An important contribution of risk management is to help executives and their boards make better choices during the strategy-setting process. Boards and management need an effective enterprise risk assessment (ERA) process to effectively discharge their responsibilities, especially in today’s rapidly changing environment.
In Issue 6 of Volume 2 of The Bulletin, we recommended that companies conduct periodically an ERA. Specifically, we stated that “an ERA identifies and prioritizes the organization’s risks and provides quality inputs for purposes of formulating effective risk responses, including information about the current state of capabilities around managing the priority risks.” This issue of The Bulletin focuses on the vital steps in executing an effective ERA, and why integrating these assessments with strategy-setting is important.
Why is risk assessment important?
Earlier this year, Protiviti published its Risk Barometer Survey, conducted by an independent research firm, of 76 C-level executives of Fortune 1000 companies with respect to identifying and managing risk. Available at www.protiviti.com, the survey noted that only 38 percent of Fortune 1000 executives have high confidence their organizations are identifying and managing all potentially significant risks. A majority of organizations, or 54 percent, agree there is more they can do to identify and manage the risks they face and stay ahead of the issues that arise over time. Thus, they plan to improve their risk management capabilities, including their processes around identifying and prioritizing risk.
The survey also noted that six out of 10 (60 percent) of the participating executives indicated their companies integrate responses to manage critical risks with the strategy-setting process, which is not surprising because this kind of integration is what successful companies do. However, the more significant question is whether companies are keeping their strategies and plans current, given
the pace of change. More than half of those executives surveyed, 51 percent, said that the overall level of risk their organizations face has changed significantly during the past two years. In addition, nearly half of the respondents believe their organization’s risk profile has become more risky, primarily because of management’s opportunity-seeking decisions. Notwithstanding the changing operating environment, our survey noted that only 38 percent of companies assess periodically their risks enterprisewide.
The point is clear. As management’s strategy evolves, so does the operating environment. New systems, market changes, mergers and personnel turnover all further increase the odds of a changing control environment and are sources of new business risks. A strategy-setting process which is fueled by an annual risk assessment will mitigate the potential disconnects in the operating environment and is “best practice” in today’s world. In this issue, we focus on how to achieve this goal.
What is an enterprise risk assessment?
An ERA is a systematic and forward-looking analysis of the impact and likelihood of potential future events on the achievement of an organization’s business objectives within a stated time horizon. The risk assessment process encompasses an evaluation of available data, metrics and information, as well as the application of judgment. Effective risk assessment never ends with just a list and always leads to the formulation of risk responses.
Risk assessment is dynamic when it considers management’s risk tolerance, which is the level of risk that management is willing to accept. Risk tolerance is best determined using the same unit of measure as that used to measure performance against a stated objective. Once tolerances are set, performance measures are monitored to ensure that performance is managed within prescribed boundaries. Thus, risk tolerance is used to assess risk continuously over time, and ensure that performance variability is reduced to an acceptable level.
How is risk assessment conducted?
There are many ways to identify and prioritize risks, including interviews of key stakeholders and nominal group techniques. At Protiviti, we prefer and support the use of anonymous interactive voting software used in conjunction with facilitated meetings or Web-polling to catalogue, sort and prioritize risks. The most effective risk prioritization exercises begin with the company’s business objectives firmly in mind. The process itself is more important than achieving precision because it leads management and directors to target the risks that require the most attention.
An ERA begins with a common language because busy people need one to help them surface risk issues sooner. A common language provides a context for understanding risk and the predetermined criteria needed to conduct an assessment. It promotes learning and facilitates the aggregation of issues across the enterprise. The assessment often addresses possible future events identified by management, which are plotted on a grid or map in terms of their impact on the achievement of key objectives and the likelihood of their occurrence.
When assessing impact, management should rate the significance of risk to the business using criteria they understand and accept. For example, a major consumer products company evaluates the severity of its risks in terms of the potential impact on achieving its strategic business objectives, which incorporate “stretch goals” over the next three years. A global cement producer requires each operating unit to consider the potential impact of risk on the unit’s ability to execute its business plan. Other companies consider the potential financial impact: What is the potential cost to the business in terms of reductions in capital, earnings and cash flow? Some companies consider the potential for brand erosion or explicitly remind their people also to consider whether there is a significant potential upside to risk. At Protiviti, we have found that risk maps, heat maps and other flexible visualization tools are helpful in portraying management’s assessment and in generating consensus.
