“How mature is our risk management?” Chances are good that you have been asked this question at least once. At Protiviti, we hear it frequently. The common presumption is that the more mature a process, the more effective it is. But what does that really mean, and how does the concept of maturity apply to risk management?
Effective enterprise risk management (ERM) enables timely responses to the risks that matter most to an organization. An effective risk management infrastructure is constructed using the following six elements:
People and organization
Methodologies and assumptions
Systems and data
Once in place for a given risk, these six elements pave the way for advancing the maturity of risk management. The more mature an organization’s risk management, the stronger its culture will be in balancing the inevitable tension between creating enterprise value through strategy and driving performance, and protecting enterprise value through a risk appetite framework and effective risk management capabilities.
A capability maturity framework assists management in thinking more clearly about questions such as:
Do we rely on a few well-qualified individuals to manage a particular risk in an ad hoc manner, or do we have robust capabilities that we improve continuously?
How effective do we want our risk management capabilities to be as we improve our infrastructure over time for each of our priority risks?
Should we vary the rigor and robustness of our risk responses and related control activities by risk type or, alternatively, treat all risks the same in terms of applying mature risk management capabilities?
When aligning the organization’s capabilities with its desired risk responses, choices must be made. Given that every organization has a finite amount of resources, risk management capabilities must be selectively improved by considering expected costs and benefits. The goal of ERM is to identify the organization’s most significant exposures and uncertainties and focus on improving the capabilities for managing them. That’s why an emphasis on risk management infrastructure is important. Risk management processes can advance through five levels of maturity which are defined as follows:
Initial State. Risk management is fragmented and ad hoc. Individual risks are managed in silos, and the organization is often reactive to events. There is a general lack of policies and formal processes; therefore, the entity is dependent on seasoned managers acting on their own initiative to manage risk.
There is also very little accountability due to the absence of clearly designated people charged with overseeing specific risks. When personnel leave the organization, the organization has difficulty replicating what they do. While the initial state can be rationalized for insignificant risks, the lack of direction is a breeding ground for a crisis in areas requiring more rigor and discipline.
Repeatable State. Basic risk management policy structures and processes, including risk assessment, are in place to achieve stated objectives and requirements. Human resources are allocated to risk management, with responsibilities and authorities defined for specific individuals. Accountability may still be an issue at this stage because reporting is not rigorous enough to hold specific individuals accountable for results. Thus, there is still heavy reliance on people to “take care of things.” However, when someone who saddles these responsibilities leaves, the void is not as great now that “repetition” is taking place as a result of increased process discipline and established guidelines for managing risks.
Defined State. Policies and processes are further refined and documented, resulting in more uniform risk mitigation activities and risk oversight across units and functions. For example:
A risk committee structure may be in place, along with a designated executive responsible for aggregating enterprise risks and ensuring cross-unit and cross-functional coordination.
Robust controls documentation and verification mechanisms are in place to ensure policies are followed and processes are performing as intended.
Roles and responsibilities are clearly defined. Robust management reports, supported by rigorous methodologies, add more value by integrating appropriate key performance and risk indicators into decision-making processes.
Systems are more stable and scalable with improved functionality because technology lays a foundation for all of the other infrastructure elements.
There is evidence of risk-sensitive and risk-aware decision-making, as exceptions and “near misses” are reported in a timely manner, and lessons learned and control deficiencies drive improvement initiatives.
Managed State. Organizations functioning at the defined state are building the foundation for a strong risk governance culture. At the managed state, we see improved quantification, time-tested models and data analytics assisting decision makers with forecasting, scenario-planning and trend analysis to identify emerging risks and anticipate the potential for disruptive change. A formal lines-of-defense framework is implemented, risk measures are linked to performance goals, early warning systems are in place, and capital allocation techniques are effectively deployed.
At this stage, a risk appetite framework is also established and decomposed into risk limits allocated to operating units. When predefined limits are approached or exceeded, the situation is evaluated and corrective action, if needed, is taken. Objectives, targets and performance metrics are integrated into enterprise-wide systems providing dashboard reporting and drill-down capabilities. These enhanced capabilities facilitate the integration of risk management activities into strategy-setting, business planning, and performance management. They also position the organization as an early mover to recognize and act on emerging risks—as well as opportunities.
