In the prior issue, we provided insights as to the areas where the risk oversight process could be improved. These insights were based on the results of a comprehensive survey we conducted of more than 200 directors regarding the current state of board risk oversight. Sponsored by the Committee of Sponsoring Organizations (COSO), this survey provides a basis for boards to examine how they can improve their risk oversight process. In this issue, we take the additional step of listing some recommendations based on the insights from the survey.
Boards may want to consider the following recommendations in view of the nature and complexity of their organizations’ operations and risks, as well as the current state of their risk oversight processes:
- Implement a more structured process for monitoring and reporting critical enterprise risks and emerging risks to the board – While most companies do monitor and report on their risks, the survey results suggest opportunities for improvement. There are many ways to do this. For example, a company might formalize the common risk assessment methodology that is based on subjective inputs of the severity of impact of potential future events and the likelihood of those events occurring, that is, by making it a regular and more robust process with results shared with the board periodically. Another approach might be to consider the unique characteristics of different categories of risks a company faces using alternative analytical frameworks, as suggested in Issues 2 and 3 of Volume 4 of The Bulletin (available at www.protiviti.com). These analyses would feed an overarching process for developing a risk profile that merges the top risks to summarize the vital few “critical enterprise risks” for the board. These are just two of several possible approaches to take.
- Look for opportunities to enhance the risk reporting process to make it more effective and efficient and increase the regularity of reporting according to the nature of the organization’s operations and risk profile – The survey report lists nine different types of risk reports for consideration by the survey participants. Depending on the board’s specific needs, some of these reports may be useful. According to a majority of survey participants, reports that the board does not receive at least annually include: scenario analysis evaluating the effect of changes in key external variables impacting the organization; a summary of exceptions to management’s established policies or limits for key risks; and a summary of significant gaps in capabilities for managing key risks and the status of initiatives to address those gaps.
- Come to an agreement with management on the risk-related matters that need to be escalated to the board, addressing the what, when and why – Escalation protocols specifically tailored to the company’s operations and risks are important. For that reason, it is vital to the risk oversight process to determine what needs to be escalated to the board (e.g., limits violations, policy breaches, near misses, etc.), as well as when and why.
- Encourage employment of techniques that foster out-of-the-box, big-picture thinking focused on the critical assumptions underlying the corporate strategy to assess the strategic risks and uncertainties the enterprise faces – Given the riskiness and volatility of the times, organizations may want to allocate more time and resources toward understanding what it is they don’t know by employing techniques focused on the critical assumptions underlying the corporate strategy. As they do so, they will likely identify opportunities to enhance and focus the board risk oversight process further.
- At least annually, focus on whether developments in the business environment have resulted in changes in the critical assumptions and inherent risks underlying the organization’s strategy and the effect of such changes on the organization’s strategy and business model – This recommendation is related to the previous one. The survey results found that less than 15 percent of respondents noted that the board is fully satisfied with the processes for understanding and challenging assumptions and inherent risks associated with the corporate strategy and monitoring the impact of changes in the environment on the strategy and business model. Implementation of, or enhancements to, these processes may assist the board in addressing two questions fundamental to the risk oversight process – “What do we do if the critical assumptions underlying our strategy and business model are no longer valid?” and “How would we know if our assumptions were no longer valid?”
- Implement a more defined and rigorous process supporting the risk appetite dialogue between the board and management, and ensure that the results of this dialogue are driven down into the organization in an appropriate manner – Given that risk levels and uncertainty have changed significantly over recent years for most organizations, the board and management may find it beneficial to engage in a dialogue on a periodic basis regarding risk appetite, possibly covering topics such as the maximum acceptable level of performance variability in specific operating areas, targeted strategic, financial and operating parameters, upside/downside debates on significant matters, the risks and assumptions inherent in the corporate strategy, the “hard spots” and “soft spots” in the business plan, and the implications of changes in the operating environment on the core assumptions inherent in the strategy, including the desired appetite for risk. The board also may want to consider when and under what circumstances it should be informed of exceptions and near misses to the organization’s risk tolerance parameters and any planned actions to address them through policy and process improvements.
- Incorporate appropriate questions relating to risk oversight in the board’s periodic evaluation of board performance effectiveness – Depending on the nature of the business and its risks, one practical approach for self-evaluating the risk oversight process is to incorporate an assessment of it within the board’s existing periodic self-assessment process, such that the evaluation of the risk oversight process is conducted at least as often as the overall assessment of board effectiveness. If the board were to undertake this approach, we would suggest that the nature of the board’s self-assessment questions touch on appropriate components of our survey.
The above practices can be applied to most organizations, irrespective of how the board chooses to organize itself for risk oversight. For a copy of the complete survey report, go to www.protiviti.com.
Board Perspectives: Risk Oversight (Issue 15)