Good risk management is heavily process-dependent, and without risk-focused leadership that enables effective structure and process, security and operational risk activities may remain suboptimal. Shared Assessments developed In-Tune Tone at the Top in direct response to the increasingly disturbing financial, reputational, legal and regulatory consequences that arise, in part, from insufficient Board and C-Suite engagement in driving robust risk management program development.
“Despite the intensifying focus on the criticality of leadership to establishing and maintaining an organization’s risk culture, it is not clear that many of us think about Tone at the Top in a way that translates into organizational components we can see and understand,” notes Gary Roboff, Senior Advisor, The Santa Fe Group. Four key Tone at the Top elements have been defined as Management, Communications, Culture and Structure. ((Tone at the Top is Vital! ISACA Journal. 2009, Volume 3.))
Currently, there is a pronounced gap in evaluation structures and processes that provide specific definitions, methodologies and tools for measuring these elements. Where suggestions have been offered for measuring tone, they do not offer the prospect of repeatable, reliable and consistent outputs. ((The tone at the top: ten ways to measure effectiveness. Deloitte Forensic Center. 2011. http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-ers-tone-at-the-top-12102011.pdf)) Without such objective measures, an organization cannot evaluate the efficacy of its leadership and the effect leadership has on managing risks.
In some industries, compliance with regulatory and other standards may be the main driver and structure that leadership uses to strive for a more positive, stronger Tone at the Top in order to improve risk culture and performance. In these settings, a check-the-box routine may be established to meet the letter of the standard or guidance, without establishing risk sensitive values that are based on effective risk hygiene and ethical behavior.
This is demonstrated in the findings of the 2015 Vendor Risk Management Benchmark Study, which reveal a regulatory expectation that is not being met by most respondents. No industry, including banking, approached a score of 3.5 (“Fully Determined & Established”) in any of the eight vendor maturity categories surveyed. ((2015 Vendor Risk Management Benchmark Study: The Shared Assessments Program & Protiviti Examine the Maturity of Vendor Risk Management. Shared Assessments & Protiviti, Inc. June 2015.)) Analysis of this and other recent studies found that CIOs and CISOs polled rated their organizational tools, analytic abilities, skills and expertise as well below acceptable levels.
- More than 70% of Boards lack high levels of understanding about and high engagement with information security risks relating to enterprise activities.
- Only 29% of organizations rate management understanding of sensitive data and information as “excellent.”
- Overall maturity ratings for program governance ranked at just 2.8 on a 5.0-point scale, demonstrating the need for significant changes in organizational culture.
((The Battle Continues – Working to Bridge the Data Security Chasm. Protiviti, Inc. 2015. http://www.protiviti.com/en-US/Documents/Surveys/2015-IT-Security-Privacy-Survey-Protiviti.pdf)), ((2015 Vendor Risk Management Benchmark Study: The Shared Assessments Program & Protiviti Examine the Maturity of Vendor Risk Management. Shared Assessments & Protiviti, Inc. June 2015.))
A commitment to effective risk management demands effective engagement, communications and follow-through from the Board level down, and also from the organization itself up to the Board. Organizations without a strong leadership risk culture must identify gaps and utilize constructive tools to improve their risk management environment and meet increasing demands (both marketplace and regulatory) for effective risk management structures and processes. Indeed, new FFIEC tools are directly addressing issues regarding the capability of an organization to evaluate the maturity of its own enterprise risk management program.
In-Tune Tone at the Top is the first part of a two-part process for enabling executive management teams to reliably assess their risk cultures and top of the house risk tone. This paper is concerned with developing a measurable, repeatable approach to assessment of Tone at the Top elements and improving the risk culture at the most senior management levels of an organization, with particular sensitivity to third party risk management. The second part of this process, which Shared Assessments is undertaking in 2016, is to build a prototype tool based solely on binary indicators.
In-Tune Tone at the Top provides background on the evolution of tone in a risk management context and discusses metrics that link leadership to effective enterprise risk management. This paper also proposes attributes that can be measured to reveal the broader picture surrounding an organization’s risk culture, and suggests steps the Board and C-Suite can take to close any risk culture deltas and to respond to problematic risk cultures, if they are discovered during such an assessment. By examining the key attributes identified in the paper, it is possible to develop a structure that correlates regulatory and guideline expectations with quantifiable binary risk assessment measures, such as the presence or absence of specific topics in Board meeting minutes, the frequency of meetings and status updates to the Board on third party risk programs, etc.
The maturity of an organization’s approach may also be evaluated by examining both the structure and the degree of independence of key internal risk functions. These functions create and administer policy, procedures, compliance regimes, etc. and include both internal and external risk auditing to ensure independent, autonomous functions that identify, report and remediate risks.
Organizations that engender direct Board and C-Suite guidance for building and maintaining an effective, enterprise wide risk management culture are using drivers that improve organizational performance and therefore gain a clear competitive advantage. A Board and C-Suite that understand and believe in the strategic importance of strong risk management programs are most likely to develop a risk culture that pays material performance dividends.
You can read/download the full Tone at the Top paper here.