8 Principles to Guide the Risk Assessment Process
Organizations don’t need to involve the board in every risk by any means, but critical enterprise risks are a special breed. Protiviti’s Jim DeLoach provides the formula for an appropriately designed risk assessment process – the first step to identifying and ultimately mitigating the risks in this category.
Directors and executives need to consider several categories of risk. Of particular interest are the normal, ongoing business management risks, emerging risks and critical enterprise risks. Below, we focus on the last category, which we define as the top five to 10 risks that can threaten the company’s strategy, business model or ongoing viability.
These risks should be a significant focal point of the board’s risk oversight agenda and risk-related discussions in the C-suite, because they present the most significant risks (and opportunities) affecting the achievement of the performance objectives of greatest importance to the enterprise’s leaders. Identifying them provides a starting point for assigning ownership for management; once ownership is assigned, accountability for results can be established and monitored over time.
For certain risks, directors and executive management need sufficient information in advance to prepare for discussions about the risks and how they are managed. For example, the critical enterprise risks are the ones that threaten the company’s strategy and the viability of its business model – such as credit risk to a financial institution, supply chain risk to a manufacturer, commodity price risk to a power company, country risk to an oil exploration company, research and development risk to a pharmaceutical company or unique risks that make a company an outlier among its competitors. Often, these risks require full board engagement because they are strategic in nature.
Paring a company’s risks down to the ones that really matter maximizes the value of the board’s risk oversight input and effectiveness of the executive team’s risk focus. It all starts with an appropriately designed risk assessment process based on the following principles:
#1: Begin with the end in mind.
Risks require a context provided by the enterprise’s business objectives and strategy. Strategic objectives are high-level goals aligned with the organization’s mission, vision and core values. These objectives reflect the management team’s choice as to how they intend to create stakeholder value. These choices almost always entail risk-reward trade-offs. It is important that the risk assessment process is sensitive to changes in the organization’s business objectives and strategies for achieving those objectives.
#2: Engage appropriate multiple stakeholders in the process.
Our experience is that the quality of the risk assessment process improves when it incorporates multiple perspectives. This means involving senior executives, business unit executives and appropriate functional leaders. It is striking how much perspectives on the same business risks can differ. We see this every year in the annual top risks survey we conduct in partnership with North Carolina State University’s ERM Initiative. A rich dialogue yields better answers; furthermore, the dialogue itself has significant value in bonding a management team with disparate points of view.
#3: Periodically evaluate changes in the business environment.
The purpose of this evaluation is to determine whether changes in the external environment affect critical assumptions underlying the corporate strategy. For example, such matters as disruptive technological innovation, competition, economic trends, regulatory developments and other changes can impact the strategy and business model. When one or more key management assumptions about the present and future are rendered invalid, opportunity and risk present themselves. On which side of that double-edged sword the company falls often depends on whether the corporate strategy is revisited in a timely manner.
#4: Consider an end-to-end view of the value chain when evaluating the most significant exposures to unexpected events.
As they say, stuff happens. Whenever an unexpected event occurs, it can change the effectiveness or viability of the business model that is intended to create great customer experiences and deliver expected financial results. When evaluating exposure to the unexpected, take a look at the entity’s criteria for assessing risk. For example, likelihood of occurrence and severity of impact are commonly used. In addition, the velocity of an event (how quickly it produces its impact), the persistence of that impact over time and the company’s resiliency in responding to the event (response readiness) are criteria to consider. Pay attention to the uncompensated risks (so-called single-tail risks, for which there is little, if any, upside) the company faces across the value chain (e.g., the risk of significant warranty costs, massive product recalls or unusual environmental, health and safety exposures).
#5: Understand interconnections between and among risks.
A portfolio perspective of risk recognizes that understanding interrelated impacts may be as important as, if not more important than, managing individual risks. For example, a single event may create multiple risks affecting the achievement of multiple business objectives. Risks for individual business units of the overall enterprise may be within the units’ respective risk tolerances but, when taken together in the aggregate, may exceed the overall consolidated risk appetite for the enterprise. Conversely, potential events representing an unacceptable risk in one business unit may have an offsetting effect in another unit. The point is that looking at groups of interrelated risks allows management to pool the entity’s risk reduction and risk transfer responses. For instance, when procuring insurance, it may be beneficial to combine risks under a single policy to realize reductions in premium pricing.
