Effectively integrated with strategy setting and performance management, risk management invigorates opportunity-seeking behavior by helping directors and managers develop the confidence that they understand the risks inherent in the organization’s strategy and have the capabilities in place to manage and monitor those risks. A disciplined approach to understanding the potential downside of executing the strategy and the extent to which worst-case scenarios might hurt will help the company know what to watch over time. The message is about everyone who matters being knowledgeable about the risks.
Risk management is flawed when risks are evaluated after the strategy is formulated. The end result could be strategic objectives that are unrealistic and risk management that is simply an appendage to performance management. The financial crisis provides examples of this lack of connectivity. Consequences may include a strategy the organization is unable to deliver, inability of the organization to adapt and the loss of enterprise value that took years to build.
Building connectivity is not easy. The key is to establish and maintain a flexible corporate structure that can govern in a changing business climate and ensure a balanced approach to creating and protecting enterprise value. The governance process includes both “strategy setting” and “risk assessment.” “Strategy setting” results in the articulation of strategic aspirations and defines the differentiating capabilities and infrastructure needed to execute. “Risk assessment” identifies the key risks inherent in the strategy and sustains the risk appetite dialogue.
The process of integrating strategy setting and risk assessment is an ideal point for interaction between executive management and the board of directors. Because it provides quality inputs into the establishment of key metrics and targets, it is at this point that risk management and performance management begin to intersect. The discipline of establishing key performance indicators and key risk indicators through integrating risk management with performance management is intended to improve the mix of lead indicators included in the balanced scorecard used to run the business.
For example, for certain organizations, accumulated deferred maintenance may be a lead indicator of emerging environmental or health and safety risks.
Risk tolerances should be set leveraging the same methodology used to measure performance against established targets. Once key metrics and targets are established, business plans are developed so that key activities at the enterprise, unit and functional/process levels are aligned. These plans include the appropriate risk responses to address the key risks. The message is that the strategy, inclusive of the selected risk responses, is best deployed at the level of greatest achievability and accountability.
Once integrated plans are finalized, performance is monitored against established targets and tolerances. The objective is to identify the information required to monitor execution of the strategy, which helps inform the board risk oversight process. A technology platform is typically needed to enable timely management review and corrective action when out-of-tolerance conditions or missed targets arise.
Whether a company is rapidly growing, focused on establishing sustainable competitive advantage or both, it should consider how an integrated approach and discipline to deploy strategy, coupled with managing the associated risks, will improve its probability of achieving its strategic objectives.
Questions for Boards
Following are some suggested questions that boards of directors may consider, in the context of the nature of the entity’s risks inherent in its operations:
- Are any of the following indicators present?
  - Lack of connectivity of risk management to key management processes
  - No process in place for anticipating extreme risk scenarios that could derail execution of the strategy
  - Evidence of unacceptable risk taking or unnecessary risk-averse activity
  - Poor alignment of risk responses with strategy and enterprise performance management
- Has management integrated strategic plans, risk management and performance management effectively? If not, are steps being taken to:
  - Proactively identify, source and mitigate the risks inherent in the company’s strategy?
  - Communicate and deploy the strategy, including risk responses, consistently across the enterprise?
  - Provide needed transparency into the enterprise’s operations, including the management of its key risks?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the enterprise’s risks and its capabilities for managing those risks. We help organizations identify and prioritize the risks that can impair their reputation and brand image. Our intent is twofold: Help companies (1) increase the robustness of their business strategy through better anticipation and management of risks inherent in executing the strategy, and (2) integrate risk and risk management with the core management activities that matter.
Board Perspectives: Risk Oversight (Issue 10)