The Risk Maturity Journey
Articles by: Richey May, Feb 25, 2022
A new series from the Integrated Risk Management team at Richey May Advisory
Understanding and managing risks is critical to any financial institution, yet the journey is unique to each organization. Through this series of articles, we will highlight the people, processes, and technology platforms that are significant and can enable the journey to risk management maturity.
Cultivating Risk Awareness starts with Governance
To mature your risk and compliance program and allow your framework to scale with your organization’s growth, you need appropriate buy-in and direction from the top. Developing the foundations of your governance, risk, and compliance (GRC) framework and expanding it across the enterprise requires strategic guidance that not only provides direction and tone, but also provides the assistance and tools to facilitate change and remove obstacles. This is why governance plays a critical role in your GRC journey.
Governance Model for Strategic Direction
Organizations that have taken the initiative to define a governance model are statistically more successful in navigating initiatives as a unified organization. However, organizations often fail to establish and outline the responsibilities of a governance body, and structure it ineffectively with the wrong stakeholders and decision makers. Elements of a successful governance model start with defining the hierarchy and responsibilities. Each group, committee, and oversight board needs a defined purpose behind its creation. This defined set of responsibilities guides the committee in how it communicates strategic guidance to the organization.
Who Is on a Governance Board?
How you structure your governance committee depends on the outcome the group is looking to achieve. If we take a Risk Oversight Committee as an example, a typical structure will include Business Function leaders, Risk Managers, and an Internal Audit Executive, generally as the lead of the committee. This structure allows the organization’s risk function to review the aggregated risk across the enterprise and collectively shift the organization’s focus and strategy in a unified direction to address strategic risks. The key benefit of these committees is setting up an agreed-upon cadence with all related stakeholders and decision makers, which gives the organization a unified direction to work towards. In addition, common function committees allow all business stakeholders to be aware of upcoming initiatives, helping alleviate resource- and process-related roadblocks.
Defining the Purpose of an Oversight Committee
Defining the purpose of your committee is the first step in your journey. Developing a committee charter helps define the group’s purpose, responsibilities, roles, and meeting frequency. Most organizations tend to forget that these charters are living documents, and that it is acceptable for a charter to evolve in its function over time.
Oversight Committee Functions
The function of an oversight committee can vary depending on the needs of the organization and stakeholders; however, there are 4 core elements found in most oversight committees:
- Management function – manages the establishment and direction of an enterprise-wide risk management framework across the organization, dictating the adoption of a unified framework.
- Strategy function – the committee leverages the data aggregated by processes such as enterprise risk management and defines the organization’s strategic goals to address for a defined period, typically the following quarter.
- Policy and Profile function – the committee defines internal processes, such as the guidelines and policies that govern how risks are assessed and managed, including setting the appropriate risk appetite for the organization.
- Monitoring function – the committee reviews, tracks, and interprets the aggregated data in order to shift resources, reprioritize initiatives, or respond to internal/external variables.