Optimizing State. Here, the organization has a commitment to continuously improve the capabilities at the managed state, keeping all elements of risk management infrastructure fully aligned as the business environment changes. Risk policies are evaluated on an enterprise-wide basis to achieve the desired risk/reward balance, as well as to understand and exploit the effects of diversification across multiple risks.
In the optimizing state, best practices are routinely identified and shared across the organization, suggesting that the journey of enhancing risk management capabilities never ends because external and internal conditions are constantly changing. Corporate improvement initiatives that are established and applied enterprise-wide are integrated with risk management.
The above criteria show how each successive stage of maturity reflects further enhancements in managing risk. The more mature a company’s capabilities, the greater its prospects for success in managing risk and the lower its potential for failure. A consistent and fact-based use of a capability maturity framework by risk owners allows for a focused understanding and articulation of the current and desired states of risk management capabilities across the organization.
To illustrate, a maturity framework works as follows:
For each risk (e.g., regulatory, health and safety, or supply chain risk), the risk owner or internal audit should evaluate the current state of the entity’s risk management capabilities. The current state generally refers to capabilities that are present and functioning, but it may take into account planned initiatives currently funded and underway to improve capabilities.
The risk owner then decides how much added capability is needed to achieve the desired state of risk response. When making this determination, be as realistic as possible. The objective is to select capabilities that provide the best fit with the core competencies that would be reasonably expected of an organization executing the enterprise’s business model.
Both management and the board should recognize that the desired state’s capability may vary by risk. For example, some operational risks, such as operating a nuclear power plant, may drive management to choose processes at the optimizing state of maturity because there is little margin for error in operation. Windstorms, flooding, and other environmental hazards may only warrant periodic analysis and procurement of insurance with little need for intricate risk reporting, in which case a response system at the repeatable state of maturity might be appropriate. For cyber risks involving “crown jewel” information assets and systems, a response matured to the managed state may be desired.
Once the gap between the current state and desired state is identified, the risk owner must then evaluate the expected costs and benefits of increasing capabilities to close the gap. The actionable steps resulting from a gap analysis become an integral part of the business plan. What constitutes “best practice” in managing a particular risk at one company may seem either insufficient or overdone in the context of managing the same risk at another company. Not only is it unnecessary to deploy the most advanced techniques for all risks, no organization has the resources—or a viable business reason—to do that. Thus, thinking in terms of capability maturity can facilitate the resource allocation process.
Questions for Boards
The following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
At what stage of maturity are our organization’s risk management capabilities, both for the enterprise as a whole and for each of our most critical risks?
Do our organization’s risk responses to address individual risks reflect a careful assessment of the appropriate capabilities needed to reduce risk to an acceptable level?
If our risk management capabilities require improvement, do we have a plan to take them to the next level of maturity?
Are we over-reliant on our people to manage some of our critical risks and, therefore, exposed in the event of an unexpected departure or termination?
Jim DeLoach is a managing director with Protiviti, a global consulting firm.
While the Internet initially was a communication tool between the U.S. Department of Defense and multiple academic organizations, it has become the backbone of a global economy and government operations, the Hon. Tom Ridge told a rapt audience of more than 200 directors at the NACD Strategy & Risk Forum in San Diego. The first secretary of the U.S. Department of Homeland Security, Ridge currently serves as president and CEO of the strategic consulting firm Ridge Global and is a director for the Hershey Co. Ridge delivered the opening keynote to directors convened for the two-day forum co-hosted by the National Association of Corporate Directors (NACD) and its sponsors.
“We’ve come a long way from a simple communication tool,” Ridge said. “What’s really remarkable is the tool is designed to be an open platform.… It wasn’t designed to be secure. It wasn’t designed to be global. The ubiquity of the Internet is its strength, and the ubiquity of the Internet is its weakness. For every promise of connectivity, there’s a potential vulnerability.”
A report released last year by McKinsey & Co. and the World Economic Forum found that more than half of all respondents surveyed—and 70 percent of executives from financial institutions—view cybersecurity as a strategic risk to their companies. The report was based on interviews with more than 200 chief information officers, chief information security officers, law enforcement officials, and other practitioners in the United States and around the world.
“In this world, you’ve got to manage the risk before it manages you,” Ridge advised the audience.
