Creating Better Leaders in Risk Management
How do executive management and the board remain engaged with risk management over time? Most observers would agree that senior management’s supervision of risk management and the board’s risk oversight entail much more than reviewing a risk assessment once a year.
“Risk listing” (or what I call “enterprise list management”) is neither risk management nor responsible board risk oversight, and as the environment changes rapidly, it falls far short of positioning the entity to be risk-informed. So the question remains, how do senior executives and the board stay engaged in discharging their respective risk management supervisory and risk oversight responsibilities and avoid the “business-as-usual” mindset that leads to complacency and stale check-the-box exercises?
As senior managers and directors continue to refine and align their supervisory and oversight processes with the company’s strategy, operations and risk profile over time, there are 10 observations they may want to consider:
1. Keep the Risk Assessment Evergreen
Everyone’s confidence increases if there is an effective process in place to inform executive management and, in turn, the board, of emerging risks. For example, one annual study classifies emerging global risks as economic, geopolitical, environmental, societal and technological. That framework can be supplemented by market-driven risks such as actions by competitors, changes in customer behavior, changes in the supply chain and impact of demographics on the talent pool. As the business environment changes, these risks can have a bearing on the company’s ability to execute its business model. Therefore, the risk assessment process should update the risk profile from time to time to reflect the impact of change.
2. Focus on Critical Enterprise Risks
Certain risks require senior management and directors to have the necessary information that will prepare them for discussions about the organization’s risks and how they are managed. Risks that threaten the company’s strategy and the viability of its business model should command the board’s risk oversight agenda, as they influence the enterprise’s ability to achieve objectives. The criticality of these risks – such as credit risk in a financial institution, supply chain risk in a manufacturer or R&D pipeline risk in a pharmaceutical company – requires an ongoing process to identify shifts in these risks, root causes and other sources of the risk, and/or emerging critical risks. While management is responsible for addressing risks, the board should consider its own information requirements for understanding them. For example, the board might require management to report on the impact and likelihood of the risks to key strategic initiatives or performance goals, as well as the status of risk mitigation efforts. Other examples of relevant information might include the effects of technological obsolescence and changes in the overall assessment of risk over time. The remaining risks – the day-to-day business management risks – can be addressed on an exception basis or through specific committee assignments.
3. Consider Impact of External Change
Executive management and the board should encourage out-of-the-box, big-picture thinking focused on the critical assumptions underlying the corporate strategy to assess the strategic risks and uncertainties the enterprise faces. Given the riskiness and volatility of the times, boards may want their organizations to consider allocating more time to understand what it is they don’t know by employing assessment techniques focused on identifying potential scenarios that could derail critical strategic assumptions. This may identify opportunities to further enhance and focus the company’s strategic, risk management and crisis management processes, as well as the board’s risk oversight process.
4. Position the Organization as an Early Mover
When management recognizes a market shift that creates an opportunity to create enterprise value or invalidates critical strategic assumptions, is the organization positioned to act on that insight as quickly as possible? The following questions apply to every organization: When the entity’s fundamentals change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or will it be looking at the emerging risk of an outdated strategy? Time advantage is attained when the organization is able to recognize a unique market opportunity or an emerging risk and create decision-making options for its leaders before that knowledge becomes widely known.
5. Focus on Digital and Resiliency
As noted in our 2018 top risks survey, the rapid speed of disruptive innovation and new technologies, as well as resistance to adapting operations in the face of indisputable change, are high on the list of top risks for over 725 directors and C-level executives worldwide. As many organizations have discovered in recent years, strategic error in the digital economy can be lethal. Hyperscalability of digital business models and lack of entry barriers enable new competitors to emerge and scale very quickly in redefining the customer experience, making it difficult for incumbents to see it coming at all, much less react in a timely manner to preserve customer loyalty. The stark reality is that a focus on digital doesn’t always translate into a coherent strategy, as many organizations do not fully understand the potential opportunities and risks and are not demonstrating the necessary sense of urgency. That’s why the threat of disruptive innovation and the organization’s agility and response readiness in making adjustments to the strategy and business model deserve close attention in the boardroom and C-suite.