When assessing likelihood, management should use its best judgment to assess the likelihood that an identified potential event, or two or more interrelated events, will occur. When rating impact and likelihood, the time horizon is a factor that must be clearly defined. One company might assess risk to the execution of its strategy over the next three years. Another might assess the risk over a one-year business-planning horizon. If the time horizon is not clearly articulated, participants in the process will have different perspectives, leading to con- fusion during the risk dialogue. To illustrate, some issues, such as a capacity shortage, can be quite severe over the short term for a manufacturing company. However, most risks, including capacity, are less of an issue over the longer term because management has more flexibility to make adjustments.
An effective ERA often uses a cascading approach, drilling down into such areas as information security or operations risk. The process often begins with the objectives defined by senior management. Business unit managers then develop risk maps based on unit priorities developed in conjunction with the unit business plan that is to be presented to executive management and the board for approval. This activity is an iterative and ongoing alignment process.
Focus on the choices affecting enterprise value
“Enterprise value” is the value placed upon an organization by its stakeholders. While value can be expressed in different ways, shareholder value is a measure of choice for executives of public companies. Just as potential future events can affect the value of tangible physical and financial assets, they also can affect the value of key intangible assets such as customer assets, employee/supplier assets, and such organizational assets as the entity’s distinctive brands, differentiating strategies, and innovative processes and systems. These intangible assets often have more impact on enterprise value than physical and financial ones. An ERA contributes more value if it addresses all sources of enterprise value. using enterprise value as a context, we can better understand how integrating risk assessment with strategy-setting can make a difference.
Based on our experience, there are four broad choices available to management in strategy-setting that impact enterprise value. These choices are discussed further below, along with the related contribution of an ERA:
- Create fresh opportunities by investing in new business activities that promise attractive returns relative to the cost of capital. Every successful business takes on risk in the pursuit of value-added opportunities. Protiviti’s Risk Barometer noted that 42 percent of executives report their organizations have become more aggressive in taking risk. These executives cite the following as motivating factors: better management, changes in future outlook, and a desire to improve performance and grow the business. When management decides to invest in new markets and products, merge with or acquire another entity, or exploit other market opportunities, inherent in these decisions are choices to take on risk. When the ERA is integrated with strategy-setting, the implications of these choices are made more transparent. Risk taking should be wise and measured, not cavalier. An ERA is relevant to strategy-setting when it provides assurance to directors and executive management that risks are taken with knowledge—knowledge of the business, knowledge of the risks and knowledge of the markets. That knowledge is a result of the organization’s persistent efforts to understand, monitor and track risk during, and as a result of, the strategy-setting process.
Management should identify the priority risks inherent in planned actions and discuss significant risks with the board. Failure to take these steps may result in management committing to activities in which there is unacceptable performance variability and/or loss exposure. The objective is to fully understand the good things that can happen, the bad things that can happen and the various scenarios in between. Effectively integrated with strategy-setting, an ERA should invigorate opportunity-seeking behavior by helping managers develop the confidence that they truly understand the risks arising from their decisions and have the capabilities at hand within the organization to manage the risks they intend to take. The result: Management and the board fully understand the downside and how much it might hurt.
- Improve performance and increase returns of existing business activities by improving policies, processes, competencies, reporting, technology and/or knowledge. A robust, comprehensive risk assessment for a given business unit may identify priority risks that expose future revenue streams and cash flows to unacceptable performance variability. A rigorous ERA enhances the quality of the business strategy and business plan as well as their execution. For example, one multinational organization, with a strong presence in more than 70 countries around the world, integrates the first two steps of its Business Risk Management Process – Identify Risk and Source Risk – with the risk assessment phase of its annual business planning process. The organization examines the risk profile in each of its group companies, and evaluates how the business environment has changed or might change in the future. To develop a comprehensive risk profile, executives analyze both internal risk factors and external market situations to determine where to focus the planning process and where the critical elements reside. This way, they obtain useful insights as to the “soft spots” in the unit’s business plan, which tells them where to dig deeper.
Once a consistent ERA process is implemented and used enterprisewide by the organization’s business and support units, comparison and aggregation across the enterprise become possible. Capital allocation becomes more meaningful. Investment choices become clearer. A robust ERA process reduces the chance of overlooking key risks and incurring unacceptable opportunity costs due to riskaverse behavior. Risk responses then can be evaluated to reduce priority risks to an acceptable level.
- Harvest existing value by withdrawing from business activities generating inadequate returns. Decisions to exit a market or geographic area, or to sell, liquidate or spin off a product group or business must be evaluated carefully. When an activity has generated (or is expected to generate) returns which do not exceed a targeted rate of return or the cost of capital, managers need to understand the “relative riskiness” of the activity relative to other units, geographies, products or markets. If performance of an activity is measured without considering the risk assumed by managers in generating the related returns, an exit decision could result in withdrawal from a business that is actually generating superior “risk-adjusted returns,” even though the gross returns, unadjusted for risk, may appear lackluster. The analysis supporting this assessment could be as crude as a risk map prepared for each business unit or as sophisticated as deploying a risk-adjusted performance measurement. An effective risk assessment will facilitate an evaluation of the alternatives, as well as an understanding of the consequences of taking action to mitigate one risk relative to the impact of taking that action on other risks.