Support for the forum was provided by BDO USA, the Center for Audit Quality, Dechert, Dentons, Diligent, Heidrick & Struggles, KPMG’s Audit Committee Institute, Latham & Watkins, Pearl Meyer & Partners, Rapid7, and Vinson & Elkins.
The Chattering Class
Risks to reputation are nuanced and numerous. Jonathan Blum, senior vice president and chief public affairs and global nutrition officer for Yum! Brands Inc., which operates 41,000 KFC, Pizza Hut, and Taco Bell restaurants worldwide, has seen firsthand the damage that can be done to a company’s reputation. He recounted an incident that hit the brand’s reputation and bottom line, and ultimately spurred substantial changes in the company’s supply chain.
In December 2012, a state-owned television network in China reported that some local poultry suppliers were putting unlawful amounts of antibiotics in chicken. One of the many suppliers investigated happened to be one of KFC’s suppliers, albeit one of the restaurant chain’s smallest. “But, because we’re the largest brand in China, not just the largest restaurant, we obviously bore the brunt of the publicity,” Blum said.
The most damaging aspect of the negative attention, according to Blum, was not the investigative report that aired on television, but rather the chatter on social media in the wake of the report. The fallout was a tarnished reputation, a sharp downturn in sales, and some decisive action.
“Consumer trust plummeted. Belief in our brand plummeted. Our sales plummeted. We saw a huge drop in our stock,” Blum said. “Now, this was at the end of 2012, so the impact on our financial results that year was negligible. Up until 2013, we had had a 10-year run of at least 10 percent [earnings per share] growth year over year, which is pretty unusual. In 2013, given the ditch we were in in China, our earnings per share dropped 9 percent. We lost $270 million in profit as a result of this incident, and it took about a year to rebound.” In the aftermath of the negative publicity, Yum! Brands learned that its stakeholders wanted answers to three questions:
What was being done about it?
How would the company prevent it from happening again?
Yum! Brands apologized to the public, fired about 1,000 small poultry suppliers, and worked with the Chinese government to upgrade the quality of the poultry supply.
“Over time, that rebuilt consumer trust,” Blum said.
The company also took a significant step toward managing its reputation on social media. “As a result of this incident, around the globe, 24/7, we monitor what consumers are saying about us and we immediately respond,” Blum said.
The Metropolitan Corporate Counsel recently interviewed NACD President Peter R. Gleason on how boards are recalibrating their approach to risk oversight and strategy development. The original interview can be found here.
MCC: Risk oversight is a key responsibility for corporate boards. What are the major areas of risk?
Gleason: It’s interesting. When you think about it, everything falls into the risk category. Where we used to have discussions around financial reporting or compensation, the conversation has evolved to financial reporting risk or compensation risk (or the risks in these areas). And traditional categories are still on the agenda, such as competitive, economic and reputational risk.
We see geopolitical risk, which is closely linked to cyber risk, at the forefront. Take, for instance, the falling price of oil, which benefits U.S. consumers but has complex global implications for companies or countries that are suppliers of oil. How do falling prices affect the countries’ economies? How does it affect the companies’ financial situations relative to competitors or their geographic environment?
MCC: Given this complexity, how does the board identify and prioritize the potential risks facing a company?
Gleason: While the board will use a variety of approaches to identify risk, these all rely on board engagement with the management team around strategy. Last October, NACD released a Blue Ribbon Commission report on strategy development that discussed how board members have to move away from the traditional review-and-approve approach to management’s strategy and, instead, engage in earlier-stage dialogue about the various options management is considering during the process.
For example, traditionally, the management team may discuss three or four options and then choose “strategy A” for presentation to the board. As part of this deeper engagement, directors should ask “but what other strategies were on the table? Why did they choose A over B? What were the assumptions underlying that strategy that we should discuss as a board?”
This level of dialogue allows boards to identify risks to the business and to the execution of a particular strategy. The engaged dialogue within the process helps identify risks within the strategy itself, within the industry, and then within the economic purview of the company as it relates to the global economy. With this level of knowledge, directors can quickly change course, as needed, if the company’s strategy is later disrupted by a previously unidentified risk or by a geopolitical event.
MCC: These are dynamic issues. What is the right approach to this world of emerging or unidentified risks?
