Executive management is expected to take risks in the pursuit of building enterprise value. At the same time, those risks must be well managed. But can the risk management process itself contribute value? This article examines two perspectives on a value-based approach to the board’s risk oversight: strategic and proprietary.
Every chief executive officer (CEO) pursues opportunities with the objective of building enterprise value. It is what the CEO’s board expects. In the book, Built to Last: Successful Habits of Visionary
Companies, one of the principles asserted by the authors is that a company sustains itself by setting “big hairy audacious goals” that require the commitment of its personnel to work outside their comfort zone.1 The point is that just as a CEO cannot rest on the status quo, neither can he or she allow the organization to do so.
Within this context, what is the role of risk? Many argue that risk management should contribute value. While this assertion is easy to make, what does it really mean? From a risk oversight standpoint, what is the board’s role in ensuring a value-based approach to managing risk?
There are two ways of looking at this topic: the strategic view and the proprietary view. We discuss both below.
A strategic view – A winning strategy exploits areas a company does better than anyone else. Ambitious goals for creating value entail taking on risk. Thus, the execution of any strategy is governed by the willingness of management and the board to accept risk and the organization’s capacity to bear and manage that risk.
Often, strategic risks are “compensated” because the expected upside returns are regarded as sufficient to warrant the downside exposure. These risks represent bets management decides to make, the board approves and, hopefully, investors support.
- Recognize that strategic risks are primarily compensated risks. Don’t confuse them with uncompensated risks.
- Integrate risk assessment with strategy-setting to make the strategy more robust.
- Establish an early warning system linked to critical assumptions underlying the strategy.
To illustrate, the risks associated with initiating operations in new markets, introducing new products, undertaking large research and development projects, and even altering business models to conform to regulatory requirements are often compensated risks because they are inseparable from the decision to execute the enterprise’s chosen strategy. By contrast, uncompensated risks are generally one-sided because they offer the potential for downside with little or no upside potential. For example, over the long term, environmental, health and safety risks offer little, if any, upside to cutting corners and taking shortcuts that, in time, contribute to unacceptable exposures.
Our experience is that most people think of risk as “uncompensated.” That mindset presents a challenge when integrating risk assessments with strategy setting, particularly when prior assessments have traditionally focused on uncompensated risks (i.e., “things that can go wrong”). Risk assessments contribute value to strategy-setting when management identifies the priority risks inherent in planned strategic initiatives and is able to discuss them with the board on a timely basis. An effective process signals to directors that management understands the potential performance variability arising from committing to the strategy and can articulate that the risks are sufficiently compensated through expected returns during the planning horizon.
Effectively integrated with strategy-setting, a risk assessment invigorates opportunity-seeking behavior by increasing the confidence of management and the board in two ways. First, it provides transparency to the downside of undertaking the strategy and how much it might hurt if an expected outcome is not achieved or an extreme negative outcome were to occur. Second, it leads to a discussion regarding the capabilities within the organization to manage the risks it is taking on to within an acceptable level. This process leads to conscious decisions to accept, avoid, transfer and reduce risk, resulting in a more robust strategy.
Focusing on the risks inherent in the strategy likely will uncover execution risks that warrant close attention, as they probably deal with human resources, competitive, technological, regulatory or other uncertainties during the planning horizon. Scenario analysis may be necessary to identify the strategic assumptions that are most sensitive to unexpected or disruptive change. In addition, intelligence gathering and monitoring processes should be deployed to identify changes in external variables that may necessitate revisiting key strategic assumptions. In this way, risk management contributes value by creating an early warning system that positions the organization to capitalize on market opportunities and emerging risks before they become common knowledge in the industry. These organizations are early movers.
- Recognize that the goal is to manage healthy tension between value creation and value protection.
- Set appropriate boundaries in executing the strategy.
- View the organization through the lens of multiple lines of defense.
A proprietary view – Tension is inevitable between value creation and value protection. If tension doesn’t exist, it is likely due to dangerous groupthink. That’s why the toughest task in risk management is balancing the organization’s entrepreneurial activities and control activities so that neither one is too disproportionately strong relative to the other.
