Corporate compliance: Communicating risk to the whole organization
Organizations need to consider how they communicate risk intelligence and assess how well that intelligence is understood companywide. They also need to determine whether employees are comfortable discussing risk or are afraid to raise difficult issues. Developing a common language around risk, one that defines risk-related terms and measures and promotes risk awareness in all activities and at all levels, is vital.
Embedding a risk-management culture in which people, regardless of level, manage risk as an intrinsic part of their jobs is imperative. Such a culture supports open communication about uncertainties, encourages employees to express concerns and maintains processes for escalating concerns to the appropriate level. Rather than being risk averse, employees need to understand the risks of any activity they undertake and manage them accordingly.
To develop a risk-aware culture, management and the board need to set the tone from the top: communicating the importance and value of risk management, aligning it with the organization's business objectives, and tracking, measuring and rewarding risk performance. Once the desired risk-aware culture has been established, the company needs to keep refining it to reflect ongoing changes in business strategy. Information needs to flow up to the board and be presented in a timely way that drives decision making. This puts the board in the driving seat: it has both the responsibility and the tools to set the strategic plan, business objectives and appetite for specific risks, and to communicate and cascade them down the organization.
Articulating the culture
If a risk framework is working well, it should be straightforward to identify compelling evidence of the progression from strategy and objective setting to the articulation and cascading of risk appetite. The evidence for the return path should be equally compelling: monitoring and reporting against appetite, and the control steps that feed back into the setting of strategy and objectives.
The key word here, in my opinion, is articulation, because risk statements need careful wording, and board-level guidance, to achieve an effective cascade of timely risk information both down and up the organization. As a result, risk managers need not only professional knowledge and skills but also a number of soft skills, such as communication techniques, an understanding of psychology and much more.
The goal is to give staff clear, relevant risk language that they can understand and apply in their daily roles. Typically, a hierarchy of risk appetite statements, measures and limits exists, starting with a high-level, enterprise-wide risk appetite statement that then cascades down to directional, specific and detailed risk appetite statements, measures and limits.
Adopting six best practices for communication
In a world of increasing financial cyber threats, what does effective communication look like? Consider these six tips for communicating risk to your organization:
- Know your business landscape: Before you report to your organization on risks, make sure you understand the entire operations landscape and the risks it could pose. Aligning risk management with business strategy fosters information sharing across the organization, creating a culture of collaboration.
- Communicate the business impact of IT risk: Businesses may understand the risks to their operations and processes, but not in terms of information security, governance and compliance. By linking IT risks to business objectives, processes and goals, management can attach a dollar figure to those risks and better understand their impact on the bottom line and on organizational growth.
- Know your organization’s risk appetite: Risk is not always bad, but assuming too much risk can be debilitating for the business overall. Know how much risk the business can tolerate and keep risk thresholds within those tolerances. Risk appetite defines the level of enterprise-wide risk that leaders are willing to take (or not take) with respect to specific actions such as acquisitions, new product development or market expansion.
- Speak the company's language: Avoid jargon and communicate in terms that map to corporate objectives and business value. Your message should be clear to all stakeholders, including employees, management, the board of directors, investors and analysts. Get the main points across concisely for maximum impact.
- Consider feedback: Listen to the board's feedback and know how to use it. Make sure you understand all feedback, and if you don't, ask for clarification.
- Be ready to back up your analysis: Be prepared to dive into the details one level at a time, and have the metrics to substantiate your report. Data visualization tools can distill hundreds of global risk factors into a single visual that managers can grasp immediately.