Guidance for Executive Management and the Board
Protiviti’s Jim DeLoach discusses strategies to enhance the risk assessment process, from ensuring the proper stakeholders are involved to accounting for disruptive change and moving beyond “enterprise list management.”
An effective risk assessment is fundamental to risk management and the board’s risk oversight process. Successful risk assessments help directors and executive management identify emerging risks and face the future confidently.
An enterprise risk assessment (ERA) is a systematic and forward-looking analysis of the impact and likelihood of potential future events and scenarios on the achievement of an organization’s business objectives within a stated time horizon. The process begins with an articulation of the enterprise’s governing business objectives as reflected in its strategy and performance goals. It applies predetermined risk criteria to well-defined risk scenarios that could lead to the organization falling short of achieving those objectives. Often, the assessment results are displayed on a grid or map for review by decision-makers to ensure risk owners are appropriately assigned and risk responses and metrics are in place. Many organizations have some sort of ERA process in place.
Practices to Maximize Value
The notion of uncertainty refers to any situation in which decision-makers identify all possible outcomes and assess the related possibilities but do not know which events will occur. For directors and executives, the worst kind of uncertainty is being unaware of what they don’t know. Yes, management has knowledge of markets, customers and competitors from internal and external sources, but do leaders have an appreciation for what they don’t know? The point is, rather than shuffle “known knowns” around on a risk map from one risk assessment to the next, the risk assessment process should help decision-makers “know what they don’t know” so they can make better-informed decisions.
To that end, following are 10 practices that will help management and directors maximize the value derived from the risk assessment process.
1. Involve the appropriate people
Surveys we have conducted over the past seven years indicate, without exception, that different senior executives and operating unit and functional leaders often have different perspectives and viewpoints regarding risk. Therefore, it is important to involve the appropriate stakeholders in the risk assessment process, including the C-suite, as well as business unit and functional leaders.
2. Reduce the danger of groupthink
The risk assessment process should encourage an open, positive dialogue among key executives and stakeholders for identifying and evaluating opportunities and risks. Accordingly, attention should be given to reducing the risk of undue bias and groupthink. As a safeguard against executives developing misinformed opinions or reaching conclusions without having engaged in robust debate or listened to dissenting views, management should ensure that all perspectives are heard from the right sources and considered in the process. Anything any executive truly fears should be out in the open. Key issues and concerns should be aired, and the potential for missed opportunities should be discussed. When talking about the future, historical “hard numbers,” anecdotal evidence, polls and media reports may offer data points, but should not engender false assurance.
3. Focus comprehensively on the distinctive dimensions of strategic risk
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), there are three dimensions to strategic risk:
- The implications from the strategy – When management develops a strategy and works through alternatives with the board, decisions are made on the risk-reward trade-offs inherent in the strategy. In effect, each alternative strategy has its own distinctive risk profile.
- The possibility of strategy not aligning with an organization’s mission, vision and core values – A strategy misaligned with what the entity is trying to achieve and how it intends to conduct business can lead to reputation loss and brand erosion. This misalignment is the root of companies losing their way and failing to remember what they’re about.
- The risks to executing the strategy – This is the dimension many organizations consider in their risk assessment process. The other two dimensions can be just as important.
All three dimensions need to be considered if the company expects to avoid unintended consequences that could lead to a loss of enterprise value or a failure to create enterprise value.
4. Understand the assumptions underlying the strategy
Boards and executives that are navigating the risk assessment process should consider how the organization’s strategy and risk appetite work in tandem and how they will drive behavior across the organization in setting business objectives, allocating resources and making key decisions. Are risks evaluated in the context of the organization’s objectives, strategy and operations? Is adequate consideration given to macroeconomic issues? Is there a business intelligence process for monitoring the environment outside of traditional planning and budgeting to ensure strategic assumptions remain valid? Is the board informed when these strategic assumptions are no longer valid? Are these assumptions stress-tested when circumstances warrant?
5. Consider the impact of disruptive change
The rapid pace of change in the global business environment presents risks for entities of all types. Digital transformation and industry change alter risk profiles. The unique aspect regarding disruptive change is that it represents a choice – which side of the change curve does an organization want to be on? With the speed of change and constant advances in technology, rapid response to new market opportunities and emerging risks can be a major source of competitive advantage. Conversely, failure to remain abreast or ahead of the change curve can place an organization in the untenable position of becoming captive to events rather than charting its own course – a position that can be lethal. The risk assessment process must be dynamic enough to account for significant change (e.g., the process should monitor the business environment over time to identify risks inherent in the strategy and market changes that may invalidate one or more critical assumptions underlying the strategy).
6. Consider appropriate criteria to assess “high-impact, low-likelihood” risks
When considering extreme risk events, the operative question is, how resilient is our organization if one or more of these events were to occur? Velocity, persistence and response readiness are useful risk criteria to consider when answering this question. What is the level of resilience of our plan in case of alternative scenarios? Is our plan robust enough, or too ambitious? Do we know the level of variation of our expected performance in the short term? Is this variation acceptable?
7. Understand the sources of risk
One of the most difficult tasks in risk management is translating a risk assessment into actionable steps in the business plan. Often, risk owners don’t know what to do to address significant risks based on risk assessments displayed on the traditional two-dimensional graph. If the risk scenarios used during the risk assessment are well-defined, they will have some ideas. But for the most significant risks, it may make sense to source their root causes to better understand them so that more effective risk responses can be designed at the source. There are a variety of ways to accomplish this task. The process should be designed to identify patterns that connect potential interrelated risk events so that they can be taken into consideration by the risk-response design. Risks are not necessarily mutually exclusive; therefore, they need not be managed in silos.
8. Don’t forget emerging risks
A process for identifying emerging risks should be in place to supplement the ongoing risk assessment process. One of the keys to identifying emerging risks is a sufficient time horizon. For example, environmental, social and governance (ESG) issues are becoming increasingly important with each passing quarter. The further out one looks, the more significant and relevant these issues appear to be.
9. Integrate risk considerations into decision-making
As important as the risk assessment process is, it may be just as important for decision-making processes to consider the impact of major decisions on the organization’s risk profile. If risk is understood to be the distribution of possible outcomes over a given time horizon due to changes in key underlying variables, it should be noted that major decisions either create different outcomes or alter previously considered outcomes. As a result, significant decisions should consider the baseline risk assessment and the organization’s risk appetite and involve the board in a timely manner.
10. Never end with just a list
Effective risk assessments always lead to formulation of risk responses to close the gaps they identify. Therefore, following completion of a formal or informal risk assessment, management should designate the appropriate risk owners for newly identified risks so that appropriate risk responses and accountability structures can be designed for their execution. “Enterprise list management” loses its novelty over time.
The board should be informed of the risk assessment results on a timely basis to ensure that directors agree with management’s determination of the significant risks and are able to incorporate the organization’s most critical risks into the board’s risk oversight process. In addition, significant risk issues warranting attention by executive management and the board should be escalated to their attention on a timely basis.
The above practices can assist organizations in defining their specific risks and assessing the adequacy of the processes informing risk management and board risk oversight. An effective risk assessment process lays the foundation for management and directors to navigate a changing business environment with confidence.
Questions for Executives and Boards
Following are some suggested questions that senior executives and boards of directors may consider, based on the risks inherent in the entity’s operations:
- Are executives and directors confident they are aware of the most significant risks facing the company in achieving its critical business objectives and management’s responses to these risks? Are changes in the business environment evaluated periodically to identify the risks inherent in the corporate strategy? Is there a robust enterprisewide process in place executives and directors can point to that addresses these questions?
- Is the enterprise’s risk profile updated when strategic course corrections are considered? Does management apprise the board promptly of significant changes in the risk profile? Is there an effective process for identifying emerging risks? Does it result in consideration of response plans on a timely basis?
- Are executives and the board satisfied that the strategy-setting process appropriately considers a substantive assessment of the risks the enterprise is taking on as a result of putting the strategy in play? Is there a periodic board-level dialogue regarding management’s appetite for risk and whether the organization’s risk profile is consistent with that risk appetite?
 Over the last seven years, Protiviti and the NC State University ERM Initiative have conducted a global survey of senior executives and directors regarding the top risks their companies face. In each of these surveys, we have found divergent views among executives in the C-suite and between executives and directors. For example, in our latest study for 2019, we found that board members, CEOs and chief risk officers perceive a slightly riskier environment for 2019 relative to 2018 than CFOs, chief audit executives and chief information/technology officers. See the executive summary on pages 9 and 10 of the report at www.protiviti.com/toprisks.