How does the board remain engaged with its risk oversight responsibilities over time? Most observers would agree that risk oversight entails more than just looking at a risk assessment once a year. Then what else should be done?
Following are observations regarding elements of the oversight process that boards may want to consider as they continue to refine their risk oversight process and align it with the company’s strategy, operations and risks.
Keep the risk assessment evergreen – The board’s confidence increases if there is an effective process in place to inform executive management and, in turn, the board, of emerging risks. For example, one annual study classifies emerging global risks as economic, geopolitical, environmental, societal and technological.1 That framework can be supplemented by market-driven risks such as actions by competitors, changes in customer behavior, changes in the supply chain and the impact of demographics on the talent pool. As the business environment changes, these risks can have a bearing on the company’s ability to execute its business model. Therefore, the risk assessment process needs to be updated from time to time to reflect the impact of change.
Focus on critical enterprise risks – Certain risks require directors to have the necessary information that will prepare them for discussions with management about the risks and how they are managed. Risks that threaten the company’s strategy and the viability of its business model should command a high level of attention on the board’s risk oversight agenda. The criticality of these risks – such as credit risk in a financial institution, supply chain risk in a manufacturer, or R&D pipeline risk in a pharmaceutical company – requires an ongoing process to identify shifts in these risks and/or emerging critical risks. While management is responsible for addressing these risks, the board should consider its own information requirements for understanding them. For example, the board might require management to report on the impact, likelihood, velocity and persistence of the risks to key strategic goals as compared to other enterprise risks, as well as the status of risk mitigation efforts. Other examples of relevant information might include the effects of technological obsolescence and changes in the overall assessment of risk over time. Other risks – the day-to-day business management risks – can be addressed on an exception basis or through specific committee assignments.
Consider the impact of external change – The board should encourage outside-of-the-box, bigpicture thinking focused on the critical assumptions underlying the corporate strategy to assess the strategic risks and uncertainties the enterprise faces. Given the riskiness and volatility of the times, boards may want their organizations to consider allocating more time to understanding what it is they don’t know by employing assessment techniques focused on the critical assumptions underlying the corporate strategy. This may identify opportunities to further enhance and focus the board risk oversight process.
Sustain the risk appetite dialogue – Given that risk levels and uncertainty have changed significantly over recent years for most organizations, the board and management may find it beneficial to engage in a dialogue on a periodic basis regarding the organization’s risk appetite, possibly covering topics such as the maximum acceptable level of performance variability in specific operating areas, targeted financial and operating parameters, upside/downside debates on significant matters, the “hard spots” and “soft spots” in the business plan, and the desired appetite for risk given the opportunities facing the company.
Require a regular reporting discipline – Risk reporting is one of the most effective tools for sustaining constructive board engagement from a risk oversight perspective. Depending on the board’s specific needs, enhancements to risk reporting may be useful. Examples of enhancements might include: scenario analysis evaluating the effect of changes in key external variables impacting the organization, a summary of exceptions to management’s established policies or limits for key risks, and a summary of significant gaps in capabilities for managing key risks and the status of initiatives to address those gaps.
Consider escalated risk issues timely – Protocols for escalating risk-related matters to the board that are specifically tailored to the company’s operations and risks are important to the risk oversight process. For example, the board may want to consider when and under what circumstances it should be informed of exceptions and near misses to the organization’s established risk tolerances, as well as actual limits violations and policy breaches, including any planned actions to address them through policy and process improvements.
Assess effectiveness of the process – Depending on the nature of the business and its risks, the board should periodically self-evaluate its risk oversight process. The above observations illustrate how the board can remain engaged with the risk oversight process beyond reviewing the results of an annual risk assessment.
Questions for directors
Following are some suggested questions that boards of directors may consider in the context of the nature of the entity’s risks inherent in its operations:
- Is the board satisfied that the risk oversight process is focused on the most critical risks and not mired in minutiae?
- Is the board satisfied with the risk reports it receives from management, and has it considered how those reports can be improved to meet its needs?
- Does the board periodically evaluate the effectiveness of its risk oversight process to ascertain whether any enhancements are needed?
How Protiviti Can Help
Protiviti assists boards and executive management in public and private companies with assessing the enterprise’s risks and its capabilities for managing those risks. We help organizations identify and prioritize the risks that can impair their reputation and brand image, and integrate risk management with critical management activities.
1Global Risks Report 2011: An Initiative of the Risk Response Network, Sixth Edition, World Economic Forum, January 2011, available at www.weforum.org.
Board Perspectives: Risk Oversight (Issue 18)