Risk Intelligence: Best Practices in Risk Management and Corporate Governance

by Michael Fuchs @ 2009-04-16 Featured Article, General Interest, Governance, Risk

(This article is a precursor to Deloitte’s forthcoming 14th issue of its Risk Intelligence Whitepaper Series, which will provide a more in-depth look at how to balance risks and rewards in a volatile economy. “Risk Intelligence: Best Practices in Risk Management and Corporate Governance” was contributed to Corporate Compliance Insights by Mr. Michael Fuchs, a principal with Deloitte Consulting LLP, where he is a leader of Deloitte Consulting’s Governance and Risk Management services. Michael Fuchs can be contacted via email at mfuchs@deloitte.com.)

Risk Intelligence: Are you closer than you think?

Best Practices in Risk Management and Corporate Governance

With recent events on Wall Street and their spillover onto Main Street, the widespread call for stronger risk management in recent years may seem prescient now. In fact, a growing list of issues makes risk management more of a stay-awake issue for executives every day:

  • The growing concern and uncertainty facing the global economy.
  • The impact of the banking crisis on credit-reliant businesses.
  • The ever-growing volume and complexity of global regulations.
  • Increasing scrutiny of Board oversight of risk management.
  • The potential for negative publicity over ineffective risk management.

Given the wide array of business risks facing companies in these turbulent times, the notion of “transforming” risk management is likely to be a popular subject going forward. Rationalizing and aligning risk management activities can help bring order to disparate and overlapping activities. The result should be a more coordinated, streamlined, and economical approach to risk management.

But fulfilling the vision of what Deloitte calls “Risk Intelligence” — being effective and efficient at managing risks to both existing assets and future growth — may seem a daunting goal for many organizations. Any reticence is understandable. Melding risk management operations across a multinational enterprise sounds appealing, but who has the time, the will, and the resources?

The answer is simple: you do. In fact, it is likely that your organization has already created an effective foundation for addressing risk. Now is the time to build on those accomplishments and the substantial effort and investment already made to strengthen and formalize this risk infrastructure.

Risk Intelligence: Building on successes and lessons learned

Through the years, many companies have made major gains in governance and risk management by tackling various issues and requirements. Have these efforts been reactive? Sure. Regulators set deadlines, and you met them. New security threats required quick action to protect critical data, and you acted. The board of directors pressed for controls to reduce their exposure to liability, and you responded.

An interesting thing happened along the way. You formulated solutions that not only addressed the problem at hand, but began the process of creating a common risk infrastructure. By tackling specific governance and risk management challenges, you forged leading practices for the broader organization.

In other words, you most likely have created much more in the way of a risk management infrastructure than you realize. You have closed risk management gaps across your organization, and you have — perhaps unwittingly, but in actuality nonetheless — increased your company’s level of Risk Intelligence through these efforts. As such, you may be ready to integrate and standardize those individual risk management efforts into leading practices that will help you to achieve a higher level of Risk Intelligence.

Think of a sustainable governance and risk management program as a triangle, with risk governance at the top driven by the board. Risk infrastructure and oversight — i.e., designing, implementing, and maintaining a common risk infrastructure and establishing organization-wide consistency in risk management — are in the middle, the purview of executive management. And risk ownership is at the bottom, the responsibility of the business units and supporting functions such as finance, human resources, and IT.

Recent efforts have focused on the top and bottom of the triangle, shrinking the chasm between the two. However, there are still opportunities for improving how you leverage a common risk infrastructure and improve consistency across the enterprise. This typically means a shift in mindset, with the organization needing to avoid common pitfalls, including:

  • Taking a “check the box” approach to addressing risk.
  • Ignoring the duplication that may exist across business units and functional areas, which drives up operating costs, consumes resources, and limits the ability of leadership to view risks across the enterprise.
  • Underestimation of — or disregard for — the potential interdependencies between various risks, clouding the true exposure and impact of mitigating the risk.
  • Poorly defined and controlled risk management authority and responsibility at the various levels of the enterprise.
  • Inconsistent risk management terminology, processes, and tools, especially in multinational organizations.

By improving in these areas, the “hole in the middle” of the governance and risk management triangle — the missing piece still needed to fully capitalize on your accomplishments and further your transformation agenda — can shrink, thus making the transformational effort to Risk Intelligence manageable and a real possibility.

The first step is deceptively simple: create a common definition of risk that addresses both value preservation and value creation. This common definition needs to be used consistently across your organization, which is why governance is at the top of the triangle. We find that companies making the greatest strides do so under an umbrella of strong governance. In these companies, the board and c-suite recognize their responsibility to set the tone and drive home a strong message — governance and risk management are daily, high-priority issues that must be woven into the fabric of the organization.

Other important steps? We suggest:

  • Adopting a common risk framework supported by appropriate standards enterprise-wide. COSO ERM may be the most common, but others, such as Turnbull and ISO, may be appropriate.
  • Clearly defining and delineating key risk management roles, responsibilities, and authority.
  • Giving boards, audit committees, and other governing bodies appropriate visibility into risk management practices so they can discharge their oversight responsibilities.
  • Assigning to executive management primary responsibility for designing, implementing, and maintaining risk management capabilities.
  • Using a common risk management infrastructure to support the business units and functions.
  • Assigning internal audit to inform governing bodies and executive management about the effectiveness of risk programs.
  • Giving business units and functions full ownership of risks associated with day-to-day operation, including responsibility for keeping executive management informed.
  • Tasking key centralized functions, such as finance and IT, with providing guidance to the business units and monitoring and reporting the effectiveness of risk management activities.

Your organization may have implemented some of these steps. Achieving an integrated governance and risk management framework may just be a matter of tying them all together. How?

Risk Intelligence: Tips for moving forward

Executive support of governance and risk management activities will vary from company to company. But regardless of the situation in your organization, there are actions you can take to advance the effort:

Celebrate what you have achieved. Savor and promote your successes. Sharing what you have accomplished can create a positive effect that boosts governance and risk management efforts across the organization.

Don’t stop what you’re doing. Any solution that works can be a good solution. People are going to address issues and problems that affect them, as effectively as they can. There’s no reason to disrupt or stifle them while you’re working to integrate governance and risk management efforts.

Identify strengths and weaknesses. Conduct a quick assessment of your current state and how far you have come. Identify a meaningful starting point for the analysis. Then sort out the successes and shortcomings.

Create a map to where you want to go. You may need to keep making incremental changes. Or, you may be ready to focus on integrating your governance and risk management efforts. Analyze current gaps and determine what you need to address them.

Risk Intelligence: An ongoing effort

There is no governance and risk management nirvana. You will never be able to anticipate every new regulation or threat, or address every contingency.

But you probably are miles ahead of where you were five years ago. Build on what you have accomplished. Understand what you still need to do. Recognize that you may be well on your way to having a Risk Intelligent Enterprise™ — one that integrates governance and risk management operations across the organization. You are closer than you think.

———-

Mike Fuchs is a principal with Deloitte Consulting LLP, where he is leader of Deloitte Consulting’s Governance and Risk Management services. Michael can be reached at mfuchs@deloitte.com.

To learn more about risk intelligence and to download resources for the Risk Intelligent Enterprise™, visit deloitte.com/us/riskintelligence.

As used in this document, “Deloitte” means Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Tax LLP and Deloitte Financial Advisory Services LLP, which are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.


Corporate Compliance Insights was founded by Maurice Gilbert, the Managing Director
of Conselium, a premier global executive search firm for compliance.
