Of particular interest to executive management and the board of directors are normal and ongoing business management risks, emerging risks, and critical enterprise risks. In this column, we focus on the last category, which we define as the top five to 10 risks that can threaten the viability and/or execution of the company’s strategy and business model. These risks should be a significant focal point for executive management and the board as they provide an important foundation for the board’s risk oversight.
Paring down the company’s risks to the ones that really matter is a test of the effectiveness of enterprise risk management. If the risk assessment process generates a laundry list of risks, it’s “game over” in the C-suite and boardroom. What senior management and directors want to know is information about the risks that can make or break the company. It all starts with an appropriately designed risk assessment process based on the following principles:
- Periodically evaluate changes in the business environment to determine if they affect the critical assumptions underlying the corporate strategy (regarding such matters as technological innovation, competition, economic trends, regulation, etc.) and, when one or more assumptions are rendered invalid, ensure the corporate strategy is revisited in a timely manner.
- Consider an end-to-end view of the value chain when evaluating the most significant exposures to the effectiveness or viability of the business model in creating value for customers and delivering expected financial results. In addition to the severity of the impact and the likelihood of occurrence, consider the velocity (how quickly an event translates into impact), the persistence of that impact over time, and the company’s resiliency in responding to the event. Pay attention to the uncompensated risks the company faces across the value chain, e.g., the risk of significant warranty costs and/or product recalls, or environmental, health and safety exposures.
- Ensure the risk assessment process provides insight, promotes debate and adds to the collective understanding of what is really important for the business to be successful. Focus on identifying, on a timely basis, significant changes in the enterprise’s risk profile, with emphasis on emerging risks and worst-case extreme events, along with appropriate response plans for such scenarios.
- Involve the board in a timely manner in decisions involving the acquisition of new businesses, entry into new markets, introductions of new products or significant alterations of the corporate strategy.
- Review the risk assessments over the last three to five years and evaluate their effectiveness against actual experience.
To illustrate, one consumer products company filters its risks down to the vital few through a risk assessment process that considers velocity and persistence of impact in addition to significance of impact and likelihood of occurrence. Also, the assessment process focuses on upstream supply chain issues and on protecting the company’s brands. The risk assessment criteria are considered by various risk sub-committees that identify potential critical risks and provide input regarding such risks to the corporate risk management committee. Meanwhile, the operating units and corporate functions report critical risks (as well as emerging risks) to the strategic planning function. Based on their respective assessments using the inputs they receive, the corporate risk management committee and strategic planning function provide input on the critical risks to executive management which, in turn, reports “The Top Risks List” to the board. The company’s chief risk officer supports the process at all points. For example, he consolidates all potential critical risks identified by the individual risk subcommittees and submits a summary to the corporate risk management committee membership prior to the next scheduled committee meeting.
While management is responsible for addressing the critical enterprise risks, the board should consider the information it needs to understand them. Both might benefit from the following reporting:
- High-level summary of the critical risks for the enterprise as a whole and its operating units and the reasons why they are critical
- Status of risk mitigation efforts, with input from the executives responsible for managing the risks, including significant gaps in capabilities for managing the risks and status of initiatives to address those gaps
- The effect of changes in the environment on core assumptions underlying the company’s strategy
- Scenario analyses evaluating the effect of changes in key external variables impacting the organization
- Changes in the overall assessment of risk over time
- Reliability and value added of prior risk assessments
The above information is illustrative and is not intended to be exhaustive or applicable to every organization. Reporting to executive management and the board is an iterative process and is fine-tuned over time.
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO.