Recommendation #1: Determine Board Risk Oversight Responsibility
Ultimately, it’s management who is responsible for risk management, and the board is responsible for overseeing management’s process of identifying, monitoring and mitigating risks. If there is no established risk management framework, the board should charge management with developing a framework that includes the board’s oversight duties. Boards can break down their responsibilities by assigning directors with experience or knowledge in a particular area to oversee a specific risk management process. For instance, the Public Policy Committee of ConocoPhillips is responsible for overseeing risks related to health, safety and environmental issues. However, these committees are still responsible for seeing the big picture and should come together on a periodic basis to discuss the risks they are overseeing as well as the risks the company is facing as a whole.
The thought paper offers recommendations for boards to develop and define their oversight responsibilities. Boards should work with management to assign risk oversight responsibilities to individual committees, have those committees collaborate on risk-related developments, and have management brief the entire board on the strategic risks facing the company.
Recommendation #2: Enhance Risk Intelligence
Risk intelligence is how the company, at all levels, perceives risk management and conducts itself with regard to risk. The board should promote risk transparency at all levels of the organization so that day-to-day decision-makers are aware of the strategic goals and how their decisions could affect those goals. Management should communicate and model a risk-intelligent culture for all employees to follow. To do this, management should:
- Clearly communicate responsibilities and hold responsible parties accountable
- Develop a process for lower-level employees to communicate emerging risks
- Encourage employees to challenge new initiatives that could negatively impact the greater company
To promote an effective risk culture, boards can set a tone that allows employees to voice their concerns without fear of losing their jobs. They can also help develop a process for measuring risk intelligence that management continually monitors, and they should support management with resources, training and data from across the company.
Recommendation #3: Determine Risk Appetite
Risk appetite is the amount of risk a company is willing to take. It can be defined in quantitative or qualitative terms. Management should develop the risk appetite for the organization, and the board should understand management’s assumptions and approve or disapprove the company’s overall level of risk appetite. Once an appetite has been defined, the board should help management monitor emerging risks and opportunities and evaluate whether the risk appetite should be changed. The board should also review management’s previous decisions to see whether the risk appetite was bypassed. And finally, the board should align management’s incentives with the company’s risk appetite. This will prevent management from taking on too much risk.
Recommendation #4: Align Risk Management With Strategy
The board is also responsible for helping management develop a strategy that is aligned with the company’s mission. When the company is developing its strategy, the board should at the same time discuss the risks to the strategy and the risks of the strategy. This will help the entity identify risks that could ultimately disrupt its ability to compete. To do this, the board should challenge management on its assumptions by asking the right questions, establishing an open dialogue, and identifying alternatives.
The board should consider whether to provide “active oversight” in these strategic settings. That may include verifying that management has established key risk indicators and a process for monitoring these indicators, scanning the horizon for emerging risks, and fostering flexibility at the management level to avoid risks or seize opportunities.
Recommendation #5: Evaluate Risk Governance “Maturity”
One common measurement boards use to evaluate risk maturity is the amount of experience the company has with risk management. Boards should dive deeper than this and consider more criteria, such as:
- How often does management communicate to the board concerning risk management?
- Are specific risks assigned to board committees and processes?
- Which committee is responsible for which risks?
- During strategic planning, are risks identified and analyzed, are assumptions challenged, and are alternative options evaluated during scenario planning? Is scenario planning performed at all?
- How does management monitor key risk indicators, and is there agreement on when action should be taken?
Depending on the level of risk governance sophistication the entity needs to effectively manage its portfolio of risks, the entity’s maturity may fall into any one of the five phases of risk intelligence:
- Initial: ad hoc risk management, based on individual actions.
- Fragmented: risks are managed in isolated departments and are rarely aligned with strategy.
- Top-down: enterprise-wide risk assessments and a dedicated team to manage risks.
- Integrated: risk appetite defined, key indicators monitored, escalation procedures communicated.
- Risk Intelligent: risk dialogue is part of strategy development, performance measures and incentives are linked to risk, risk scenarios are evaluated, and early-warning risk indicators are used.
