
Communicating Critical Enterprise Risks to the Board

by Jim DeLoach
April 10, 2018
in Featured, Risk

8 Principles to Guide the Risk Assessment Process

Organizations don’t need to involve the board in every risk by any means, but critical enterprise risks are a special breed. Protiviti’s Jim DeLoach provides the formula for an appropriately designed risk assessment process – the first step to identifying and ultimately mitigating the risks in this category.

Directors and executives need to consider several categories of risk. Of particular interest are the normal, ongoing business management risks, emerging risks and critical enterprise risks. Below, we focus on the last category, which we define as the top five to 10 risks that can threaten the company’s strategy, business model or ongoing viability.

These risks should be a significant focal point of the board’s risk oversight agenda and risk-related discussions in the C-suite, because they present the most significant risks (and opportunities) affecting the achievement of the performance objectives of greatest importance to the enterprise’s leaders. Identifying them provides a starting point for assigning ownership for management; once ownership is assigned, accountability for results can be established and monitored over time.

Key Considerations

Certain risks require directors and executive management to have sufficient information in advance to prepare them for discussions about risks and how they are managed. For example, the critical enterprise risks are the ones that threaten the company’s strategy and the viability of its business model – such as credit risk to a financial institution, supply chain risk to a manufacturer, commodity price risk to a power company, country risk to an oil exploration company, research and development risk to a pharmaceutical company or unique risks that make a company an outlier among its competitors. Often, these risks require full board engagement because they are strategic in nature.

Paring a company’s risks down to the ones that really matter maximizes the value of the board’s risk oversight input and effectiveness of the executive team’s risk focus. It all starts with an appropriately designed risk assessment process based on the following principles:

#1: Begin with the end in mind.

Risks require a context provided by the enterprise’s business objectives and strategy. Strategic objectives are high-level goals aligned with the organization’s mission, vision and core values. These objectives reflect the management team’s choice as to how they intend to create stakeholder value. These choices almost always entail risk-reward trade-offs. It is important that the risk assessment process is sensitive to changes in the organization’s business objectives and strategies for achieving those objectives.

#2: Engage appropriate multiple stakeholders in the process.

Our experience is that the quality of the risk assessment process improves when it incorporates multiple perspectives. This means involving senior executives, business unit executives and appropriate functional leaders. It is interesting how various perspectives can differ in terms of evaluating risks in the business. We see this every year in the annual top risks survey we conduct in partnership with North Carolina State University’s ERM Initiative.[1] A rich dialogue yields better answers; furthermore, the dialogue itself has significant value in bonding a management team with disparate points of view.

#3: Periodically evaluate changes in the business environment.

The purpose of this evaluation is to determine whether changes in the external environment affect critical assumptions underlying the corporate strategy. For example, such matters as disruptive technological innovation, competition, economic trends, regulatory developments and other changes can impact the strategy and business model. When one or more key management assumptions about the present and future are rendered invalid, opportunity and risk present themselves. On which side of that double-edged sword the company falls often depends on whether the corporate strategy is revisited in a timely manner.

#4: Consider an end-to-end view of the value chain when evaluating the most significant exposures to unexpected events.

As they say, stuff happens. Whenever an unexpected event occurs, it can change the effectiveness or viability of the business model that is intended to create great customer experiences and deliver expected financial results. When evaluating exposure to the unexpected, take a look at the entity’s criteria for assessing risk. For example, likelihood of occurrence and severity of impact are commonly used. In addition, the velocity or speed of an event to impact, the persistence of that impact over time and the resiliency of the company in responding to the event creating the impact (response readiness) are criteria to consider. Pay attention to the uncompensated risks (so-called single-tail risks, for which there is little, if any, upside) the company faces across the value chain (e.g., the risk of significant warranty costs, massive product recalls or unusual environmental, health and safety exposures).

#5: Understand interconnections between and among risks.