- Consider management’s risk appetite by aligning risk taking with what the organization does best. Every organization has a risk appetite, whether it acknowledges it explicitly or not. An organization’s risk appetite, or willingness to take risk, reflects both its capacity to bear risk as well as a broader understanding of the level of risk, which it can safely and successfully manage for an extended period of time. Risk appetite is the extent to which an organization exposes its sources of enterprise value to performance variability and/or loss exposure to pursue value-creating opportunities. Risk appetite represents executive management’s “view of the world,” which drives their strategic choices, and is expressed over time through an entity’s actions or inactions. It is inherent in the organization’s strategy and in the execution of that strategy, in the form of both risks taken and risks avoided.
During the strategy-setting process, companies that are serious about risk management strive to configure their risk taking with their core competencies, or what they do best and where they excel relative to competitors. In leveraging these advantages, however, management and directors need assurance that the company is not gambling its future. An effective ERA helps to ensure the company only takes those risks it is best equipped to handle within the parameters of its risk appetite, while minimizing exposure to those areas considered “off-strategy” because of the lack of competence to manage.
Prudence and common sense are vital when evaluating risk appetite. For example, does it make sense to take all of the risk an organization is capable of undertaking without reserving capital for new investment opportunities? Is it appropriate to retain a significant risk when options for transferring that risk are available at a reasonable cost? What is the desirable relationship between the capacity to bear risk and the appetite to take risk, and should capital allocation be modified to reflect that relationship? From a strategy-setting standpoint, it is useful to have a notion of at what point the organization’s capacity for bearing risk would be encroached upon, i.e., when is the organization taking on too much risk?
For strategy-setting to be effective, it must focus on these four choices. Because the relative risks inherent in individual business activities and opportunities vary, management should insist that the strategy-setting process consider the risk equivalency of available alternatives. At Protiviti, we have found that risk assessment becomes a strategic tool when it contributes to this transparency, particularly when it is concurrent with strategy-setting as opposed to an afterthought.
Markets and key stakeholders expect companies to understand their risks and risk management capabilities. They want more transparency in reporting on the organization’s key risks and approach to risk management. But none of this is possible unless the enterprise first identifies and prioritizes its most significant risks and stays abreast of its changing risk profile over time. Deciding what to do and how to do it only comes after the vital risks are prioritized through an effective enterprise risk assessment.
Because the operating environment is constantly changing, strategy-setting is a dynamic process that never ends. The same applies to risk assessment. An entity’s goals and objectives may be further refined when an enterprise risk assessment is conducted. Integrating risk assessment with strategy-setting leads to a stronger focus on improving performance, because it forces a thoughtful dialogue, leading to a more robust business strategy and continuous improvement in the capabilities for managing critical risks.
Key Questions to Ask
Key questions for board members:
- Does management periodically assess the operating environment to identify and prioritize the company’s risks? Do the results of management’s risk assessment lead to specific impacts on the business plan and control environment?
- Does management, in a timely manner, apprise the board of significant risks or significant changes in the enterprise’s risk profile? As a director, do you know what the priority business risks facing the company are? Does the board agree on why these risks are significant? Are the organization’s responses to these risks understood?
- Is there a periodic, substantive board-level dialogue regarding management’s appetite for risk, and whether the organization’s risk profile is consistent with that risk appetite? Is the board satisfied that management’s strategy-setting process appropriately considers, in a robust manner, the risks inherent in the business strategy?
- Is the organization’s risk profile discussed periodically in the context of strategy-setting so that the board has full knowledge of the significant risks the company is assuming?
Key questions for management:
- Is there an enterprisewide process in place to identify and prioritize risk in the context of your business strategy? How confident are you that all potentially significant business risks have been identified and are being managed by your organization?
- Do you involve the board in the assessment of strategic business risks, including the decisions as to which ones to accept or to reject, before finalizing or updating your business strategy? Do you periodically revisit your risk assessment to determine whether circumstances and conditions have changed or whether there are new risks?
- Do you understand the significant uncertainties, or “soft spots,” inherent in your organization’s business objectives and performance goals? Have you communicated these uncertainties to the board?
- using the priority risks identified in the context of your business strategy, have you identified gaps in risk management capabilities that must be improved to provide reasonable assurance that the objectives driving the strategy can be achieved?
The Bulletin (Volume 2, Issue 10)