In its latest Board Perspectives: Risk Oversight newsletter, Protiviti addresses this challenge by exploring how directors can better understand risk management as the business environment changes and morphs the risk profile along with it. To make the process a little simpler, there are five questions directors should ask when reviewing their 2014 risk oversight agenda in order to gain insight on how the company can improve risk management capabilities:
- Does our risk profile reflect the significant risks we currently face? When management reports on the company’s top risks, the reporting should highlight (a) whether the noted risks increased or decreased, (b) any new risks, and (c) whether the current summary excludes risks previously reported. In addition to addressing the severity of impact and likelihood of occurrence, it may be useful to prioritize “high-impact, low-likelihood” risks in terms of their reputational effect, velocity to impact and persistence of impact, and the enterprise’s response readiness. Such insights can pinpoint areas where the company may need response plans for unlikely, extreme events. As risk assessments can go stale rather quickly, the company should strive to keep them fresh.
- Are we continuously improving our risk management capabilities to ensure that we are managing our risks effectively in a changing business environment? One of the key risks is targeted, someone or some group, function or unit must own them. If not eliminated, gaps and overlaps in risk ownership should be minimized, so accountability for results is firmly established with the lines of business and process owners. The effectiveness of the board’s oversight of this ongoing continuous improvement of risk management capabilities is directly impacted by its ability to obtain substantive risk information from internal sources and, when appropriate, outside sources. To that end, the board should satisfy itself that (1) a robust process for managing and monitoring each of the critical enterprise risks is in place, including effective response plans in the event of a crisis; (2) risk management capabilities are improved continuously as the speed and complexity of business changes; and (3) reporting on risks and risk management performance is timely and reliable. There may be opportunities to enhance the risk reporting process to make it more effective and efficient, and the board should consider them in light of its needs.
- Are the board and executive management on the same page with respect to appetite for risk? The board should engage management in a periodic dialogue about the risks the enterprise should take, the risks it should avoid and the parameters within which it should operate. A robust risk appetite dialogue frames the following question: How do we know we are executing our business model within the parameters of our risk appetite? The only way to know for sure is to decompose the risk appetite statement into more specific risk tolerances and use them to manage performance variability around the achievement of business objectives. Separate risk tolerances may be expressed for objectives related to earnings variability; interest rate exposure; and the acquisition, development and retention of people.
- Is our risk culture encouraging the right behaviors? Even the most well-intentioned risk management process can be compromised if dysfunctional organizational behavior exists and can fester. Suppose the chief executive officer (CEO) chooses to ignore the warning signs posted by the risk management function. In that case, the reward system is focused primarily on short-term performance targets, the board is not asking the tough questions about the assumptions and risks underlying the strategy, and risk management is not positioned effectively within the organization, it is not likely risk management’s voice will be heard at the crucial moment. Suppose a highly complex organizational structure lacks transparency, tolerance for conflicts of interest and self-dealing, a shoot-the-messenger or warrior culture, and other dysfunctional behaviors. In that case, the organization is likely to miss market-driven changes in critical assumptions underlying the strategy. This can lead to inappropriate risk-taking or even failure to exit a flawed strategy promptly. A risk culture conducive to effective risk management reflects the shared values, goals, practices, reinforcement mechanisms and attitudes that embed risk into an organization’s decision-making processes and risk management into its operations. An influential risk culture encourages open communication, sharing of knowledge and best practices, continuous process improvement, and a strong commitment to ethical and responsible business behavior. More importantly, it appropriately balances entrepreneurial activities and control activities so that neither is too disproportionately strong relative to the other, meaning a healthy tension exists between the two.
- Have we integrated risk management with the appropriate management processes? The relevance of risk management increases if it is integrated with core management processes. The idea is to integrate risk management with what matters to instill in the board, CEO and executive management greater confidence that the organization will successfully achieve its objectives and execute its strategy. The nature and extent of integration vary from industry to industry and company to company and highly depend on management’s operating style. Effective integration can result in the risk management process becoming more aligned with how the business is run and managed so that it can make value-added contributions to establishing sustainable competitive advantage and improving business performance.