According to Deloitte’s Global Risk Management Survey, 62% of CEOs and 77% of board members are not “highly engaged” in addressing cyber threats. CEOs have plenty to think about aside from the intricacies of data governance, risk, and compliance. They’re charged with delivering growth and value for shareholders—which can be seen as being at cross purposes with risk management.
The figures above paint a bleak picture. Chief executives must navigate the muddy waters of both complex compliance and growth, while communicating with a board of directors. It’s no easy task. With this in mind, I outlined three priorities for CEOs to discuss with risk managers in order to properly communicate with the board.
Setting the vision
When it comes to the company’s direction, the CEO is steering the ship. It is the employees, however, who must actually take the company there. As part of overall company culture, creating a culture of risk management for the entire organization is a solid way to keep risk at the forefront of all employees’ minds. In all of their duties, employees should consider how risk management can keep the company on track strategically. The CEO needs to constantly consider emerging threats as they relate to the organization. This involves constantly monitoring blind spots, risks to reputation, and threats to strategy, business model, and operations.
Recruiting and retaining talent
One of a CEO’s most critical—but undervalued—tasks is putting the right people in the right positions. It doesn’t end there, however: he or she must also grant them the autonomy and authority to execute their duties with minimal oversight. When it comes to risk, people must be considered as part of the strategy. The CEO should ask himself: is the right CISO, CRO, or other executive in place to keep tabs on risk stature? Are they being held accountable?
All company leaders must act as examples for the entire organization. This means exemplifying an attitude of vigilance and risk management, which can trickle down to employees.
Stewarding the company’s resources
Finally, all company resources should be considered in risk management strategy: people, processes, technologies, and so on. As technology evolves, an organization’s offensive and defensive strategies need to be factored into the adoption equation. In the event of a major business disruption, is the company prepared? What kind of tools and technology should be adopted to keep the company safe?
In today’s complex risk environment, CEOs are required to anticipate and proactively mitigate risks before they emerge. It’s a tough task considering everything on their plates, but executives can start the process by first attacking risks where they have the most control and oversight. For example, a company’s brand, reputation, and culture are realms where the CEO has a great deal of influence, but under-investment can lead to catastrophic outcomes that take a long time to unwind (just ask Uber). The CEO can address these three things head-on, which can create momentum from which to draw for mitigating risks in other areas.
All in all, as regulatory environments continue to escalate in complexity, and boards take a more serious stance on risk, CEOs must be prepared to understand and proactively communicate about risk management. With the right risk manager and a continual focus on the priorities above, CEOs can set their companies up for sustained growth while keeping risk in check.