Risk oversight is a top-of-mind issue for boards today because of the dramatic failures associated with the financial crisis and the unanswered questions around what directors might have done to thwart it. Many believe directors in the financial services industry, for example, must do more to avoid another crisis.
Following are 10 reasons why a board's risk oversight process can fail.
- Lack of a robust process for prioritizing, managing and monitoring the enterprise's critical risks – Directors are asking many questions of management that often fall into three categories:
  - What are our inherent risks, and what risks are we planning to accept?
  - Do we have the capabilities to manage these risks?
  - To both of these questions: How do we know?
  The absence of a robust process leaves both management and the board hanging on the last question.
- Lack of understanding of, or a failure to monitor, the significant assumptions underlying the strategy – Boards should understand the critical factors that make or break the successful execution of the strategy and ensure a process is in place to monitor changes in the business or regulatory environment that could impact those factors.
- Executive management and the board are not on the same page with respect to the entity's risk appetite – Typically this means insufficient dialogue between the board and management to obtain a high-level view of how much risk the entity is willing to accept and which risks the entity should avoid.
- Failure to identify and manage emerging risks – The board must satisfy itself that management brings to bear the appropriate expertise, processes and information to identify, in a timely manner, new and complex risks to the execution of the enterprise's strategy and business model, and to manage those risks effectively.
- Insufficient time to think about the future – Does the organization have a process to consider the “unthinkable,” i.e., extreme scenarios that could occur over the time horizon covered by the corporate strategy? Has management considered how the entity would respond should any of these scenarios occur? Has considering these scenarios created awareness of the forces affecting the organization in the present that can make it captive to events in the future?
- The company practices “enterprise list management” – Generating lists of risks over time with no follow-up to understand and close gaps in risk management capabilities is not good practice. Risk management should impact the core management activities that matter – strategy setting, business planning and performance management, for starters.
- Drowning in data with little knowledge or insight – We hear many complaints from directors about risk reporting. The board needs relevant information about the enterprise's risks and how they are managed, as well as information from internal and external sources about the continued validity of the critical assumptions underlying the strategy. At some companies, fragmented technology systems frustrate efforts to keep management and the board informed in a timely way on important issues. When large systems integration projects are underway to address this problem, boards should ask whether management is deploying the right expertise to address the related risks, and should be informed as to how those risks are being managed.
- Deficiencies in the enterprise’s “tone at the top” and culture – The financial crisis provides many examples of management not setting the proper tone for managing risk. A short-term focus on making the numbers can result in disastrous consequences when warning signs posted by the risk management function are ignored. While balancing value creation and preservation, as well as emphasizing short-term and long-term objectives, are relatively straightforward concepts, they require effective leadership and discipline, which the board must ensure are in place. Otherwise, dysfunctional behavior, with the attendant consequences, can set in. The question for the board is: Will the CEO and executive management team heed the warning signs at the crucial moment?
- Lack of an effective chief risk officer – In organizations where the nature of the business and its risks indicate that a senior risk executive should be designated, either no designation has been made or the designated executive does not possess the requisite skills or is not positioned to be successful.
- The board isn’t organized effectively for risk oversight – The board may not be allocating sufficient time and resources to risk oversight. Or the board isn’t availing itself of the appropriate officers of the company to focus on identifying areas in which management needs to improve the organization’s capabilities and information for managing risk. Or there is insufficient coverage by the board of the enterprise’s risks.
Questions for Boards
Following are some suggested questions that boards of directors may consider, in the context of the risks inherent in the entity's operations:
- Has the board articulated its risk oversight objectives and evaluated the effectiveness of its risk oversight processes in achieving these objectives?
- Is the board proactively taking steps to address any gaps that may impede its risk oversight effectiveness?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the enterprise’s risks and its capabilities for managing those risks. We help organizations identify and prioritize the risks that can impair their reputation and brand image. Our intent is to help companies (1) increase the robustness of their business strategy through better anticipation and management of risk in executing the strategy, and (2) integrate risk and risk management with the core management activities that matter.
Board Perspectives: Risk Oversight (Issue 11)