With another new year dawning, the question arises as to whether the 2013 agenda for board risk oversight is appropriately focused. Changing markets and circumstances spawn new risks, alter risk profiles and reduce the effectiveness of established risk management capabilities. The risk oversight agenda should take such changes into account.
Following are 10 questions for boards to consider as reminders as they evaluate their risk oversight agenda for the next 12 months:
- Has the company’s risk profile changed? Has management updated the assessment of the organization’s most critical enterprise risks? For example, has management provided the board a summary of such risks with an indication of the risks that have increased, decreased or remained the same since the previous assessment? Is the update consistent with the board’s view?
- Do the board’s delegations of risk oversight responsibility provide for adequate coverage of the critical risks? Are the most critical enterprise risks assigned to appropriate board committees to ensure coverage in the normal course as part of their ongoing activities? Most board committees address certain risks as they carry out their respective chartered activities. However, some risks may need to be specifically assigned to ensure oversight coverage.
- Is the board giving appropriate consideration to technology-related risks? Rapid technological innovation, such as with mobile devices, social networking and cloud computing, creates new risks in return for faster and more accessible data. These developments are causing companies to rethink how they create value for customers and are disrupting how they operate. In addition, increasing demands for privacy and information security, intellectual property, and asset protection, as well as the growing complexity of regulations, are driving the need for more investment in security to minimize the economic and reputational costs of breaches.
- Is the board satisfied that there is a process for identifying emerging risks? Are risk assessments providing directors with insights they didn’t previously have? In other words, is the company thinking about the “known unknowns” and potential “unknown unknowns” that lie in the future? Is management considering longer-term global risks that are germane to the enterprise’s strategy, business model and geographic footprint, even though the potential risks may not manifest themselves over an annual period or even a three- to five-year planning horizon?
- Does the board understand the key assumptions underlying the organization’s strategy? These assumptions are management’s “view of the world” during the strategic planning horizon (e.g., the enterprise’s capabilities, competitor capabilities, expected customer wants and expected economic trends, among other things). Have these assumptions been used to identify risk indicators to provide early warning of one or more critical strategic assumptions becoming invalid as the company executes its strategy in a changing business environment?
- Is the board satisfied with the risk reporting it receives? At minimum, risk reporting provides information about the critical enterprise risks and summarizes how those risks are managed. It is up to the board to communicate to management the additional information it needs. In addition, the board should obtain substantive risk information from external sources to supplement the information received from management.
- Is the board satisfied that the company’s risk management is sufficiently resourced? Directors should inquire as to whether appropriate policies, processes, people, reporting, tools and incentives, along with a supportive culture, are in place to mitigate key risks.
- Does the board periodically assess whether there are potential issues in the company’s culture and its incentive compensation structure? Are there any dysfunctional behaviors that could undermine the effectiveness of risk management and lead to inappropriate risk-taking or compromise established policies and processes? Lack of transparency, conflicts of interest and unbalanced compensation structures are warning signs because they may create blind spots in the organization and encourage undesirable behavior that may not be subject to effective controls.
- Is the company prepared to respond to extreme events? Does the company have response plans for unlikely extreme events? These are the events no one can predict or see coming, the so-called unknowable risks. Has the company used scenario analysis to prioritize its “high impact, low likelihood” risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise’s response readiness?
- Does the board periodically assess its risk oversight processes? This assessment should be incorporated into the board’s periodic evaluations of its overall effectiveness. One key question is whether the board has the requisite expertise to provide effective risk oversight. As the business, technology environment and industry change over time, this question takes on more importance.
These questions can provide a framework for taking a fresh look at the board’s 2013 risk oversight agenda.
Questions for Boards
The board of directors may want to consider the above questions when assessing its oversight focus within the context of the nature of the entity’s risks inherent in its operations.
How Protiviti Can Help
Protiviti assists boards and management with identifying and assessing the enterprise’s risks and implementing strategies for managing risk. We assist companies with integrating their risk assessment process with their core business processes, including strategy-setting, and with improving their risk reporting to better inform the risk oversight process.
Board Perspectives: Risk Oversight (Issue 39)