When discussing how to improve the value contributed by risk management, we are often asked, “Where do we start?” At the heart of this question is the desire for a simple and practical point of view that makes sense in practice.
While there is no one size that fits all, there are four foundational elements to consider. These elements are intended to be flexible in application, which is essential because risk profiles vary in complexity across industries.
- Process – Like any other worthwhile activity in a business, risk management requires a process. As with any process, there needs to be a purpose, inputs, activities and outputs. The activities of the risk management process typically include the identification, sourcing, measurement, evaluation, mitigation and monitoring of risk. The purpose of the process varies from company to company. One company may seek to reduce risk or performance variability to an acceptable level. Another may seek to prevent unwanted surprises. Still another may desire to take more risk as it pursues value creation opportunities.
- Integration – For many companies, risk management has focused on protecting the tangible assets reported on a company’s balance sheet and the related contractual rights and obligations. Traditionally, this means the placement of insurance, management of treasury risks, mitigation of environmental issues, and elimination of health and safety risks in the workplace, among other things. While this traditional role has served a useful purpose in the past and should continue to function, the question arises as to whether risk management should serve a higher and better use.
The relevance of the risk management process increases if it is integrated with core management processes. The idea is to integrate risk management with what matters to instill in the board, CEO and executive management greater confidence that the organization will be successful in achieving its objectives and executing its strategy. The nature and extent of integration varies across industries and companies, and is highly dependent on management’s operating style.
The scope of integration could include one or more of such core processes as strategy setting, business planning, performance management, capital expenditure funding, M&A, due diligence and integration, etc.
Effective integration aligns risk management with the rhythm of the business so that it can make value-added contributions to establishing sustainable competitive advantage and improving business performance.
- Culture – A well-designed risk management process can be compromised if dysfunctional organizational behavior exists. If the CEO does not pay attention to the warning signs posted by the risk management function, if the reward system is not sufficiently balanced with long-term shareholder interests, if the board is not asking tough questions about the assumptions and risks underlying the strategy, or if risk management is so mired in the minutiae of compliance that it is not focused sufficiently on strategic issues, it is unlikely that risk management will have an impact at the crucial moment when a contrarian voice is needed. A culture that is conducive to effective risk management often encourages open communication, sharing of knowledge and best practices, continuous process improvement, and a strong commitment to ethical and responsible business behavior.
- Infrastructure – Given the nature of the organization’s risk management process, the core management activities with which that process is integrated, and the strengths and weaknesses of the organization’s culture, we can now ask: Is the organization’s existing infrastructure sufficient to get the job done? By infrastructure, we mean the company’s policies, internal activities, organization, reporting and systems related to managing risk. If the answer is “yes,” then we move on. If the answer is “no,” the next question becomes: What changes are needed? Changes could include any combination of things, such as a risk management policy, more explicit dialogue around risk appetite, a risk management committee, a chief risk officer, improved risk reporting, and more reliable systems.
These elements define what executives should be looking at when evaluating the role and effectiveness of risk management within the organization, and provide a context for directors when focusing their risk oversight.
Questions for Boards
Following are some suggested questions that boards of directors may consider, in the context of the risks inherent in the entity’s operations:
- Is there a risk management process that provides a framework for managing risk companywide? Does it address risks inherent in the company’s strategy?
- Is risk management primarily focused on insurable, financial and operational risks? Does it make sense to integrate risk management with one or more core management processes, such as strategy-setting?
- Are risk management activities scattered across the company operating as separate silos? If so, would coordination across, and even consolidation of, these silos improve risk management?
- Are there cultural issues in the organization that could compromise the effectiveness of risk management?
- Is the infrastructure in place sufficient to accomplish the objectives management and the board wish to achieve with respect to risk management?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the enterprise’s risks and the capabilities for managing those risks. The firm works with companies to ascertain the most effective ways to integrate risk management within the core processes of the business. Protiviti assists with both assessing and improving enterprise risk management and with implementing strategies and tactics for reporting and managing specific financial, operational, technology and other risks.
Board Perspectives: Risk Oversight (Issue 8)