An effective risk assessment is fundamental to risk management and the board’s risk oversight process. Successful risk assessments help directors and executive management identify emerging risks and face the future confidently.
An enterprise risk assessment (ERA) is a systematic and forward-looking analysis of the impact and likelihood of potential future events and scenarios on the achievement of an organization’s business objectives within a stated time horizon. In many organizations, the process begins with an articulation of the governing business objectives and a common risk language to provide a context for understanding risk and the predetermined criteria needed to assess risk. Often, the assessment results are displayed on a grid or map for review by decision-makers.
Uncertainty refers to any situation in which decision-makers identify all possible outcomes and assess the related possibilities, but do not know which event will occur. For directors and executives, the worst kind of uncertainty is being unaware of what they don’t know. Yes, company executives have knowledge of markets, customers and competitors from internal and external sources. But do they have an appreciation for what they don’t know? The point is, it may be prudent for the enterprise’s strategic choices and appetite for risk to provide a margin for error that takes into account the underlying uncertainty.
While the risk assessment process must be tailored to the individual needs of each organization, the hallmark of a successful risk assessment is one that helps decision-makers understand what they don’t know. To that end, we summarize 10 practices that will help management and directors maximize the value derived from the risk assessment process:
- Involve the appropriate people: Surveys we have conducted over the past five years indicate, without exception, that senior executives and operating unit and functional leaders often hold differing perspectives and viewpoints regarding risk. Therefore, it is important to involve the appropriate stakeholders — across the C-suite and vertically into the organization — in the risk assessment process to ensure relevant points of view are heard.
- Reduce the danger of groupthink: The risk assessment process should encourage an open, positive dialogue among key executives and stakeholders for identifying and evaluating opportunities and risks. Accordingly, attention should be given to reducing the risk of undue bias and groupthink. As a safeguard against executives forming opinions or reaching conclusions without having engaged in robust debate or having listened to dissenting views, management should ensure that all perspectives are heard from the right sources and considered in the process. Anything any executive truly fears should be out in the open. When talking about the future, historical “hard numbers,” anecdotal evidence, polls and media reports may offer data points but should not engender false assurances.
- Focus comprehensively on the distinctive dimensions of strategic risk: According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), there are three dimensions to strategic risk:
  - The implications from the strategy — When management works through strategic alternatives with the board in formulating strategy, decisions are made on the risk-reward trade-offs inherent in the various options. In effect, each alternative strategy has its own risk profile.
  - The possibility of strategy not aligning with an organization’s mission, vision and core values — A strategy misaligned with what the entity is trying to achieve and how it intends to conduct business can lead to reputation loss and brand erosion.
  - The risks to executing the strategy — This is the dimension many organizations consider in their risk assessment process.

  All three dimensions need to be addressed if the company expects to avoid unintended consequences that could lead to lost opportunities or an unacceptable loss of enterprise value.
- Understand the assumptions underlying the strategy: Boards and executives that are navigating the risk assessment process should consider how the organization’s strategy and risk appetite work in tandem to drive behavior across the organization in setting objectives, allocating resources and making key decisions. Are risks evaluated in the context of their impact on the organization’s strategy and operations? Is adequate consideration given to macroeconomic issues? Is there a business intelligence process for monitoring the environment outside of traditional planning and budgeting to ensure that critical assumptions remain valid? Is the board informed when assumptions are no longer valid? Are strategic assumptions stress-tested?
- Consider the impact of disruptive change: The rapid pace of change in the global business environment is risky for entities of all types. Change alters risk profiles. The unique aspect of disruptive change is that it represents a choice: On which side of the change curve does an organization want to be? With the speed of change and constant advances in technology, rapid and innovative responses to new market opportunities and emerging risks can be a major source of competitive advantage.

  Conversely, failure to stay abreast or ahead of the change curve can place an organization in a position of becoming captive to events rather than charting its own course. The risk assessment process must be dynamic enough to account for significant change (e.g., the process should monitor the business environment over time to identify risks inherent in the strategy and changes that may invalidate one or more critical assumptions underlying the strategy).
- Consider appropriate criteria to assess “high impact, low likelihood” risks: When considering extreme risk events, the operative question is: How resilient is our organization in the event one or more of these events occurs? Velocity, persistence and response readiness are useful risk criteria to consider when answering this question. What is the level of resilience of our plan in the event an alternative scenario were to develop? Is our plan robust enough or too ambitious? Do we know the level of variation of our expected performance in the short term? Is this variation acceptable?
- Understand the sources of risk: One of the most difficult tasks in risk management is translating a risk assessment into actionable steps in the business plan. Oftentimes, risk owners don’t know what to do to address significant risks based on risk assessments displayed on the traditional two-dimensional graph. For the most significant risks, it may make sense to source their root causes to better understand them so that more effective risk responses can be designed at the source. To this end, the process should be designed to identify patterns that connect potential interrelated risk events — risks that are not necessarily mutually exclusive.
- Inform the board of the results in a timely manner: The board should be informed of the risk assessment results on a timely basis to ensure that directors agree with management’s determination of the significant risks and are able to incorporate the organization’s most critical risks into the board’s risk oversight process. In addition, significant risk issues warranting attention by executive management and the board should be escalated to their attention on a timely basis. A process for identifying emerging risks should be in place to supplement the ongoing risk assessment process.
- Integrate risk considerations into decision-making: As important as the risk assessment process is, it may be just as important for decision-making processes to consider the impact of major decisions on the organization’s risk profile. If risk is understood to be the distribution of possible outcomes over a given time horizon due to changes in key underlying variables, it should be noted that major decisions either create different outcomes or alter previously considered outcomes. As a result, significant decisions should involve the board’s understanding of the organization’s appetite for risk and consider how those decisions impact the entity’s risk profile.
- Never end with just a list: Effective risk assessments always lead to the formulation of risk responses to close the gaps they identify. Therefore, following completion of a formal or informal risk assessment, management should designate the appropriate risk owners for newly identified risks so that appropriate risk responses and accountability structures can be designed for their execution. “Enterprise list management” is aimless, loses its novelty over time and can lead to trouble if risks are identified and nothing is done to address them.
The above practices can assist organizations in defining their most important risks and assessing the adequacy of the processes informing risk management and board risk oversight. An effective risk assessment process lays the foundation for executives and directors to navigate a changing business environment with confidence.
Questions for Boards
Boards of directors may want to consider the following questions in the context of the nature of the entity’s risks inherent in its operations:
- Are directors confident that they are aware of the most critical risks facing the company and management’s responses to these risks? Is the board satisfied that management is periodically evaluating changes in the business environment to identify the risks inherent in the corporate strategy? Is there a robust enterprisewide process in place that directors can point to that addresses these questions?
- Is the enterprise’s risk profile updated when strategic course corrections are considered? Does management apprise the board of significant changes in the risk profile in a timely manner? Is there a process for identifying emerging risks? Does it result in consideration of response plans on a timely basis?
- Is the board satisfied that the strategy-setting process appropriately considers a substantive assessment of the risks the enterprise is assuming as a result of the strategy selected? Is there a periodic board-level dialogue regarding management’s appetite for risk and whether the organization’s risk profile is consistent with that risk appetite?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the enterprise’s risks, either across the entity or at various operating units, and the capabilities for managing those risks. We help organizations identify and prioritize risks that can impair their reputation, brand image and enterprise value. Our intent is to help companies increase the robustness of their business strategy through better anticipation and management of risks arising from, and in executing, the strategy.
Board Perspectives: Risk Oversight, Issue 89