6. Take a Fresh Look at the Risk Management Process
There is no better way to engage with the risk management process than to give it a robust critique. The issuance of COSO’s updated framework on enterprise risk management (ERM) in 2017 offers an opportunity for companies to do just that. While every organization is different according to its industry, strategy, structure, culture, business model and financial wherewithal, the updated COSO ERM Framework points to several important areas to consider:
- Integrate ERM with strategy – COSO asserts that there are three dimensions to integrating ERM with strategy setting and execution: risks to the execution of the strategy, implications from the strategy (meaning that each strategic option has its unique risk-reward trade-off and risk profile), and the possibility of the strategy not aligning with the enterprise’s mission, vision and core values. All three dimensions need to be considered as part of the strategic management process.
- Integrate risk with performance – COSO makes it clear that risk reporting is not an isolated exercise. Operating within the bounds of an acceptable variation in performance provides management with greater confidence that the entity will achieve its business objectives and remain within its risk appetite.
- Lay the foundation for ERM with strong risk governance and culture – The board and the CEO must be vigilant in ensuring that pressures within the organization are neither excessive nor incenting unintended consequences (e.g., unmanageable bias, flawed decisions, and irresponsible and/or illegal behavior). Such pressures are spawned by unrealistic performance targets, conflicting business objectives of different stakeholders, disruptive change altering the fundamentals underlying the business model and imbalances between rewards for short-term financial performance and long-term focused stakeholders.
- Tie risk considerations into decision-making processes – COSO defines “relevant information” as information that facilitates informed decision-making. The more information contributes to increased agility, greater proactivity and better anticipation of the enterprise, the more relevant it is and the more likely the organization will execute its strategy successfully, achieve its business objectives and establish a sustainable competitive advantage. For significant risks, risk quantification offers much more relevant information than the placement of risks on a heat map.
COSO’s message is clear: ERM is not an overlay on the core business processes that matter. If senior managers are concerned about that, their advisers either don’t understand what ERM is – given how COSO has defined it – or are asking the wrong questions. That’s why directors and senior executives should give risk management a fresh look.
7. Sustain The Risk Appetite Dialogue
Given that risk levels and uncertainty have changed significantly over recent years for most organizations, the board and management may find it beneficial to engage in a dialogue on a periodic basis regarding the organization’s risk appetite. This dialogue should cover such topics as the maximum acceptable level of performance variability in specific operating areas given the company’s projected cash flow and commitments, targeted operating parameters, upside/downside debates on significant matters, the “hard spots” and “soft spots” in the business plan, risks to reject as off-strategy, and the desired appetite for risk given the opportunities facing the company. This dialogue should translate into actionable risk tolerances that should be driven into the company’s operations.
8. Require a Forward-looking Risk Reporting Discipline
Risk reporting is one of the most effective tools for sustaining constructive board and executive management engagement. Depending on the board’s and management’s specific needs, enhancements to risk reporting may be useful. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile, flexible and nimble in responding to a changing business environment. To truly impact decision-making, risk reporting must address three questions:
- Are we riskier today than yesterday?
- Are we entering a riskier time?
- What are the underlying causes?
Risk reporting is often not actionable enough to support decision-making processes. And until it is designed to answer these three questions, it won’t be. And once it does, it becomes the key to evolving ERM from a “risk listing” process to a “risk-informed” decision-making discipline. The point is that redirected, more forward-looking risk reporting can strengthen engagement.
9. Consider Escalated Risk Issues in a Timely Manner
Protocols for escalating risk-related matters to the board that are specifically tailored to the company’s operations and risks are important to both risk management and risk oversight. For example, the board may want to consider when and under what circumstances it should be informed of exceptions and near misses to the organization’s established risk tolerances, as well as actual limits violations and policy breaches, including any planned actions to address them through policy and process improvements. Similar protocols should be determined for the executive team.
10. Assess Effectiveness of The Process
Depending on the nature of the business, its risks and the changing business environment, the board should periodically self-evaluate its risk oversight process. Likewise, the executive team should assess the effectiveness of the organization’s risk management, utilizing the perspectives and input from the strategic management function, risk management function, internal audit, culture surveys and other sources.
The above observations illustrate how the board and senior management can enhance engagement with the risk management and risk oversight processes beyond reviewing the results of an annual risk assessment.
 The Global Risks Report 2017, 12th edition, World Economic Forum, January 2017, available at www.weforum.org/reports/the-global-risks-report-2017.
 See Executive Perspectives on Top Risks 2018: www.protiviti.com/toprisks.
 Enterprise Risk Management – Aligning Risk with Strategy and Performance, Committee of Sponsoring Organizations of the Treadway Commission, June 2017, available at www.coso.org.