Rapid change seems to be the order of the day, as the speed and complexity of business continue to increase. Technological advances such as cloud computing, mobile devices and social media continue to take hold. Regulatory demands continue to expand. Workforce dynamics continue to evolve. These and numerous other trends spawn new risks, altering risk profiles and exposing business models to disruptive change. Because of this dynamic environment, enterprise risk management should provide the discipline to ensure a fresh look at the organization’s risk management capabilities from time to time.
Following are 10 questions for management and boards to consider:
(1) What are the company’s top risks, how severe is their impact and how likely are they to occur? – Managing enterprise risk at a strategic level requires focus, meaning generally emphasizing no more than five to 10 risks. Day-to-day risks are an ongoing operating responsibility.
(2) How often does the company refresh its assessment of the top risks? – The enterprise wide risk assessment process should be responsive to change in the business environment. A robust process for identifying and prioritizing the critical enterprise risks, including emerging risks, is vital to an evergreen view of the top risks.
(3) Who owns the top risks and is accountable for results, and to whom do they report? – Once the key risks are targeted, someone or some group, function or unit must own them. Gaps and overlaps in risk ownership should be minimized, if not eliminated.
(4) How effective is the company in managing its top risks? – A robust process for managing and monitoring each of the critical enterprise risks is essential to successful risk management, and risk management capabilities must be improved continuously as the speed and complexity of business change.
(5) Are there any organizational “blind spots” warranting attention? – Cultural issues and dysfunctional behavior can undermine the effectiveness of risk management and lead to inappropriate risk taking or the undermining of established policies and processes. For example, lack of transparency, conflicts of interest, a shoot-the-messenger environment and/or unbalanced compensation structures may encourage undesirable behavior and compromise the effectiveness of risk management.
(6) Does the company understand the key assumptions underlying its strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions? – A company can fall so in love with its business model and strategy that it fails to recognize changing paradigms until it is too late. While no one knows for sure what will happen that could invalidate the company’s strategic assumptions in the future, monitoring the validity of key assumptions over time as the business environment changes is a smart thing to do.
(7) Does the company articulate its risk appetite and define risk tolerances for use in managing the business? – The risk appetite dialogue helps to bring balance to the conversation around which risks the enterprise should take, which risks it should avoid and the parameters within which it should operate going forward. The risk appetite statement is decomposed into risk tolerances to address the question, “How much variability are we willing to accept as we pursue a given business objective?” For example, separate risk tolerances may be expressed differently for objectives relating to earnings variability, interest rate exposure, and the acquisition, development and retention of people.
(8) Does the company’s risk reporting provide management and the board information they need about the top risks and how they are managed? – Risk reporting starts with relevant information about the critical enterprise risks and how those risks are managed. Are there opportunities to enhance the risk reporting process to make it more effective and efficient? Is there a process for monitoring and reporting critical enterprise risks and emerging risks to executive management and the board?
(9) Is the company prepared to respond to extreme events? – Does the company have response plans for unlikely extreme events? Has it prioritized its high-impact, low-likelihood risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise’s response readiness?
(10) Does the board have the requisite skill sets to provide effective risk oversight? – To provide input to executive management regarding critical risk issues on a timely basis, directors must understand the business and industry, as well as how the changing environment impacts the business model.
These 10 questions can provide a framework for taking a fresh look at the risk management process given changes in the business environment. The answers may provide insight on how the company can measure the success of its risk management capabilities.
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO.