Chief Risk Officer Andrew Potter joined BAI Communications with an important responsibility. In this article, Andrew shares his account of what drove his success. Read what it meant for Andrew to begin with the end in mind.
When I joined BAI, tasked with the responsibility of formally establishing the risk management function, I knew the key to success was beginning with the end in mind. BAI’s expertise in designing, building and operating communications technology and infrastructure in confined, complex and challenging environments makes risk management an important feature of our service delivery, as well as our operations – and lives are at stake.
I immediately voiced my intent of conducting a maturity review at the five-year mark – when risk management had moved beyond being a greenfield function. The review would analyse risk and audit performance against international standards and frameworks and the results would advance risk initiatives. This intent and the weight of the responsibility behind it would drive continuous improvement for the next five years.
A regular risk maturity review provides an impartial check-in of the risk and audit function, verifying best practice, stimulating foresight, and inspiring innovation to ensure responsibilities are met and stakeholders are engaged.
BAI’s risk and audit maturity review assessed four areas:
- risk management processes, procedures, and framework
- internal audit processes, procedures, and framework
- reporting outputs and communication with the business
- how well BAI aligns to international best practice, in particular two internationally recognised standards: the International Standards for the Professional Practice of Internal Auditing and ISO 31000 Risk management.
If I date the ‘beginning’ of the process back to when I first discussed the review with our Group CFO, the process took about a year from set-up to conclusion.
The process included a review of risk and audit documents, as well as stakeholder interviews. The analysis was conducted against criteria developed from the international standards and frameworks.
It’s important to consider these two elements in tandem. It is no good having happy stakeholders while risk management is failing across the board. Likewise, if you have perfect policies and procedures in place but nobody wants to engage with the function, then you’re not going to have much of an impact. But once you look at these two elements together, you have the picture you need of the organisation’s maturity.
The review was very qualitative, and it needed to be, as I deliberately wanted it to focus on the maturity and performance of the functions.
Identified areas of strength and improvement were supported by detailed evidence of why they are considered as such, including specific references to criteria developed from the international standards. An added layer of insight and informal benchmarking came from the independent consultants conducting the review. The commentary incorporated broader, contextual observations, based on extensive industry experience.
Resulting functional augmentation will align risk and audit’s purpose, mandate, and resourcing with ‘future state’ needs of the BAI group. This includes expanding representation across multiple international locations; involvement in strategic business decisions at the outset, not during decision-making; and expanding data analytics.
There is no one-size-fits-all approach to risk management. You must make it work for the organisation you are in. And you must have stakeholder engagement.
I have already found it useful to have this ‘impartial’ positive feedback. The risk management function has a strong relationship with stakeholders (confirmed by the review), but the report recognises our achievements and enables the team to move on improvement initiatives with greater traction.
This exercise has really helped me think about next steps and challenged me on some of the things I’ve been doing. For example, I’ve now spoken to the communication team and we’re introducing a quarterly update from me to the organisation following each audit and risk committee meeting. This is something I have been thinking about for some time and never prioritised.
When you receive that black and white feedback from the organisation that ‘this is something we would like’, it motivates you to put a plan into action. That, and steering the organisation and its people away from harm, is the best incentive to keep improving what we do.
This article is based on a whitepaper produced by the Risk Leadership Network for its members.