Of particular interest to executive management and the board of directors are normal and ongoing business management risks, emerging risks, and critical enterprise risks. In this column, we focus on the last category, which we define as the top five to 10 risks that can threaten the viability and/or execution of the company’s strategy and business model. These risks should be a significant focal point for executive management and the board as they provide an important foundation for the board’s risk oversight.
Paring down the company’s risks to the ones that really matter is a test of the effectiveness of enterprise risk management. If the risk assessment process generates a laundry list of risks, it’s “game over” in the C-suite and boardroom. What senior management and directors want to know is information about the risks that can make or break the company. It all starts with an appropriately designed risk assessment process based on the following principles:
To illustrate, one consumer products company filters its risks down to the vital few through a risk assessment process that considers velocity and persistence of impact in addition to significance of impact and likelihood of occurrence. The assessment process also focuses on upstream supply chain issues and on protecting the company’s brands. The risk assessment criteria are applied by various risk subcommittees that identify potential critical risks and provide input regarding such risks to the corporate risk management committee. Meanwhile, the operating units and corporate functions report critical risks (as well as emerging risks) to the strategic planning function. Based on their respective assessments using the inputs they receive, the corporate risk management committee and the strategic planning function provide input on the critical risks to executive management, which, in turn, reports “The Top Risks List” to the board. The company’s chief risk officer supports the process at all points. For example, he consolidates all potential critical risks identified by the individual risk subcommittees and submits a summary to the corporate risk management committee membership prior to the next scheduled committee meeting.
While management is responsible for addressing the critical enterprise risks, the board should consider the information it needs to understand them. Both might benefit from the following reporting:
The above information is illustrative and is not intended to be exhaustive or applicable to every organization. Reporting to executive management and the board is an iterative process and is fine-tuned over time.
Jim DeLoach has over 35 years of experience and is a member of Protiviti's Solutions Leadership Team. With a focus on helping organizations respond to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner, Jim assists companies in integrating risk and risk management with strategy setting and performance management. Jim was named to the NACD Directorship 100 list from 2012 to 2016.