The central purpose of a common risk language is to assist management with evaluating the completeness of its efforts to identify events and scenarios that merit consideration in a risk assessment. Either management begins a risk assessment with (a) a blank sheet of paper with all of the start-up that choice entails, or (b) a common language that enables busy people with diverse backgrounds and experience to communicate more effectively with each other and identify relevant issues more quickly.
In a Corporate Compliance Insights column earlier this year, we provided a suggested language for executive management and directors to use in the Boardroom to focus the board risk oversight process. This month, we discuss the merits of a common language for use by the entire organization.
The sources of uncertainty an enterprise must understand and manage may be external or internal. Risk is about knowledge. When management lacks knowledge, there is greater uncertainty. Thus sources of uncertainty also relate to the relevance and reliability of information about the external and internal environment. These three broad groups – environment, process and information for decision making – provide the basis for an enabling framework summarizing the sources of uncertainty in a business.
- Environment risk represents the uncertainties affecting the viability of the business model. It arises when external forces can (a) disrupt or otherwise affect the entity’s performance significantly, (b) render critical assumptions underlying the organization’s strategy invalid and/or (c) drive management to revisit prior choices regarding the operating process design, customer and supplier relationships, organizational structure or financing. These external forces include the actions of competitors and regulators, shifts in markets, technological innovation, changes in industry fundamentals, the availability of capital or other factors outside the company’s direct ability to control.
- Process risk represents uncertainties affecting the execution of the business model. It arises when internal processes do not achieve the objectives they were designed to achieve in supporting the entity’s business model. For example, characteristics of poorly performing processes, or process risks, include lack of alignment with business objectives and strategies, dissatisfied customers and inefficient operations. They also include diluting (instead of creating or preserving) enterprise value and failing to protect significant financial, physical, customer, employee/supplier, knowledge and information assets from unacceptable losses, risk taking, misappropriation or misuse.
- Information for decision making risk represents the uncertainties around the relevance and reliability of the information used to manage the business. It arises when information used to support business decisions is incomplete, out of date, inaccurate, late or simply irrelevant to the decision-making process.
These three groupings of risk are interrelated. The environment risks and process risks that the enterprise faces are driven by the external and internal realities of the business. Information for decision making risk is directly affected by the effectiveness and reliability of information processing systems and informal “intelligence gathering” processes in place to capture relevant data, convert that data to information and provide that information to the appropriate managers in the form of timely written reports and oral communications.
Process risk is sometimes indistinguishable from information for decision making risk because information is needed to make informed decisions about managing a process. A steady flow of information should provide decision makers the insights they need about the external environment and the performance of the organization’s business processes so that they can manage the risks effectively.
These three groupings of risk provide a broad foundation on which more specific categories of risk can be identified and detailed. For example, process risk might include such risk sub-categories as governance risk, reputation risk (brand image erosion), operations risk, financial risk (e.g., market, credit and liquidity risks), information processing/technology risk and integrity risk (e.g., risk of fraudulent, illegal and unauthorized acts).
In addition, each of these sub-categories might include more specific risks. To illustrate, operations risk might include such specific risks as customer satisfaction, human resources, knowledge capital, product development, efficiency, scalability, cycle time, sourcing, channel effectiveness, compliance, product/service failure, environmental and health and safety, among others. Definitions might be developed to support these risk categories and sub-categories as well as specific risks.
A risk model is flexible enough to be customized to a particular industry by picking up on that sector’s nomenclature and terminology. It may also be tailored to a specific company. Once developed, the model may be used to facilitate risk assessments, strategic thinking and M&A due diligence; codify best practices and risk responses: and provide a framework for risk management presentations and even risk reporting.
Desirably, a common risk language begins at a strategic level for the enterprise as a whole and is customized to specific units, geographies and products. This “cascading” approach has the advantage of identifying risks that are common across the enterprise. For operating units with distinctive risk profiles, however, the overall risk language must be customized to address the unique risks faced by those units. The distinction is an important one. Risks common to all business units drive enterprisewide risk responses. Risks unique to individual units drive unit-specific risk responses.
In summary, a well-conceptualized risk model is a springboard to deeper discussions and understanding of risk and, for some organizations, provides an essential “building block” toward setting the foundation for enterprise risk management. It provides a screening tool and completeness check for risk assessments, as well as a “memory jogger” and “thought stimulator” for busy people engaging in divergent thinking about risk. A customized risk model merits consideration by organizations seeking to implement enterprise risk management.