Appropriate balance consistent with the organization’s mission, strategy and values is the goal. This proprietary view transcends the strategic view because it recognizes the importance of protecting enterprise value that may have taken decades to build.
This perspective means different things to different organizations and across different industries, as there is no “one size fits all” approach. But make no mistake, this perspective also acknowledges the importance of stewardship in protecting the value the enterprise already has – whether expressed in terms of shareholder value, reputation and brand image, customer relationships, supplier relationships, financial and physical assets or in other ways – and not jeopardize that value through reckless actions and behavior.
There are several ways to achieve the desired balance. Boundaries provide a broad context for balancing the organization’s objectives and performance goals for creating enterprise value with the policies, processes and control systems deemed appropriate for preserving enterprise value. Boundaries provide a tool for managing the tension between the two by forcing dialogue, escalation and even arbitration. This is a good thing. The alternative is unbridled entrepreneurial activity that can lead to trouble – even disaster.
For risk management and internal control to function when crucial decision-making moments or changing circumstances arise, directors and executive management must be committed to making them work. Aligning governance, risk management and internal control processes toward striking the appropriate balance is fundamental to managing a strong risk culture. Rather than telling the CEO what to do or how to run the business, the board provides direction as to what not to do through a risk appetite statement, risk tolerances and limits, and a commitment to core values.
A lines-of-defense approach also facilitates the desired balance. A widely accepted view of the lines-of-defense model includes the following:
- The first line consists of business unit management and process owners who own the responsibility to manage the risks their units and processes create.
- The second line includes independent risk management and compliance functions that ensure an enterprisewide framework exists for managing risk; risk owners [see (1)] are doing their jobs in accordance with the framework; risks are measured appropriately; risk limits are adhered to; and risk reporting and escalation protocols are working as intended.
- Internal audit is the third line; it provides assurance that the first two lines are functioning effectively.
Four things are needed for a lines-of-defense model to work:
- First, the CEO and board must set the tone and provide the oversight to ensure the appropriate balance exists. To this end, executive management must act on risk information on a timely basis when it is escalated to them and involve the board in a timely manner when necessary.
- Second, the independent risk management and compliance functions must be properly positioned within the organization so they are independent of business unit operations and frontline, customer-facing business processes.
- Third, the primary owners of risk – the unit managers and process owners – must accept, and cooperate with, the oversight activities of independent risk management and compliance functions and the assurance activities of internal audit; it is a bright red flag if they don’t.
- Finally, internal audit should use the lines-of-defense framework to sharpen its value proposition in focusing assurance activities more broadly on risk management.2
Questions for Boards
The board of directors may want to consider the following questions in the context of the nature of the entity’s risks inherent in its operations:
- Is the board satisfied that the strategy is realistic and does not result in unacceptable execution risks?
- Is there a risk appetite statement outlining the organization’s accepted risks inherent in the strategy and risks to avoid in executing the strategy, as well as targeted strategic, financial and operational risk parameters? If so, are risk tolerances and limit structures used to decompose the risk appetite statement to a level that can be applied in day-today operations?
- Is the board satisfied that:
- Line-of-business leaders and customer-facing process owners are designated as the ultimate owners of risk, accept that responsibility, and are held accountable for results?
- Independent risk management, compliance management and internal audit functions have access to the board or to a committee of the board and are properly positioned to fulfill their charters and meet expectations?
How Protiviti Can Help
As the board focuses on risk oversight, Protiviti can assist it and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We assist companies with integrating their risk assessment process with their core business processes, including strategy-setting. We evaluate the company’s capabilities for managing risk, including implementation of an appropriate lines-of-defense framework. We help organizations improve their risk reporting to better inform the risk oversight process, a key to the success of any oversight process regardless of how the board chooses to organize itself.
1Built to Last: Successful Habits of Visionary Companies, by Jim Collins and Jerry I. Porras, Harper Business Essentials, Chapter 5.
2See Issue 51 of Board Perspectives: Risk Oversight, “The Five Lines of Defense – A Shareholder’s Perspective,” available at www.protiviti.com.
Board Perspectives: Risk Oversight (Issue 61)