Corporate Compliance Insights

10 Ways to Enhance Leadership Engagement

by Jim DeLoach
January 11, 2018
in Featured, Leadership and Career

Creating Better Leaders in Risk Management

How do executive management and the board remain engaged with risk management over time? Most observers would agree that senior management’s supervision of risk management and the board’s risk oversight entail much more than reviewing a risk assessment once a year.

“Risk listing” (or what I call “enterprise list management”) is neither risk management nor responsible board risk oversight, and as the environment changes rapidly, it falls far short of positioning the entity to be risk-informed. So the question remains, how do senior executives and the board stay engaged in discharging their respective risk management supervisory and risk oversight responsibilities and avoid the “business-as-usual” mindset that leads to complacency and stale check-the-box exercises?

Key Considerations

As senior managers and directors continue to refine and align their supervisory and oversight processes with the company’s strategy, operations and risk profile over time, there are 10 observations they may want to consider:

1. Keep the Risk Assessment Evergreen

Everyone’s confidence increases if there is an effective process in place to inform executive management and, in turn, the board, of emerging risks. For example, one annual study classifies emerging global risks as economic, geopolitical, environmental, societal and technological.[1] That framework can be supplemented by market-driven risks such as actions by competitors, changes in customer behavior, changes in the supply chain and impact of demographics on the talent pool. As the business environment changes, these risks can have a bearing on the company’s ability to execute its business model. Therefore, the risk assessment process should update the risk profile from time to time to reflect the impact of change.

2. Focus on Critical Enterprise Risks

Certain risks require senior management and directors to have the necessary information that will prepare them for discussions about the organization’s risks and how they are managed. Risks that threaten the company’s strategy and the viability of its business model should command the board’s risk oversight agenda, as they influence the enterprise’s ability to achieve objectives. The criticality of these risks – such as credit risk in a financial institution, supply chain risk in a manufacturer or R&D pipeline risk in a pharmaceutical company – requires an ongoing process to identify shifts in these risks, root causes and other sources of the risk, and/or emerging critical risks. While management is responsible for addressing risks, the board should consider its own information requirements for understanding them. For example, the board might require management to report on the impact and likelihood of the risks to key strategic initiatives or performance goals, as well as the status of risk mitigation efforts. Other examples of relevant information might include the effects of technological obsolescence and changes in the overall assessment of risk over time. The remaining risks – the day-to-day business management risks – can be addressed on an exception basis or through specific committee assignments.

3. Consider Impact of External Change

Executive management and the board should encourage out-of-the-box, big-picture thinking focused on the critical assumptions underlying the corporate strategy to assess the strategic risks and uncertainties the enterprise faces. Given the riskiness and volatility of the times, boards may want their organizations to consider allocating more time to understand what it is they don’t know by employing assessment techniques focused on identifying potential scenarios that could derail critical strategic assumptions. This may identify opportunities to further enhance and focus the company’s strategic, risk management and crisis management processes, as well as the board’s risk oversight process.

4. Position the Organization as an Early Mover

When management recognizes a market shift that creates an opportunity to create enterprise value or invalidates critical strategic assumptions, is the organization positioned to act on that insight as quickly as possible? The following questions apply to every organization: When the entity’s fundamentals change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or will it be looking at the emerging risk of an outdated strategy? Time advantage is attained when the organization is able to recognize a unique market opportunity or an emerging risk and create decision-making options for its leaders before that knowledge becomes widely known.

5. Focus on Digital and Resiliency 

As noted in our 2018 top risks survey,[2] the rapid speed of disruptive innovation and new technologies, as well as resistance to adapting operations in the face of indisputable change, are high on the list of top risks for over 725 directors and C-level executives worldwide. As many organizations have discovered in recent years, strategic error in the digital economy can be lethal. Hyperscalability of digital business models and lack of entry barriers enable new competitors to emerge and scale very quickly in redefining the customer experience, making it difficult for incumbents to see it coming at all, much less react in a timely manner to preserve customer loyalty. The stark reality is that a focus on digital doesn’t always translate into a coherent strategy, as many organizations do not fully understand the potential opportunities and risks and are not demonstrating the necessary sense of urgency. That’s why the threat of disruptive innovation and the organization’s agility and response readiness in making adjustments to the strategy and business model deserve close attention in the boardroom and C-suite.

