Directors need to consider several categories of risk.[1] Of particular interest are the normal ongoing business management risks, emerging risks[2] and critical enterprise risks. Below, we focus on the last category, which we define as the top five to ten risks that can threaten the company’s strategy, business model or ongoing viability. These risks should be a significant focal point of the board’s risk oversight agenda.
Certain risks require directors to have sufficient information in advance to prepare them for discussions with management about the risks and how they are managed. These are the risks that threaten the company’s strategy and the viability of its business model – such as credit risk in a financial institution, supply chain risk in a manufacturer, commodity price risk in a power company, country risk for an oil exploration company, research and development risk in a pharmaceutical company, or risks that make a company an outlier among its competitors. They require full board engagement.
Paring the company’s risks down to the ones that really matter maximizes the value of the board’s input. It all starts with an appropriately designed risk assessment process based on the following principles:
- Periodically evaluate changes in the business environment to determine if they affect the critical assumptions underlying the corporate strategy (regarding such matters as technological innovation, competition, economic trends, regulation, etc.) and, when one or more assumptions are rendered invalid, ensure the corporate strategy is revisited in a timely manner.
- Consider an end-to-end view of the value chain when evaluating the most significant exposures to the effectiveness or viability of the business model in creating value for customers and delivering expected financial results. In addition to the severity of an impact and its likelihood of occurrence, consider the velocity (the speed with which an event produces its impact), the persistence of that impact over time and the resiliency of the company in responding to the event that creates the impact. Pay attention to the uncompensated risks the company faces across the value chain, e.g., the risk of significant warranty costs and/or product recalls, or environmental, health and safety exposures.
- Ensure the risk assessment process provides insight, promotes debate and adds to the collective understanding of what is really important for the business to be successful. Focus on identifying significant changes in the enterprise’s risk profile, with emphasis on identifying emerging risks and worst-case extreme events, along with appropriate response plans for such scenarios, on a timely basis.
- In a timely manner, involve the board in decisions involving acquisition of new businesses, entry into new markets, introductions of new products or significant alterations of the corporate strategy.
- Evaluate the effectiveness of risk assessments over recent years against actual experience.
To illustrate, one consumer products company filters its risks down to the vital few through a risk assessment process that considers velocity and persistence of impact in addition to significance of impact and likelihood of occurrence. Also, the assessment process focuses on upstream supply chain issues and protecting the company’s brands. The risk assessment criteria are considered by various risk subcommittees, which identify potential critical risks and provide input regarding such risks to the corporate risk management committee. Meanwhile, the operating units and corporate functions report critical risks (as well as emerging risks) to the strategic planning function. Based on their respective assessments using the inputs they receive, the corporate risk management committee and strategic planning function provide input on the critical risks to executive management which, in turn, reports “The Top Risks List” to the board. The company’s chief risk officer supports the process at all points. For example, he consolidates all potential critical risks identified by the individual risk subcommittees and submits a summary to the corporate risk management committee membership prior to the next scheduled committee meeting.
While management is responsible for addressing critical enterprise risks, the board should consider the information it needs to understand them. For example, the board might require management to report the following:
- High-level summary of the critical enterprise risks for the enterprise as a whole and its operating units and the reasons why they are critical
- Status of risk mitigation efforts with input from the executives responsible for managing the risks, including significant gaps in capabilities for managing the risks and status of initiatives to address those gaps
- The effect of changes in the environment on core assumptions underlying the company’s strategy
- Scenario analysis evaluating the effect of changes in key external variables impacting the organization
- Changes in the overall assessment of risk over time
- Reliability and value add of prior risk assessments
The above is illustrative and is not intended to be exhaustive or applicable to every organization.
Questions for Boards
Following are some suggested questions that boards of directors may consider, in the context of the risks inherent in the entity’s operations:
- Is there a process for identifying the organization’s critical enterprise risks for purposes of prioritizing the board’s risk oversight focus?
- Is the board satisfied with the reporting it receives periodically regarding critical enterprise risks?
How Protiviti Can Help
Protiviti assists directors and executive management in public and private companies with identifying and managing their key risks. We provide an experienced, unbiased perspective on issues separate from those of company insiders and an analytical assessment approach that is aligned with the unique characteristics of the risks the company faces.
[1] See Issue 16 of Board Perspectives: Risk Oversight, “Five Risk Categories for Focusing Risk Oversight,” available at www.protiviti.com.
[2] See Issue 23 of Board Perspectives: Risk Oversight, “Identifying Emerging Risks,” available at www.protiviti.com.
Board Perspectives: Risk Oversight (Issue 32)