Risk is a fact of life. Even the best ideas, the most talented people, the best products currently available in the marketplace and the most carefully thought-through strategies do not guarantee sustainable success. Ultimately, it isn’t the strongest or the smartest companies that survive and prosper, but the organizations that successfully adapt to change.
The markets continue to punish the stocks of companies managed by executives who were outflanked by events they had no indication would occur. Yet in a McKinsey study released in May 2002 involving 200 directors representing over 500 boards, 36 percent of the directors indicated their boards did not understand the company’s major risks. Approximately 40 percent of directors indicated they could not effectively identify, safeguard and plan for risk. The study also found that nonfinancial risk receives only “anecdotal treatment” in the boardroom.
Boards and management know the price of surprise is steep and should work together on an effective plan for managing risk. Following are recommendations:
Adopt a common language
Every manager has knowledge of certain key risks, but not necessarily all risks. A systematic process is needed. That process should provide the board and senior management, as a collective group, with confidence that the organization has knowledge as to what the most significant risks are, why those risks are significant, the rationale for accepting those risks, and how the risks are managed.
Business risk includes not only external and internal risks that have financial implications, but also those risks that have strategic and operational impacts or are related to the quality and timeliness of information used for decision-making. Nonfinancial risks include risks affecting human resources, information systems, innovative processes, strategic suppliers, and brand and reputation.
A common language enables different individuals from multiple disciplines, backgrounds and perspectives to sustain an ongoing dialogue concerning the organization’s risks. Busy people simply don’t have the time to start with a clean slate every time the subject of risk arises. Without a common language, that’s exactly what they have to do.
Know the risks the organization is taking … and why
According to research published by Financial Executives International in November 2001, 65 percent of senior executives lack high confidence that their risk management processes identify and manage all potentially significant business risks. Our experience indicates that a common cause of this lack of confidence is the absence of a systematic and continuous process for engaging appropriate managers throughout the organization in identifying and prioritizing risk, enterprisewide. Deciding what to do and how to do it only comes after management becomes aware of vital risks.
We believe companies with high confidence are implementing a robust process for engaging managers and process/risk owners in identifying and prioritizing risk. These processes often deploy a common language, can be applied consistently at all levels of the enterprise, are intuitive to most people, and are flexible enough for deployment in facilitated meetings, on a website or as part of the internal audit methodology.
Technology supports the process to ensure consistent execution and to codify, organize and present information. The objective of the process is to document information about the enterprise’s risks for timely action and public disclosure.
Manage risks strategically
We also see some companies making risk an integral part of their business planning and strategic management processes. One of management’s biggest challenges is translating the knowledge gained in risk assessment into specific actionable steps in the business plan. But there is a more strategic issue. Management must thoughtfully accept and reject risk with full knowledge of why that choice is made.
Boards should ask management to articulate clearly the financial and non-financial risks that the enterprise is taking with respect to proposed investments and transactions. What makes a risk desirable or undesirable often depends on its nature and the environment in which the company operates.
For example, if a risk results in the company incurring higher costs or lower rates of return relative to its peers, the company may need to reduce or eliminate its exposure to that risk. Some risks may be “off-strategy” because they are outside the company’s core business activities or area of expertise and because other companies can assume them at a lower cost.
Boards need to become more involved in evaluating the risk profile of the organization and its operating units in an anticipatory, proactive way. They need to understand the risks their companies are taking. For example, if management only considers risk intuitively when formulating business strategy, then the board should determine that the strategy is confirmed or adjusted when risks are fully considered. Management should articulate the organization’s risk tolerance, which is the level of variation the organization is willing to accept relative to the achievement of objectives targeted by its business strategy. Management should identify the significant risks inherent in the strategy and, if necessary, align the strategy with the organization's tolerance for risk. The board should satisfy itself that management thoughtfully considers risk so that business and risk strategies are in sync with one another.
Not all risks are controllable. For example, competitor, regulatory, political and other environment risks are beyond management’s direct control. However, management can proactively manage the impact of these risks on the business rather than become captive of events.
Do we use a common language, or set of terms, to describe the various risks we face?
• Does everyone having management responsibilities use it?
• Is it effective in facilitating and sustaining an ongoing dialogue about our risks?
How do the current business realities in the external environment affect our risks?
• Is our business model effective in creating and protecting enterprise value? How do we know?