6. Take a Fresh Look at the Risk Management Process 

There is no better way to engage with the risk management process than to give it a robust critique. The issuance of COSO’s updated framework on enterprise risk management (ERM)[3] in 2017 offers an opportunity for companies to do just that. While every organization is different according to its industry, strategy, structure, culture, business model and financial wherewithal, the updated COSO ERM Framework points to several important areas to consider:

  • Integrate ERM with strategy – COSO asserts that there are three dimensions to integrating ERM with strategy setting and execution: risks to the execution of the strategy, implications from the strategy (meaning that each strategic option has its unique risk-reward trade-off and risk profile), and the possibility of the strategy not aligning with the enterprise’s mission, vision and core values. All three dimensions need to be considered as part of the strategic management process.
  • Integrate risk with performance – COSO makes it clear that risk reporting is not an isolated exercise. Operating within the bounds of an acceptable variation in performance provides management with greater confidence that the entity will achieve its business objectives and remain within its risk appetite.
  • Lay the foundation for ERM with strong risk governance and culture – The board and the CEO must be vigilant in ensuring that pressures within the organization are neither excessive nor incenting unintended consequences (e.g., unmanageable bias, flawed decisions, and irresponsible and/or illegal behavior). Such pressures are spawned by unrealistic performance targets, conflicting business objectives of different stakeholders, disruptive change altering the fundamentals underlying the business model and imbalances between rewards for short-term financial performance and long-term focused stakeholders.
  • Tie risk considerations into decision-making processes – COSO defines “relevant information” as information that facilitates informed decision-making. The more information contributes to increased agility, greater proactivity and better anticipation of the enterprise, the more relevant it is and the more likely the organization will execute its strategy successfully, achieve its business objectives and establish a sustainable competitive advantage. For significant risks, risk quantification offers much more relevant information than the placement of risks on a heat map.

COSO’s message is clear: ERM is not an overlay on the core business processes that matter. If senior managers are concerned about that, their advisers either don’t understand what ERM is – given how COSO has defined it – or are asking the wrong questions. That’s why directors and senior executives should give risk management a fresh look.

7. Sustain the Risk Appetite Dialogue

Given that risk levels and uncertainty have changed significantly over recent years for most organizations, the board and management may find it beneficial to engage in a dialogue on a periodic basis regarding the organization’s risk appetite. This dialogue should cover such topics as the maximum acceptable level of performance variability in specific operating areas given the company’s projected cash flow and commitments, targeted operating parameters, upside/downside debates on significant matters, the “hard spots” and “soft spots” in the business plan, risks to reject as off-strategy, and the desired appetite for risk given the opportunities facing the company. This dialogue should translate into actionable risk tolerances that should be driven into the company’s operations.

8. Require a Forward-looking Risk Reporting Discipline

Risk reporting is one of the most effective tools for sustaining constructive board and executive management engagement. Depending on the board’s and management’s specific needs, enhancements to risk reporting may be useful. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile, flexible and nimble in responding to a changing business environment. To truly impact decision-making, risk reporting must address three questions:

  1. Are we riskier today than yesterday?
  2. Are we entering a riskier time?
  3. What are the underlying causes?

Risk reporting is often not actionable enough to support decision-making processes. And until it is designed to answer these three questions, it won’t be. And once it does, it becomes the key to evolving ERM from a “risk listing” process to a “risk-informed” decision-making discipline. The point is that redirected, more forward-looking risk reporting can strengthen engagement.

9. Consider Escalated Risk Issues in a Timely Manner

Protocols for escalating risk-related matters to the board that are specifically tailored to the company’s operations and risks are important to both risk management and risk oversight. For example, the board may want to consider when and under what circumstances it should be informed of exceptions and near misses to the organization’s established risk tolerances, as well as actual limits violations and policy breaches, including any planned actions to address them through policy and process improvements. Similar protocols should be determined for the executive team.

10. Assess Effectiveness of the Process

Depending on the nature of the business, its risks and the changing business environment, the board should periodically self-evaluate its risk oversight process. Likewise, the executive team should assess the effectiveness of the organization’s risk management, utilizing the perspectives and input from the strategic management function, risk management function, internal audit, culture surveys and other sources.

The above observations illustrate how the board and senior management can enhance engagement with the risk management and risk oversight processes beyond reviewing the results of an annual risk assessment.

[1] The Global Risks Report 2017, 12th edition, World Economic Forum, January 2017, available at www.weforum.org/reports/the-global-risks-report-2017.

[2] See Executive Perspectives on Top Risks 2018: www.protiviti.com/toprisks.

[3] Enterprise Risk Management – Aligning Risk with Strategy and Performance, Committee of Sponsoring Organizations of the Treadway Commission, June 2017, available at www.coso.org.



Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.