Recommendation #6: Communicate Risk Process and Issues to Stakeholders
The SEC now requires public companies to disclose how the board oversees risk and how it works with management to address risks to the company. These rules were established to provide greater transparency to investors and stakeholders. However, the thought paper states that meeting this minimum requirement is not enough to make stakeholders comfortable with the company’s risk management process. By explaining the company’s risk management process and oversight clearly to stakeholders, companies attract more long-term investors. Over the past three years, Deloitte has seen an increase in the quality of risk disclosures. Companies can improve their risk disclosures by explaining the processes in plain English, providing insight into the board’s oversight role, and ensuring risk disclosures are accurate, relevant and specific.
Enterprise risk management (ERM) has emerged as a best practice in gaining an overview of strategic, financial and operational threats, and in determining how to mitigate and manage those risks.
A comprehensive approach to risk management is important because it helps management comprehend the true potential of threats and allows organizations to address the cumulative nature of risk.
The following steps can help your company achieve the ERM objective.
- Just Do It!
The process of creating an ERM program is valuable, revealing much about your organization and the interrelatedness of elements within it. Document your efforts in your board minutes and share them with any auditors. You will generally find those parties willing to provide constructive feedback because they have a vested interest in the success of your efforts.
- Get a Champion
Your board of directors is accountable to shareholders and the SEC (if your company is public)—and possibly to other entities by industry—for the adequacy of risk management procedures, controls and ultimately for the competence of management. A logical champion of your ERM efforts is the chairperson of your board audit or ERM committee, followed by the chair of the board and other board members. If these individuals understand that an ERM program can help them discharge their duties and protect them from personal financial risk, you will likely see top-level buy-in and a trickle-down effect through senior management.
- Merge the Silos
If existing risk committees and sub-committees are functioning as intended and get consistently high marks from outside auditors, it’s unlikely that fundamental changes are needed. Yet it is important they understand where they fit in the bigger picture. A board-level champion can help provide this perspective, and reinforce the role of the ERM committee in setting the organization-wide level of acceptable risk.
- Weight the Risks
Certain areas of risk have the potential to seriously harm your organization. Others, however, are less critical. When your management team assembles an ERM framework, create a logical mechanism for assigning relative weights to each area of risk, and to selected components within those areas.
- Create a Dashboard
A dashboard containing a high-level summary of major risk elements supported by “drill-down” detail enables board members and senior managers to connect all the pieces of the risk management puzzle. A dashboard need not be complex. Some managers use Microsoft Excel to create multi-layered risk workbooks, which summarize details provided by the risk sub-committees into a single page of high-level information.
- Understand Risk and Reward
Some risks are worth taking, because the reward is greater than the likelihood and consequences of failure. In other cases the reward does not outweigh the potential consequences. Then there are risks not worth considering at all: when the risk is a “bet-the-farm” proposition, or is illegal or immoral. Each risk committee and sub-committee should understand the risk-versus-reward proposition.
- Set Limits
One important function of the board ERM committee is to work with management to establish limits to risk taking. Management should make recommendations to the board, supported by reasonable data and arguments, which establish the boundaries of the organization’s risk appetite. Management’s role is to advise and inform, with the ultimate decision resting with the board.
- Understand the Cumulative Nature of Risk
An organization that could sustain itself through one or two major weaknesses, or several minor ones, will succumb under too many. For this reason, the board ERM committee should set limits both for individual risks and for risk in aggregate.
- Make It Easy
In the areas of setting limits and risk weighting, management should make it as easy as possible for board members to comprehend and participate in the process. Distill complex regulations, and use accepted business terminology. Implementing an ERM framework should be spread over several months, if possible. Give the board ERM committee two or three recommendations per month, in advance, so they can be reviewed, summarized, presented and adopted at the regular monthly meeting.
- Refine, Refine, Refine
New risks emerge every day, and your process must be flexible enough to identify, quantify and incorporate them. The chief risk officer and other senior managers should devote time to researching emerging risks, imagining worst-case scenarios and creating stress tests to understand the implications of critical failures.
A Top-To-Bottom Effort
It is possible for ERM practices to become part of your organizational culture. Global awareness of the process and a rank-and-file understanding of the board’s focus on effective risk management are critical to obtaining the buy-in of the entire organization. After all, risk management is everybody’s job—today more than ever.