With the onset of a terribly disruptive pandemic and risks related to ESG matters taking center stage, the pace of change has quickened and the stakes for making correct strategic choices have increased. Protiviti’s Jim DeLoach poses an important question: Are our risk management and risk oversight processes still fit for purpose?
Two years ago, a joint report[1] shared recent survey findings from both the National Association of Corporate Directors and Protiviti about the shifting risk landscape, highlighting five risk areas that demand increased focus: innovation and technology disruptions, growing cyber threats, competition for talent, evolving economic conditions and political and regulatory changes. The report asserted that enterprise risk management (ERM) approaches used by many companies may no longer be sufficient to address these risks.
Fast-forward to today, and these same issues remain relevant, but they’re also being manifested in entirely unexpected ways. In fact, those companies that are devoting more attention to digital transformation, cultivating an innovative culture, gaining and sustaining the trust of their employees and customers, strengthening cybersecurity and privacy and preserving their financial health have been more likely to navigate the dangerous seas of 2020, a year no one will remember fondly.
Make no mistake: CEOs are operating under extreme stress in a profoundly strenuous climate that has disrupted supply chains and created unprecedented new workforce environments, concerns and anxiety. The pandemic and the ensuing economic distress it has wrought have invalidated for many industries the ability to use historical information and trends as a basis for supporting judgments and forecasts. It has forced innovations that must be implemented in a fraction of the time it took prior to the pandemic’s onset. Simply stated, it has created a dynamic in which everyone must be comfortable being uncomfortable, meaning all functions – including risk management – must elevate their game.
While the joint report outlined a roadmap for boards to consider in strengthening their risk oversight in today’s complex and unpredictable marketplace, that roadmap is applicable to management teams as well. Below, we cover the four points defining that roadmap; they apply today as much as they did two years ago. We have updated them to include references to management teams.
1. Revisit the Risk Governance Model, Director Skill Sets and Management Team Composition
Depending on the nature of the enterprise’s risks and the extent of expected change in its risk profile, the board and management team should assess whether they have access to the requisite expertise and experience – on the board and executive team or through external advisers – necessary for success. The board should rethink how it organizes itself for risk oversight, including the delineation of responsibilities among the various committees and at the full board. The CEO needs to ensure that the executive team and management ranks are peopled with talent that brings diverse perspectives, is customer-centric, acknowledges market realities, thinks strategically and out-of-the-box, is effective in earning trust and can lead and inspire in times of uncertainty.
For example, with digital disruption affecting many businesses, do senior executives and directors have sufficient understanding of digital business models, digital ecosystems and the potential for hyperscaling digital platforms that facilitate rapid growth to reinvent the company’s business model?
2. Focus on Behavior: Make Culture an Enterprise Asset as Well as an Oversight Priority
Culture is almost always the source of reputation and financial performance outcomes, as it is a potent source of strength or weakness for an organization. A strong culture is a critical asset for any brand, and it is just as important as effective strategy-setting and performance. Executive management should understand the culture at lower levels of the organization and whether the mood in the middle is aligned with the tone they set at the top. The board should be informed of any disconnects and the plans to create alignment.
Concerns that this topic may be “too soft” for objective assessment should not distract the focus on the real question:
Does the CEO really want to know the unvarnished truth about people’s perceptions across the entity, and is he or she prepared to act on that knowledge?
What gets measured and monitored matters. A “speak up” culture that encourages transparency and sharing of contrarian data and bad news entails convincing employees that it can be done without fear of repercussions to their careers or to their compensation. Use of confidential, anonymous surveys is a best practice. When coupled with responsive action plans to remedy identified issues in a transparent manner, candid, open, constructive interactions with and feedback from employees engender confidence and trust.
3. Focus on the Quality and Contribution of the ERM Process
Given the impact of COVID-19 on the company, the expected recovery for the industry and the nature and relative riskiness of the organization’s operations, does the risk management process:
- Focus on extreme but plausible scenarios that would test the company’s agility and resiliency to pivot its strategy?
- Delineate the critical enterprise risks from the day-to-day risks of managing the business?
- Establish accountability for results in managing key risks?
- Foster an open dialogue to identify and evaluate opportunities and risks?
- Offer actionable, reliable and timely information for decision-making?
- Help position the company as an early mover in responding to market opportunities and emerging risks?
- Require extensive manual effort to generate the reports used in executive team and board meetings?
- Deliver value for senior management and the board in informing decision-making and risk oversight?
These questions help focus leaders on the robustness and maturity of the organization’s risk management process and whether it is making a difference. Negative answers raise concerns as to what exactly the process is accomplishing in terms of running and managing the business.
4. Ensure Management Integrates Risk Considerations into Strategy, Performance and Decision-Making
The unique aspect regarding an exposure to disruptive change is that it presents a choice: On which side of the change curve do we want to be? Organizations must make a conscious decision about whether they are going to be the disrupter and try to lead as a transformer of the industry or, alternatively, whether they are going to play a waiting game, monitor the competitive landscape and react appropriately and in a timely manner as an agile follower to defend their market share.
These market realities suggest strongly that management should ground its decision-making and the board its risk oversight with a solid understanding of the enterprise’s key strategic drivers and the significant assumptions underlying the strategy.
With the steady drumbeat of change and technological advances, the ability to respond rapidly to new market opportunities and emerging risks can be a major competitive advantage. Conversely, failure to remain abreast or ahead of the change curve can place an organization in the position of becoming captive to events rather than charting its own course. Therefore, directors need to ensure that risk and risk management are not appendages to strategy-setting, performance management and decision-making.
In summary: We encourage everyone to look up the joint report,[2] as its message applies today. Boards should take a fresh look at how they are approaching risk oversight, including how the company’s ERM is informing that oversight. With risk management practices for many industries largely rooted in the prior century, the big question is this:
Are we prepared to improve our risk management and risk oversight or, alternatively, do we face the challenges of the next three to five years in the digital age with what we’ve been doing over the last 10 years?
The nature, velocity and persistence of risks have changed. Consequently, it’s time for management teams and their boards to revisit their governance model and skill sets and refresh the focus of their risk management and oversight. To that end, senior management should enhance the quality of risk management processes using new technologies. Management should also focus on better integrating risk considerations into strategy-setting and execution, performance management and decision‑making processes. Most important, closer attention must be given to sustaining a strong risk culture. The board should expect to be informed of management’s progress on these fronts.
Questions for Senior Management and Boards of Directors
Following are some suggested questions that executive management and boards of directors may consider, based on the risks inherent in the entity’s operations:
- Is our risk management and risk oversight well organized for the age of technological acceleration and supported by the diverse expertise and experience we need in order to discharge our respective responsibilities effectively?
- Are we mindful of signs of organizational resistance to change? Are we encouraging leaders throughout the organization to embrace change and lead the necessary transformations to remain competitive?
- Does the ERM process bring new value and insights to our dialogue and facilitate risk-informed decision-making? In other words, does it tell us things we don’t know on a timely basis when we need to know them?
- Are we satisfied that risk management is sufficiently integrated with strategy-setting and execution, performance management and monitoring and critical decision-making processes?
[1] Is Board Risk Oversight Addressing the Right Risks? Strategies for Addressing the New Risk Landscape, a joint report by National Association of Corporate Directors (NACD), Protiviti and NC State University’s ERM Initiative, July 9, 2018, available on NACD online to both subscribers and others at https://www.nacdonline.org/insights/publications.cfm?ItemNumber=58605.
[2] Ibid.