#6: Ensure the process provides insight, promotes debate and adds to the collective understanding of what is really important for the business to be successful.
The risk assessment process should focus on identifying significant changes in the enterprise’s risk profile, with emphasis on calling attention to whether risks are increasing or declining, identifying emerging risks and worst-case extreme events and outlining timely and actionable response plans to such scenarios.
#7: Involve the board in major decisions in a timely manner.
In between risk assessments, decisions are often made that alter the risk profile and potentially have unintended consequences pertaining to the achievement of various business objectives. Such decisions include the acquisition of new businesses, entry into new markets, introductions of new products, major procurement decisions or significant alterations of the corporate strategy. The board should be engaged in the decision-making process on a timely basis if decisions are likely to impact the company’s overall risk profile and ability to achieve its critical objectives.
#8: Review the risk assessments over the last three to five years and evaluate their effectiveness against actual experience.
A postmortem can be very revealing. It can point to major misses and misallocation of resources and suggest ways to improve the risk assessment process going forward.
To illustrate, one consumer products company filters its risks down to the vital few through a risk assessment process that considers velocity and persistence of impact in addition to significance of impact and likelihood of occurrence. The assessment process focuses on upstream supply chain issues and protecting the company’s brands. The risk assessment criteria are considered by various risk subcommittees that identify potential critical risks and provide input regarding such risks to the corporate risk management committee. Meanwhile, the operating units and corporate functions report critical risks (as well as emerging risks) to the strategic planning function.
Based on their respective assessments using the inputs they receive, the corporate risk management committee and strategic planning function provide input on the critical risks to executive management, which, in turn, reports the top risks to the board. The company’s chief risk officer supports the process at all points. For example, the CRO consolidates all potential critical risks identified by the individual risk subcommittees and submits a summary to the corporate risk management committee prior to the next scheduled committee meeting.
It is important to note that each top risk has a summary of the significant responses addressing it and the executives responsible for implementing those initiatives, so the process is not just creating a “risk list.” There are real teeth and clear accountability for managing the top-tier risks.
While management is responsible for addressing the critical enterprise risks, the board should consider the information it needs to inform its risk oversight. For example, the board and executive management might benefit from the following:
- A high-level summary of the critical enterprise risks for the enterprise as a whole and its operating units, the reasons why they are critical and the changes since the last report.
- The status of risk mitigation efforts, with input from the executives responsible and accountable for managing the risks, including significant gaps in capabilities for managing the risks, status of initiatives to address those gaps and any concerns regarding potential “soft spots.”
- The effect of changes in the environment on core assumptions underlying the company’s strategy.
- Scenario analyses evaluating the effect of changes in key external variables having the greatest impact on the organization and its strategy (e.g., interest rate sensitivity analysis, commodity price volatility, supply chain disruption, innovation rates and geopolitical events).
- Summary of near misses, close calls, limit breaches, compliance violations and other policy deviations.
- Drill-down dashboards for specific risks, such as cybersecurity.
- Changes in the overall assessment of risk over time, and the reliability and value added of prior risk assessments.
The above list is illustrative and not intended to be exhaustive or applicable to every organization.
Questions for Executives and Directors
The following are some suggested questions that senior executives and boards of directors may consider, in the context of the nature of the entity’s risks inherent in its operations:
- Is there a process for identifying the organization’s critical enterprise risks for purposes of prioritizing the board’s risk oversight focus and the executive team’s risk agenda?
- Are the board and executive team satisfied with the reporting they receive periodically regarding each of the critical enterprise risks?
- Is the reporting to the board and executive team sufficiently focused on what is being done to manage risk and establish accountability for results (e.g., does the reporting process involve much more than a risk-listing exercise)?
See our latest survey at www.protiviti.com/toprisks.