No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Risk

A Value-Based Approach to Risk Management

by Jim DeLoach
September 3, 2015
in Risk
Man perched on top of jenga hame and gazing at expanse below him

CEOs drive their organizations to pursue opportunities with the objective of building and sustaining long-term enterprise value. It is what the Board of Directors expects. In the book Built to Last, one of the principles asserted by the authors is that a company sustains itself by setting “big hairy audacious goals” requiring the commitment of its personnel working outside their comfort zone.[1] That is exactly what a good CEO does. Everyone knows that the status quo is a non-starter in a rapidly changing environment. Anyone standing still is likely to get run over.

Within this context, what is the role of risk? Many argue that risk management should contribute value. While this assertion is easy to make, what does it really mean? And what is the Board’s role from a risk oversight standpoint to ensure a value-based approach?

There are two ways of looking at this topic: the strategic view and the proprietary view.

A Strategic View

A winning strategy exploits areas a company does better than anyone else. Ambitious goals for creating value entail taking on risk. Thus, the execution of any strategy is governed by the willingness of management and the Board to accept risk and the organization’s capacity to bear and manage risk.

A strategic view of risk management adding value focuses the Board of Directors and executive management to satisfy themselves that the strategy is realistic and does not result in unacceptable execution risks. There are three things the Board and management does to realize this strategic view.

  1. Recognize that strategic risks are primarily compensated risks; avoid confusing them with uncompensated risks – Often, strategic risks are “compensated” because the expected upside returns are regarded as sufficient to warrant the downside exposure. These risks represent bets management decides to make, the Board approves and, hopefully, investors support.To illustrate, the risks associated with initiating operations in new markets, introducing new products, undertaking large research and development projects and even altering business models to conform to regulatory requirements are often compensated risks because they are inseparable from the decision to execute the enterprise’s strategy. By contrast, uncompensated risks are one-sided because they offer the potential for downside with little or no upside potential. For example, over the long term, environmental, health and safety risks offer little, if any, upside to cutting corners and taking shortcuts that, in time, contribute to unacceptable exposures to losses, penalties, fines and reputation hits.Our experience is that most people think of risk as “uncompensated.” That mindset presents a challenge when integrating risk assessment with strategy-setting, particularly when prior assessments have traditionally focused on uncompensated risks. Risk assessments contribute value to strategy-setting when management identifies the priority risks inherent in planned strategic initiatives and is able to discuss them with the Board on a timely basis. This process signals to directors that management understands the potential performance variability arising from committing to the strategy and is able to articulate that the risks are sufficiently compensated through expected returns during and beyond the planning horizon.
  2. Ensure that risk assessment is integrated with strategy-setting effectively to make the strategy more robust – Effectively integrated with strategy-setting, a risk assessment invigorates opportunity-seeking behavior by increasing the confidence of management and the Board in two ways. First, it provides transparency to the downside to undertaking the strategy and how much it might hurt if an expected outcome is not achieved or an extreme negative outcome (a so-called “tail event”) were to occur. Second, it leads to a discussion regarding the capabilities within the organization to manage the risks it is taking on with the objective of reducing them to an acceptable level. This process leads to conscious decisions to accept, avoid, transfer and reduce risks inherent in the strategy, resulting in a more informed and robust strategy.
  3. Make sure management establishes an early warning system linked to critical assumptions underlying the strategy – Focusing on the risks inherent in the strategy will likely uncover execution risks that warrant close attention, as they most likely deal with availability of human resources, competitor actions, technological advances, regulatory developments or other uncertainties during the planning horizon and beyond. Scenario analysis may be necessary to identify the strategic assumptions that are most sensitive to change. These activities enable the organization to deploy intelligence gathering and monitoring processes to identify changes in external variables that may necessitate revisiting key strategic assumptions. In this way, risk management contributes value by creating an early warning system that positions the organization to make adjustments to the strategy and business model that capitalize on market opportunities and emerging risks before they become common knowledge in the industry.

A Proprietary View

A proprietary view of risk management adding value is focused on preserving enterprise value that took decades to build. While some may argue that this view doesn’t qualify as a value-based approach, we suggest that they talk with investors who held shares in financial institutions up to and through the aftermath of the financial crisis, when they saw the value of their holdings decline to a mere fraction of their pre-crisis levels.

A proprietary view compels the Board of Directors and executive management to ensure there is a contrarian voice within the organization, prudent boundaries and limits to opportunity-seeking behavior and clearly delineated responsibilities among (a) line of business leaders and process owners, (b) independent risk management and compliance management and (c) internal audit functions. These three things are discussed further below.