A portfolio perspective of risk recognizes that understanding interrelated impacts may be as important as, if not more important than, managing individual risks. For example, a single event may create multiple risks affecting the achievement of multiple business objectives. Risks for individual business units of the overall enterprise may be within the units’ respective risk tolerances but, when taken together in the aggregate, may exceed the overall consolidated risk appetite for the enterprise. Conversely, potential events representing an unacceptable risk in one business unit may have an offsetting effect in another unit. The point is that looking at groups of interrelated risks allows management to pool the entity’s risk reduction and risk transfer responses. For instance, when procuring insurance, it may be beneficial to combine risks under a single policy to realize reductions in premium pricing.

#6: Ensure the process provides insight, promotes debate and adds to the collective understanding of what is really important for the business to be successful.

The risk assessment process should focus on identifying significant changes in the enterprise’s risk profile, with emphasis on calling attention to whether risks are increasing or declining, identifying emerging risks and worst-case extreme events and outlining timely and actionable response plans to such scenarios.

#7: Involve the board in major decisions in a timely manner.

In between risk assessments, decisions are often made that alter the risk profile and potentially have unintended consequences pertaining to the achievement of various business objectives. Such decisions include the acquisition of new businesses, entry into new markets, introductions of new products, major procurement decisions or significant alterations of the corporate strategy. The board should be engaged in the decision-making process on a timely basis if decisions are likely to impact the company’s overall risk profile and ability to achieve its critical objectives.

#8: Review the risk assessments over the last three to five years and evaluate their effectiveness against actual experience.

A postmortem can be very revealing. It can point to major misses and misallocation of resources and suggest ways to improve the risk assessment process going forward.

To illustrate, one consumer products company filters its risks down to the vital few through a risk assessment process that considers velocity and persistence of impact in addition to significance of impact and likelihood of occurrence. The assessment process focuses on upstream supply chain issues and protecting the company’s brands. The risk assessment criteria are considered by various risk subcommittees that identify potential critical risks and provide input regarding such risks to the corporate risk management committee. Meanwhile, the operating units and corporate functions report critical risks (as well as emerging risks) to the strategic planning function.

Based on their respective assessments using the inputs they receive, the corporate risk management committee and strategic planning function provide input on the critical risks to executive management, which, in turn, reports the top risks to the board. The company’s chief risk officer supports the process at all points. For example, the CRO consolidates all potential critical risks identified by the individual risk subcommittees and submits a summary to the corporate risk management committee prior to the next scheduled committee meeting.

It is important to note that each top risk has a summary of the significant responses addressing it and of the executives responsible for implementing those initiatives, so the process is not just creating a “risk list.” There are real teeth and accountability for managing the top-tier risks.

While management is responsible for addressing the critical enterprise risks, the board should consider the information it needs to inform its risk oversight. For example, the board and executive management might benefit from the following:

  • A high-level summary of the critical enterprise risks for the enterprise as a whole and its operating units, the reasons why they are critical and the changes since the last report.
  • The status of risk mitigation efforts, with input from the executives responsible and accountable for managing the risks, including significant gaps in capabilities for managing the risks, status of initiatives to address those gaps and any concerns regarding potential “soft spots.”
  • The effect of changes in the environment on core assumptions underlying the company’s strategy.
  • Scenario analyses evaluating the effect of changes in key external variables having the greatest impact on the organization and its strategy (e.g., interest rate sensitivity analysis, commodity price volatility, supply chain disruption, innovation rates and geopolitical events).
  • Summary of near misses, close calls, limit breaches, compliance violations and other policy deviations.
  • Drill-down dashboards for specific risks, such as cybersecurity.
  • Changes in the overall assessment of risk over time and reliability and value add of prior risk assessments.

The above list is illustrative and not intended to be exhaustive or applicable to every organization.

Questions for Executives and Directors

The following are some suggested questions that senior executives and boards of directors may consider, in light of the risks inherent in the entity’s operations:

  • Is there a process for identifying the organization’s critical enterprise risks for purposes of prioritizing the board’s risk oversight focus and the executive team’s risk agenda?
  • Are the board and executive team satisfied with the reporting they receive periodically regarding each of the critical enterprise risks?
  • Is the reporting to the board and executive team sufficiently focused on what is being done to manage risk and establish accountability for results (e.g., does the reporting process involve much more than a risk-listing exercise)?

[1] See our latest survey at www.protiviti.com/toprisks.


Tags: Board Risk Oversight, Risk Assessment

Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.
