At the risk of sounding controversial, we believe risk managers sometimes need to take responsibility for providing an independent risk analysis that is not based on the information supplied by management. Although rare, there may be situations where the manager approving the project or making a decision has significant conflicts of interest, or where there may be suspicion of fraud.
Risk managers need to establish risk analysis methodologies that limit reliance on management information and internal data, which may be tampered with. Risk analysis should be based on industry data, statistical information, verifiable data, reliable external providers and similar sources.
Risk managers should also use communication channels that allow presentation of an alternative point of view to management. While the goal should be working with the business and providing the necessary support to make risk-based decisions, sometimes risk managers need to play the role of a policeman.
As a result, risk managers may be required to defend their position at executive meetings, propose risk mitigation actions and even take responsibility for some of the risk mitigation. As someone who had to do it almost on a weekly basis, we can tell you it takes a lot of courage and bulletproof risk management methodologies. It’s difficult, but it’s the only way to become an equal participant in the decision making and not just an observer.
HERE IS A QUICK CHECKLIST TO TURN THIS SECTION INTO ACTIONS
☐ Discuss with senior management the need for an alternative / opposing point of view on certain business decisions
☐ Consider having veto power for risk managers on certain types of business decisions
☐ Develop risk analysis methodologies that do not heavily rely on management information
☐ Establish an independent escalation channel to raise issues if management is ignoring risks