  1. Ensure that management is committed to preserving a healthy tension between value creation and value protection – Tension is inevitable between value creation and value protection. If tension doesn’t exist, it is likely due to dangerous groupthink and a culture that encourages everyone to “get along.” That’s why one of the toughest tasks in risk management is balancing the organization’s entrepreneurial activities and control activities so that neither one is too disproportionately strong relative to the other.Appropriate balance consistent with the organization’s mission, strategy and values is the goal. This proprietary view transcends the strategic view because it recognizes the importance of protecting enterprise value that may have taken a long time to build. This perspective means different things to different organizations and across different industries, as there is no one size fits all.We are all supportive of the idea that independent risk management functions should be trusted advisors and business partners with front-line managers. At the same time, if a deal is a bad one or is too risky relative to the organization’s risk appetite, these functions need to be positioned to speak up without fear of repercussions and retribution.
  2. Ensure management sets appropriate boundaries and limits in executing strategy – There are several ways of achieving the desired balance. Boundaries provide a broad context for balancing the organization’s objectives and performance goals for creating enterprise value with the policies, processes and control systems deemed appropriate to preserve enterprise value. Boundaries, and the limit structures supporting them, provide a tool for managing the tension between the two by forcing dialogue, escalation and even arbitration. This is a good thing. There are times when the right people need to take a pause in the cool of the day and revisit the strategy. Boundaries and limits are useful in forcing that pause. The alternative is unbridled entrepreneurial activity that can lead to trouble.To illustrate, there should be a risk appetite statement outlining the organization’s accepted risks inherent in the strategy, risks to avoid in executing the strategy, as well as targeted strategic, financial and operational risk parameters. Risk tolerances and limit structures should be used to decompose the assertions articulated in the risk appetite statement down to a level where it can be applied in daily operations.For risk management and internal control to function when a crucial decision-making moment or changing circumstances arise, directors and executive management must be committed to making it work. Aligning governance, risk management and internal control processes toward striking the appropriate balance is fundamental to managing and sustaining a strong risk culture. Rather than tell the CEO what to do or how to run the business, the Board provides direction as to what not to do through a risk appetite statement, risk tolerances and limit structures.
  3. View the organization through the lens of multiple lines of defense – A lines-of-defense approach also facilitates the desired balance by making it clear that everyone manages risk. A widely accepted view of the lines-of-defense model includes the following:
  • The first line consists of business unit management and customer-facing process owners who have primary ownership of the responsibility to manage risks their units and processes create;
  • The second line includes independent risk management and compliance functions that ensure an enterprise-wide framework exists for managing risk, risk owners (see (1)) are doing their jobs in accordance with the framework, risks are measured appropriately, risk tolerances and limits are adhered to and risk reporting and escalation protocols are working as intended; and
  • Internal audit is the third line that provides assurance that the first two lines are functioning effectively.

Five things are needed for a line-of-defense model to work:

  1. The CEO and Board must set the tone and provide the oversight to ensure the appropriate balance exists. To this end, executive management must act on risk information on a timely basis when it is escalated to them and involve the Board in a timely manner when necessary.
  2. Line of business leaders and process owners must be designated as the ultimate owners of risk and held accountable for results.
  3. The independent risk management and compliance functions must be properly positioned within the organization so that they are independent of business unit operations and front-line, customer-facing business processes. Desirably, they should have access to the Board or to a committee of the Board.
  4. The primary owners of risk – the unit managers and process owners – must accept, and cooperate with, the oversight activities of risk management and compliance functions and the assurance activities of internal audit; it is a bright red flag if they don’t.
  5. Internal audit should use the lines-of-defense framework to sharpen its value proposition in focusing assurance activities more broadly on risk management.

Everyone knows that companies today cannot afford to sit still with the status quo. Every company must continue to seek opportunities to grow, innovate and respond to an ever-changing business environment to enhance enterprise value. Whether it is through a strategic view or proprietary view or both, risk management can contribute to growing enterprise value over time.

[1] Built to Last: Successful Habits of Visionary Companies, Chapter 5, Jerry Porras and Jim Collins, Harper Business Essentials, 1994.


Previous Post

Does Every Board Need an Activist?

Next Post

Amazon’s Culture, the Greatest Brawl in Baseball and Compliance

Jim DeLoach

Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.

Related Posts

Fox_DOJ Speeches_f

Analysis of Recent DOJ Statements

by Corporate Compliance Insights
March 23, 2023

DOJ leaders provide insight into agency's plans. Analysis of Recent Statements DOJ Shaping the Future of Corporate Criminal Enforcement What’s...

Fox_2023 ECCP Update_f

2023 Evaluation of Corporate Compliance Programs

by Corporate Compliance Insights
March 23, 2023

Keeping up with 2023 changes to DOJ guidelines. Additions, Deletions & Changes From 2020 2023 Evaluation of Corporate Compliance Programs...

encompass update

Encompass Launches pKYC Maturity Model

by Corporate Compliance Insights
March 22, 2023

KYC automation platform Encompass has unveiled a new perpetual Know Your Customer (pKYC) maturity model designed to help banks improve...

consilio onna partnership

Consilio, Onna Seek to Streamline eDiscovery for Cloud Apps

by Corporate Compliance Insights
March 22, 2023

Legal technology provider Consilio has launched a new platform, Sightline Collect, powered by data management supplier Onna. The platform is...

Next Post
Amazon’s Culture, the Greatest Brawl in Baseball and Compliance

Amazon's Culture, the Greatest Brawl in Baseball and Compliance

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT