I was thrilled to be the first expert interviewed by Sean Costigan in Red Sift’s new podcast series, “Resilience Rising,” available on Spotify. We covered a lot of ground, looking at firms like Wells Fargo, Boeing, Theranos, and JPMorgan Chase. I had written about much of what we discussed in 2017 in an article for Risk Universe magazine called “Executives and Risk: What Your Teams Won’t Tell You.” I am reusing some of that material here, adding more recent assessments and a modest proposal.
Like practitioners in other disciplines that continue to evolve in a complex technological world, the maturity of risk managers varies widely. In recovering from the 2008 financial crisis, we’ve seen corporate managers rebrand themselves into this field or get promoted into it without necessarily understanding risk frameworks or methodologies. There is a great deal of variation in the maturity of risk programs in large firms and in where such programs are housed organizationally.
When failures occur in risk management, they are almost always directly tied to the Basel Consortium definition of the four elements of operational risk – “the risk of loss or failure” from people, from processes, from systems or from external events.
Though it is the Chief Executive Officer (CEO) we usually see testifying in front of Congressional Committees, I would argue that CEOs are often the last to know what has gone wrong in their firms. The larger the company, the greater the level of complexity. Auditors and regulators frequently have a poor understanding of technology or services that are based on new innovations. High speed trading instruments, artificial intelligence, cryptocurrencies, and cyber resilience all are rapidly evolving areas of competitive advantage, not usually subject to in depth audit and compliance protocols in their early days except as broad concept explanations. Even if a risk is elevated, it may not yet constitute a compliance issue. The forms of reporting at early stages of what might be a very risky project make it almost impossible for the CEO to ask the right questions of the team. So where is the information bottleneck?
Boards hire CEOs who have certain characteristics, according to nearly every piece of literature that describes what makes a good CEO. Experience counts, but because of privacy protections, liability issues, and complex exit agreements with former employers, recruiters for the new firm are probably not aware of issues or remediation plans that a candidate may have experienced in previous engagements. Extreme self-confidence can go a long way in the boardroom. Most C-suite executives have made their reputations with bold decisions and taking a significant amount of risk.
Most leadership books and articles also offer the same advice where delegation of responsibilities to a senior management team is concerned – even though the CEO is still held accountable for gross outcomes. The leader is both a receiver and an evaluator of information shared, rather than a do-er, or a hands-on shaper of the information. Here’s where the quandary begins: in the charged atmosphere of executive decision-making, where anywhere from five to fifteen consequential decisions get made daily, it is easier to accept the information reported than to question it, especially at the executive level. Bonuses in the form of stock or cash make it easier to turn a blind eye to risks that are not completely mitigated, or to control gaps that are reported blandly.
If we follow the bad news from the original identification of the failure, we see that, as we go up the reporting chain, the information becomes increasingly more sanitized from manager to more senior manager; and that the information flow among the three lines of defense begin to fray as well. Financial loss at the enterprise level is often the story of an executive or a manager gone wrong, concealing the true impact of a problem in order to protect bonuses and jobs. Boards of directors can only ask hard questions if they get useful reports.
I’ve spent this column’s time on people risk because it seems to me to be the type we read the most about, and wonder each time why it keeps happening. Though risk officers and cybersecurity officers are fired often enough, very rarely do CEOs lose their jobs or spend time in jail. It seems time to re-examine the set of corporate policies and guidelines for publicly traded companies created after the Enron scandal. Of the list of firms I referenced at the beginning of this column, only the Theranos CEO is spending time in prison. Should there be a framework for boards of directors to use to determine under what conditions they meet to determine if it is time to fire the CEO? Could the U.S. Securities & Exchange Commission create a rule that says to boards of directors, “Under the following set of conditions specified herewith, boards of directors are obliged to consider whether or not the Chief Executive Officer shall be removed and replaced.”
For more analysis of the role and qualifications of board members, see my report, “Ensuring An Ethical Lens on the Board Member Selection Process,” published in 2022 by the Board Risk Committee.
Originally Published in ASA News & Notes February 12, 2024
Annie Searle
Searle is an Associate Teaching Professor Emeritus at the University of Washington. She is founder and principal of ASA Risk Consultants, a Seattle-based advisory firm. She spent 10 years at Washington Mutual Bank, most of them as a senior executive. Annie is a member of the CISA 10 Regional Infrastructure Security Group. She was an inaugural inductee in 2011 into the Hall of Fame for the International Network of Women in Homeland Security and Emergency Management. She writes a column monthly for ASA News & Notes and is the author of several books or book chapters. She is also a member of the emeritus board of directors for the Seattle Public Library Foundation.