• Are we exceeding or meeting customer expectations and needs? How do we know?
• Do we have an edge on our competitors or do they have an edge on us? Are we operating better, faster and at less cost? Are we gaining or are we losing market share? How do we know?
• Are we in compliance with applicable laws and regulations? How do we know?
What are our most significant business risks?
• Are our risks written down and prioritized? Is there agreement among top management?
• Are we involved in or do we operate different businesses such that our risks should be identified separately for each business?
• Are there some overall corporate risks that are shared and common between all business units and geographic locations? Should evaluation of these risks be coordinated enterprisewide?
• Are there complex or unique risks within business units or geographies that require specialized knowledge and expertise to evaluate?
How do we rate the quality, reliability and relevance of our risk reporting?
• Internal management reporting?
• External financial reporting?
Is our risk identification and prioritization current?
• Have new facts and conditions emerged since our last assessment?
• Have we sufficiently considered all business risks and not just those of a financial nature (i.e., strategic, operating and information risks)?
• Do we regularly "re-identify" and "re-prioritize" our business risks and keep them up to date with current business and market realities?
When evaluating strategy, directors should understand management's planned actions with respect to managing and monitoring external risks outside management’s control.
Continuously improve risk management capabilities
In today’s business world, boards and management need a more formal and comprehensive process to discharge effectively their respective responsibilities. Directors cannot manage the company’s risks – that clearly is management’s job. But directors must provide oversight, and a process is needed to facilitate this oversight.
Just as a company needs a process to procure quality materials from its suppliers at a competitive cost, it needs a process to manage and reduce its risks to an acceptable level. Without such a process, risk management is ad hoc, reactive and fragmented across the enterprise. The most effective process enables directors and executives to identify the major risks that may affect corporate performance and shareholder value as well as ensure those risks are appropriately measured and managed. It should provide a systematic approach to building risk management capabilities that are repetitive, defined and managed.
There are several “business risk management process” activities that directors should expect to find in their organizations:
- Align risk management objectives with overall business strategies and performance goals. Communicate those objectives, including the level of acceptable risk approved by the board, throughout the enterprise.
- Identify and prioritize risks based on the likelihood the risks will occur and, if they do, the potential severity to the business and to various stakeholder groups.
- Source and measure the priority risks, including the cost of mitigating them versus the cost of doing nothing.
- Take an enterprisewide versus a narrower unit or functional view when selecting strategy to optimize risk and reward for the enterprise as a whole. Original thinking should be the order of the day.
- Timely designate risk owners – the individual, the group or the unit authorized to make choices and take action within established bounds to manage one or more priority risks. Grant risk owners the responsibility and authority to (a) decide and design the policies, processes, competencies, reporting, methodologies and systems that execute the selected risk strategies, and (b) ensure such capabilities are built and executed.
- Implement effective internal controls and checks and balances. Regularly evaluate both the design and operating effectiveness of such controls.
- Gather information necessary for risk owners and executive managers to track achievement of objectives, execution of strategies, and compliance with policies for managing risk.
An effective business risk management process provides greater confidence to the board and management that risks and opportunities are being systematically identified, rigorously analyzed and effectively managed on an enterprisewide basis. Appropriate risk measures, early warning systems, a continuous risk scan, a risk dashboard and other tools should be in place so that risk owners can monitor the design and operational effectiveness of risk management capabilities, including internal controls. Executive management should also monitor the activities of the owners of critical risks. Strategies and policies without “monitoring teeth” may as well be called hopes.
Implement effective oversight
While boards must be "risk-minded" as they review strategies, plans, reports, operations and compliance, they also need to determine that management has a structure in place to eliminate gaps and minimize overlaps in risk management roles, responsibilities and authorities. An organizational oversight structure defines and assigns risk management responsibilities, authorities and accountabilities to appropriate personnel. It may include a risk management executive committee (RMEC) consisting of appropriate executive and unit management. It may also include a chief risk officer and appropriate assurance units (internal audit, corporate compliance officer, etc.). The audit committee and disclosure committee also play a role in the oversight process, particularly as it relates to public reporting.
Anticipatory and proactive oversight requires a strong emphasis on up-front involvement by directors in the policy setting, risk assessment and strategy formulation phases of the risk management process. Boards enhance the quality of the oversight process by adding value to management’s assessment of the organization’s risks.
