create business values and ethics – beliefs that guide and motivate staff attitudes and actions. Let staff know what is right and wrong, and develop KPIs that can be measured in staff appraisals.

With the increasing importance of environmental, social, and governance (ESG) factors, how should governance frameworks evolve to address these growing priorities?

Be proportionate and look at your business needs. Don’t try to absorb the whole kit and caboodle before you know what applies to your business. There are lots of resources to help you online, but the main considerations have got to be the Corporate Sustainability Reporting Directive (in the UK), which now demands ESG reporting in annual statements, and of course the market that you are in and stakeholders’ appetites.

Also consider your carbon footprint, values, ethics, transparency, accountability, fairness and trust. All of these can be embedded in your organisation simply by adding risk and governance categories to cover them in your GRC framework. Find out what applies to your business and create space for it in the things that you are doing already. Your GRC framework should not be rigid; it should flex with the changing world. Resist the urge to create a new and separate ESG framework because this will be duplicative and inconsistent and, in my view, totally unnecessary.

What key advice would you give to emerging governance professionals aiming to make a significant impact in their roles?

Never stop reading, learning and being engaged with changes in the world. Know who the regulators are and what industries they are talking to, watch the news, learn where to find laws and regs for the industry you are working in, and engage with peers as much as you can. There is always much to learn from people who have been doing this for a long time.


Mandy Jones has provided consultancy services to her financial services clients in the City of London, Paris and Dublin for more than 17 years. With a natural ability for project, risk and change management, and as a talented collaborator, Mandy has been integral to the success of the commercial and regulatory transformation programmes she has been part of. More recently she spent two years working with a subsidiary of the Financial Conduct Authority on their risk framework and programme management tools and processes. In her earlier career Mandy consulted with board-level executives on their business needs for platform-based products such as Sage Accounting. Drawing on a wealth of experience from insurance, retail banking and regulation, Mandy’s vision is to share the simple steps she has learnt about organising, managing and protecting an organisation, and to make these accessible to all types of businesses or organisations across all industries, no matter their size, type or budget. She has a particular interest in the public sector, and in local and central government. Mandy is committed to adding value and making a difference for her clients, including developing engaging tools and products for day-to-day staff to use in decision-making.