Never has there been a greater need for transparency into the nature and magnitude of risks undertaken in executing the corporate strategy. The first question the risk oversight process seeks to answer is, “What are our most critical risks?” An effective risk assessment process lays the foundation for management to respond to this question confidently as the business environment remains in a constant state of flux. Furthermore, an effective process instills confidence in the board that management has a substantive basis for answering the question.
An enterprise risk assessment (ERA) is a systematic and forward-looking analysis of the impact and likelihood of potential future events on the achievement of an organization’s business objectives within a stated time horizon.
- The process begins with the enterprise’s governing business objectives and common risk language to provide a context for understanding risk and the predetermined criteria needed to conduct an assessment of risk.
- The process considers possible future events or scenarios identified by management and displays them on a grid or map based on their impact on the achievement of key objectives and the likelihood of their occurrence.
- When assessing impact, the significance of risk to the business is rated using understandable predetermined criteria. For example, a consumer products company evaluates the severity of its risks in terms of the potential impact on achieving strategic business objectives, incorporating “stretch goals” over the next three years. A global cement producer requires each operating unit to consider the potential impact of risk on the ability to execute its business plan. Other companies consider the potential financial impact, e.g., what is the potential cost to the business in terms of reductions in earnings and cash flow? Some companies consider the potential for brand erosion or impairments to shareholder value, as well as whether there is a significant potential upside to the risks undertaken.
- When assessing likelihood, the probability that a potential future event, or two or more related events, will occur is evaluated using the information available and the best judgment of key stakeholders.
- When rating impact and likelihood, time horizon is a factor that must be clearly defined. One company might assess risk to the execution of its strategy over the next three years. Another might assess the risk over a one-year business planning horizon. To illustrate, some issues, such as a capacity shortage, can be quite severe over the short term for a manufacturing company. However, most risks, including capacity, are less of an issue over the longer term because the enterprise has more flexibility to make adjustments.
Assessment results are portrayed using flexible visualization tools such as risk or heat maps. An effective risk assessment process never ends with just a list of risks and always leads to formulation of risk responses to close the gaps it identifies.
Questions for Boards
Following are some suggested questions that boards may consider, as appropriate to the entity’s operations, as they evaluate their confidence in the organization’s enterprise risk assessment process:
- Is the board satisfied that management is periodically evaluating changes in the operating environment to identify the risks inherent in the corporate strategy? Is the board sufficiently involved in the process, particularly when such changes involve acquisition of new businesses, entry into new markets, introduction of new products or alteration of key assumptions underlying the strategy?
- Does management apprise the board in a timely manner of significant risks or significant changes in the enterprise’s risk profile? Is there a process for identifying emerging risks? Does it result in consideration of response plans on a timely basis?
- Is the board aware of the most critical risks facing the company? Does the board agree on why these risks are significant? Do directors understand the organization’s responses to these risks? Is there an enterprisewide process in place that directors can point to that answers these questions?
- Is there a periodic board-level dialogue regarding management’s appetite for risk and whether the organization’s risk profile is consistent with it? Does the strategy-setting process appropriately consider a substantive assessment of the risks the enterprise is taking on as it executes its strategy?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the enterprise’s risks, either across the entity or at various operating units, and the capabilities for managing those risks. We help organizations identify and prioritize the risks that can impair their reputation, brand image and enterprise value. Our intent is to help companies increase the robustness of their business strategy through better anticipation and management of risk in executing the strategy.
Board Perspectives: Risk Oversight (Issue 2)