Once risks are identified and sourced, boards should assist management with evaluating the company’s options and decide how to manage the most critical risks, leading to policies clarifying responsibilities, authorities and accountabilities. For example, among other things, the board will want to determine that:
- Risks inherent in the organization’s opportunity-seeking behavior in developing new products and markets and in encouraging and rewarding growth and innovation are fully understood and managed.
- Defined boundaries and limits exclude behaviors and actions that are off-strategy and unacceptable because they create risks that exceed management’s defined risk tolerance.
- Performance measures and targets are not encouraging risky behavior.
Top performers in the rapidly changing global marketplace will be those that best understand their risks and align their risk taking with their core competencies.
Management needs help to accomplish this objective, including guidance and input from experienced directors.
Effective oversight is also reactive and interactive. The board should determine that management has in place the appropriate capabilities to execute approved strategies. Risk ownership and personal accountability must be focused sufficiently so that the appropriate risk management and control processes are designed and implemented. Risk management capabilities for the more critical risks must be more mature than those for less significant risks. Therefore, management should determine that sufficient resources are allocated to the management of these risks. An effectively functioning RMEC will increase a board’s confidence that the appropriate capabilities are in place.
The RMEC must have the information it needs to make informed decisions confidently regarding the risks the company faces and the value proposition for the enterprise as a whole in taking those risks. But what information should the board receive? Board reports should include the following:
- Summary of the top risks for the enterprise as a whole, categorized by operating unit, geographic location, product group, etc.
- Summary of the top and worst performing investments and explanations for them.
- Report of emerging issues or risks from the environment scan process or early warning system that warrant immediate attention.
- Summary of exceptions versus policies or established limits that have been encountered, including any significant breakdowns, errors, accidents, losses (as well as lost opportunities) or “close calls.”
- Special studies or targeted analysis to evaluate questions about specific events or anticipated concerns that could “stop the show.” For example, what is our Latin American or Asian exposure?
- Summary of significant findings of business process audits performed by internal audit or reviews conducted by other independent parties such as the organization’s regulators, usually reported to the audit committee.
- Summary of sensitivity and scenario analysis evaluating the impact of changes in key variables (e.g., interest rates, exchange rates, inflation, weather, competitor acts and supplier performance levels) beyond management’s control on earnings, cash flow, capital and the business plan.
- Summary status of improvement initiatives. Are planned improvement initiatives on track? If not, why not?
These are a few examples of risk management reports that serve the purpose of lengthening the board’s memory and positioning the board to hold management accountable for results and determine whether corrective action is needed.
Risk management is about accountability
Ultimately, risk management is about accountability for taking and managing risks. The stakes are high. Recent legislative and regulatory developments have pointed to a need for expanded board oversight over the fairness of reporting. Quality risk reporting and risk management provides fresh insight and “feeds” to the disclosure process.
Key Questions to Ask
- Does management involve the board early in the strategy formulation process, including when making decisions to accept or reject risk?
- Does the board understand the priority business risks and how they are addressed? Does the board periodically review risks and possible “worst case” scenarios? Are the risks documented? Is there sufficient time during board meetings to discuss them? Is the board satisfied that management has in place an effective process to continuously identify risk, measure its impact and evaluate risk mitigation capabilities?
- Is the board satisfied with its oversight of risk management? Is board reporting adequate?
- Is the company taking significant risks the board does not understand? For example, if an operating unit or product group is generating superior returns relative to competitors, is it the result of taking significantly greater risks than competitors?
- Is the board satisfied that contingency plans are in place in the event of a crisis?
- Are both a common risk language and an enterprisewide process in place to identify and prioritize risk? Are the significant uncertainties, or soft spots, inherent in the organization’s strategies for achieving its business objectives and performance goals well understood? Have you communicated these uncertainties to the board?
- Have roles, responsibilities, authorities and accountabilities with respect to risk management been clarified internally? Does an individual, group or unit (the "risk owners") own each priority risk?
- Is there an infrastructure in place to provide reliable risk management reporting? Do you have the information needed to monitor the performance of risk owners responsible for significant risks? Is there adequate assurance of the reliability of this information?
- How confident are you that all potentially significant business risks have been identified and are being managed by your organization? Do you periodically revisit your risk assessment to determine whether the risks have changed or whether there are new risks?
The Bulletin (Volume 1, Issue 7)