Imagine this – your Chief Risk Officer (CRO) discovers a serious breach of policy that leaves the organisation exposed to significant risks.
She reports this to her boss who then puts her under enormous pressure to ignore the breach because it would expose his involvement in actions that caused the breach.
The CRO knows that the breach and associated risks are critical and continues to press the issue with her boss. Making no progress she leaves the organisation because either –
• her boss fires her
• she suffers constructive dismissal – being forced out or
• she resigns to escape the stress and because she knows her own reputation will suffer when the breach is finally exposed.
Now the organisation is even more at risk as the only person interested in fixing the breach has gone.
Real World Examples
This is not idle speculation. We have been asked for advice by risk managers who have faced similar situations: one was even threatened with physical injury if he did not drop the issue.
When the CRO at Lehman Bros began urging some caution on major deals which the CEO was pursuing, he started excluding her from meetings and then fired her. We all know what happened to Lehman Bros!
Frank and Fearless.
This means there needs to be a safety valve of some sort to protect both the CRO and the organisation.
Safety Valve – The Board Audit and Risk Committee.
Our view is that the delegations of authority from the board to management should make it clear that even the CEO has no authority to –
• dismiss the CRO or
• redeploy or retrench the CRO without first gaining approval from the board audit and risk committee.
Also that if the CRO resigns then –
• the chair of the board audit and risk committee will conduct a thorough exit interview and
• report the results to the board audit and risk committee
In our experience there can often be potential for serious conflict of interest between the CRO conscientiously discharging their responsibilities and the interests of other individuals in the C suite.
The sort of safety valve we suggest protects your organisation and allows the CRO to deliver the frank and fearless advice required for organisational health.
Do your delegations of authority provide this sort of protection?
Would you like to strengthen the Risk Culture in your organisation? Contact us to find out how.
About the Authors
John P Dawson & Carmel McDonald are the co-owners of Dawson McDonald Consulting. They’ve been running Risk Culture Assessments since 2008 to help clients protect their organisations and build resilience. They can be reached at firstname.lastname@example.org
In 2015 they published a book, BUILD Your Business. Risk Managers will also find this helpful in communicating their message effectively.