Rising shareholder activism is driving increased expectations for governance oversight, including risk oversight. The speed and complexity of business continue to increase. Technological advances such as cloud computing, mobile devices and social media continue to take hold. Regulatory demands continue to expand. Workforce dynamics continue to evolve. All of these trends drive new risks, alter risk profiles and expose business models to disruptive change. Given the dynamic environment, each board should take a fresh look at its risk oversight agenda.
Following are 10 questions for boards to consider as they plan their 2012 risk oversight agendas:
- What are the company’s top risks, how severe is their potential impact, and how likely are they to occur? – Managing enterprise risk at a strategic level requires focus, which generally means emphasizing no more than five to 10 risks. Day-to-day risks are an ongoing operating responsibility of management.
- How often does the company refresh its assessment of the top risks? – The risk assessment process should consider changes in the business environment. A robust process for identifying and prioritizing critical enterprise risks, including emerging risks, is vital to an evergreen view of risk.
- Who owns the top risks and is accountable for results, and to whom do they report? – Once the key risks are targeted, someone or some group, function or unit must own them. Gaps and overlaps in risk ownership should be addressed.
- How effective is the company at managing its top risks? – A robust process for managing and monitoring each of the critical enterprise risks is essential to successful risk management, and risk management capabilities must be improved continuously as the business environment changes.
- Are there any organizational “blind spots” warranting attention? – Cultural issues and dysfunctional behavior can compromise the effectiveness of risk management and lead to inappropriate risk-taking or undermining of established policies and processes. For example, lack of transparency, conflicts of interest, a shoot-the-messenger or warrior culture, and unbalanced compensation structures may compromise the risk management process.
- Does the company understand the key assumptions underlying its strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions? – A company can fall so in love with its business model and strategy that it fails to recognize changing paradigms until it is too late. That’s why monitoring the continuing validity of key strategic assumptions over time as the business environment changes is smart.
- Does the company articulate its risk appetite and define risk tolerances for use in managing the business? – The risk appetite dialogue helps to bring balance to the conversation around which risks the enterprise should take, which risks it should avoid and the parameters within which it should operate going forward. The risk appetite statement is decomposed into risk tolerances to address the question, “How much variability are we willing to accept as we pursue our business objectives?” For example, risk tolerances may be expressed differently for objectives relating to earnings variability, interest rate exposure and the acquisition, development and retention of people.
- Does the company’s risk reporting provide management and the board with information they need about the top risks and how they are managed? – We continue to hear complaints from directors about risk reporting. The effectiveness of the board’s risk oversight is directly impacted by the board’s ability to obtain substantive risk information from internal sources and, when appropriate, outside sources. Is there a process for monitoring and reporting critical enterprise risks and emerging risks to the board? Are there opportunities to enhance risk reporting to make it more effective and efficient in informing directors about how these risks are managed?
- Is the company prepared to respond to extreme events? – Does the company have response plans for unlikely extreme events? Has it prioritized its high-impact, low-likelihood risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise’s response readiness?
- Does the board have the requisite skill sets to provide effective risk oversight? – To provide input to executive management regarding critical risk issues on a timely basis, directors must understand the business, industry and how the changing environment impacts the business model.
The above questions can provide a framework for taking a fresh look at the board’s risk oversight agenda for 2012. Answers to these questions may provide insight on how the company can measure the success of its risk management capabilities.
Questions for Boards
Boards of directors may want to consider the above questions in the context of the nature of the entity’s risks inherent in its operations.
How Protiviti Can Help
As the board evaluates how to organize for risk oversight, Protiviti can assist it and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We assist companies with integrating their risk assessment process with their core business processes, including strategy-setting. We help organizations improve their risk reporting to better inform the risk oversight process – a key to the success of any oversight process, regardless of how the board chooses to organize itself.
Board Perspectives: Risk Oversight (Issue 26)