If the financial crisis has but a single lesson, it is this: What we don’t know can be more important than what we do know. This raises the ultimate rhetorical question: Do we know what we don’t know?
The reality of today’s environment is that management and the board can never be certain they know everything they need to know. Nonetheless, there are eight steps they can take to manage uncertainty:
- The worst kind of uncertainty is being unaware of what you don’t know: Yes, management has knowledge from internal and external sources. But do they know what they don’t know? Unlikely. Therefore, their strategic choices and the risks undertaken should provide a margin for error to reflect what they may not know.
- Placing high value on historical “hard numbers,” anecdotal evidence, polls and media reports creates false assurance: “Management by fact” is a vital technique for understanding the truth in the current environment and for separating reality from instinct. When instinct is required to make decisions, undue reliance on the past in predicting economic activity and customer behavior may result in strategic error. So challenge underlying forecasting methodologies, consider multiple views of the future to test the robustness of the business model with “what if” scenarios, and think in terms of ranges and probabilities rather than in absolutes.
- Organizational “blind spots”: Be careful with reward systems based on volume metrics (earnings growth, new business, etc.) driven by excessive leverage and risk taking, as they may result in failure to identify market trends suggesting a need for a change in strategy. Management must insist that the assumptions underlying critical financial models don’t presume that the future will be similar to the past.
- The time value of creating “first mover” options: Beware of models used to convey a level of certainty to decision makers that is inconsistent with the modeling process and real world realities. In the financial crisis, institutions that tested asset values in selected markets were able to ascertain a steep decline in housing prices. These companies got a head start of as much as 12 months in reducing their exposure. First movers to exit an obsolete strategy always end up in a better position.
- Sooner or later, something fundamental in the organization’s business will change: Whenever change occurs, a company’s risk profile is likely to be altered. For example, a preemptive competitor action to increase market share or a management initiative to acquire a new business or enter a new market typically alters the risk profile. The risk assessment process must carefully consider the actual or anticipated effects of change.
- Preparation is the key to world-class reaction: Perhaps instead of “what do we not know,” the more appropriate question is “are we better prepared for the unexpected?” Being better prepared is a function of three things: (1) a sound strategy based on realistic assumptions and taking on risks with knowledge and transparency, (2) setting aside time to think about plausible scenarios that could derail the execution of the strategy, and (3) formulating appropriate response plans. Convening a committee after the fire has started is not the way to put it out.
- Is there anything management truly fears and are those concerns out in the open? Are there periodic “black swan” workshops to think about the “unthinkable” to ensure that issues causing insomnia get aired? Because a response plan may be needed for emerging risk scenarios, this is the point where crisis management intersects with risk management.
- Rigorous deduction based on faulty assumptions: Does the board understand the assumptions underlying the strategy? Is there a business intelligence process for monitoring the environment outside of traditional planning and budgeting to ensure these assumptions remain valid, and is the board informed when they are no longer valid? More importantly, does the process drive alteration of key assumptions when it is appropriate to do so?
Questions for Boards
Following are some suggested questions that board members may consider, consistent with the entity’s operations:
- Is the board apprised in a timely manner of significant changes in the enterprise’s risk profile? Is there a process for identifying emerging risks, including plausible “black swan” events? Does the exercise result in appropriate response plans on a timely basis?
- Is the board satisfied that management is periodically evaluating changes in the operating environment to identify impacts on the risks and assumptions inherent in the corporate strategy? Are necessary changes to the strategy made in a timely manner?
- Is the board sufficiently involved in decisions involving acquisition of new businesses, entry into new markets, introductions of new products or significant alterations of the corporate strategy? Is a postmortem required to enable the board to evaluate these decisions?
- Is sufficient time given to assess the risk profile in the context of strategy-setting so the board understands the significant risks the company is assuming? Is the risk profile updated to reflect strategic course corrections?
- How often is the board surprised by the company’s performance? Is it satisfied with management’s process improvements when the company underperforms?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the enterprise’s risks and the capabilities for managing those risks. We help organizations identify and prioritize their risks, including emerging risks that can impair their reputation, brand image and enterprise value.
Board Perspectives: Risk Oversight (Issue 3)