Effective risk management cannot happen in a vacuum. The risk management function can review, inform, advise, monitor, measure and even resign. In most situations, it cannot control and decide. These two functions are management’s job. It’s the focus of management that matters, as represented by the company’s policies, standards and controls in place and the discipline to apply them at the crucial moment, along with management and the board being on the same page when it comes to the enterprise’s appetite for risk. Without an effective internal environment in place to ensure adequate attention is given to protecting enterprise value, entrepreneurial behavior can run amok. By the internal environment, we mean the whole package – control environment, management’s operating style, incentive compensation structure, commitment to ethical and responsible business behavior, open and transparent reporting, clear accountability for results, and the company’s culture. These elements influence what is often referred to as the “tone at the top.”
Effective tone at the top is a prerequisite to the commitment to continuous improvement that is so essential for risk management to function effectively. A leadership failure and the organizational “blind spots” that contribute to dysfunctional behavior will almost always undermine even the strongest risk management capabilities. An organization’s culture can have a huge impact on its ability to prevent the occurrence of unacceptable risk events and to identify new and emerging risks in a changing operating environment. More importantly, organizations should pay attention to the root causes of executive management missing warning signs that something is either wrong or isn’t working, when objective parties, with the benefit of 20/20 hindsight, can easily see from a mile away that there was a problem.
Ensuring effective tone at the top is vital to the risk oversight process. Following are 10 key indicators which, collectively, provide red flags that potential issues may exist within the organization:
- Management does not involve the board in strategic issues and important policy matters in a timely manner.
- Risk is an afterthought to strategy setting and business planning, e.g., risk is not considered explicitly by management when updating the business strategy or plan, or when evaluating whether to enter new markets, introduce new products, or consummate a complex acquisition involving a different line of business.
- Risk management is an appendage to performance management, leading to a lack of focus on the potential for changes in existing risks or emergence of new risks.
- Risk management responsibility is not defined adequately or linked to the reward system or, worse, the compensation program incents unbridled risk taking.
- There is evidence of unhealthy internal competition and/or significant pressure to achieve unrealistic targets, fostering a “warrior culture” that can lead to undertaking inappropriate risks.
- There exists a “tunnel vision” line of sight on “making the numbers,” which can result in missing shifts in the business environment that affect critical strategic assumptions and give rise to emerging risks.
- “Star performers” are making a lot of money achieving an unexpectedly high level of profitability and/or returns and no one understands why.
- There is evidence of executive resistance to bad news, such as a dominant senior executive who resists contrary facts suggesting the current strategy requires adjustment to conform it to market realities.
- There are known gaps and overlaps in responsibilities for managing significant risks that are left unaddressed.
- There is tolerance for conflicts of interest in the execution of significant business activities.
“Tone at the top” is about striking an appropriate balance between creating and protecting enterprise value. For example, if management’s focus is always on the short term, i.e., the next month or quarter, the organization could end up undertaking risks that mortgage the future. While balancing value creation and preservation, as well as emphasizing short-term and long-term objectives, is a relatively straightforward concept, it requires effective leadership and discipline to pull it off.
Questions for Boards
Following are some suggested questions that boards of directors may consider, in the context of the nature of the risks inherent in the entity’s operations:
- Is the board alert for the emergence of warning signs such as undeliverable strategies, inappropriate performance pressures, unrealistic expansion plans, a myopic short-term focus, signs that there is a “fear of the boss” within the ranks, or inadequate communication regarding difficult-to-quantify risks, among other things?
- When management desires to enter into a line of business that it does not have experience in managing, and therefore may not understand the related risks, does the board exercise strong oversight?
- Is the board satisfied that the enterprise’s existing compensation arrangements do not encourage inappropriate risk-taking behavior?
- Is management satisfied that neither the entrepreneurial risk-taking activities nor the control activities are disproportionately strong relative to each other?
- Is risk explicitly considered by management when evaluating new opportunities?
- Is there an effective escalation process to ensure significant problems are recognized and addressed at the appropriate level before they start?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the enterprise’s risks, either across the entity or at various operating units, and the capabilities for managing those risks. The firm works closely with companies to ascertain the most effective ways to integrate risk management within the core processes of the business. The firm can assist with assessing the entity-level control environment, organizational structure and cultural issues that can impact the effectiveness of risk management.
Board Perspectives: Risk Oversight (Issue 9)