Gleason: This topic is under constant discussion in our Advisory Councils: how do we know what we don’t know? Or as our CEO Ken Daly phrases it, “how do we make the completely unknown merely uncertain?” There is no way of knowing; by definition you can’t predict the proverbial black swan. There is, however, the idea of gathering different perspectives and more information, engaging in more dialogue, and establishing ongoing discussion with management that helps identify issues, or even realms of issues, that are not yet on the radar screen.
This idea of “constructive dialogue” is tied directly into the Blue Ribbon Commission’s focus on continuously reviewing and testing the assumptions that underlie management’s strategic plan. For example, in the context of geopolitical events, let’s say, as a company, that we get all of our “chemical AAB” from a country in Eastern Europe, but that chemical is no longer available because of terrorism activity. Where can we get the chemical now, and how does that change affect our supply chain, costs and pricing?
While this individual situation may seem minimal in the big scheme of the company’s strategy, those discussions are essential because they identify risks that the company may face more broadly.
Frankly, board engagement provides focus. Take the financial crisis, as another example, which arose from strategies that created incentives in the mortgage industry to drive volume, but not necessarily quality. This generated huge portfolios of poor-quality loans and major economic disruption. In hindsight, better oversight was needed to ask, fundamentally, about the risk within this strategy, and to identify and discuss the possible consequences before adopting it.
MCC: Which groups within the board should be responsible for risk oversight?
Gleason: The board’s job is to oversee the enterprise risk management process, to make sure measures are in place to identify risks, to get the right reporting, to bring insight from the directors’ own experiences, and to participate in dialogue with management about strategies to address the issues.
In terms of who should have the primary responsibility, we look at risk oversight as a full-board function. Risk is too big for any one committee. Traditionally it has been the purview of the audit committee; however, adding oversight for the entire organization’s risk profile would overwhelm the committee’s already heavy agenda. Although we still see a number of companies placing risk oversight squarely on the audit committee, interestingly enough, NACD’s annual public company governance survey reflects that a significant portion of respondents from those companies believe that risk oversight really ought to be a full-board activity.
There has been a trend in recent years of establishing mandated risk committees – for example on the boards of financial institutions – and we may see similar changes in other industries going forward. At NACD, we don’t necessarily see a risk committee as the panacea. The bigger question is how does it execute? Every board takes a different approach to identifying and overseeing risk, and that’s okay because boards have to adapt their structure, style and processes to the company.
MCC: Expand a bit on how boards work effectively with the executive team to ensure that directors are asking the right questions and management is providing the right information.
Gleason: A prevalent challenge for every board is asymmetric information risk. This risk is inherent in directorship, given that management will – and should – have vastly more knowledge about the company’s business than the board ever will. A balancing act exists in that management needs to provide the board with the right information – not all the information – to enable a productive discussion of risk. Further, today’s directors own at least one device that provides access to any and all information about the company. So the question becomes, to what extent should board members rely, so to speak, on their own detective work to get information beyond what management reports? That balance is so critical because, in turn, directors can overwhelm management with one-off requests for information.
In sum, boards have to ask constructive questions about whether they are getting the relevant information, such as outside opinions from financial experts or reports from whistleblower hotlines, so they can make decisions about the company’s ongoing performance and sustainability.
MCC: Do outside perspectives vary as to assigning accountability for effective risk management? NACD’s Advisory Council on Risk Oversight has noted that “the general pattern is that investors are more tuned in, while regulators will blame the board.”
Gleason: Right now, we are looking at how shareholders themselves can present a risk to the organization. Look at what’s happening at DuPont with Trian Partners. Here’s a company that has outperformed the market and its peers for the last five years but is still facing an activist investor. Companies are wondering which of them will be the next to face challenges to management or board structures and corporate strategies; the number of activist engagements has doubled in the last couple of years, and the funding behind new activist initiatives is growing.
I think companies are facing unparalleled levels of pressure not only from investors but also from regulators. Large shareholders generally understand what boards face, but they have a responsibility to deliver a return on their portfolios. The regulators are proving to be a wildcard, of sorts. With the unfolding of Dodd-Frank they are putting pressure on boards to perform at a certain level in response to situations.
MCC: What is the general counsel’s role in optimizing the interaction between board and management?
Gleason: The GC or the corporate secretary is the gatekeeper, with information generally flowing through them from the management team to the board. Their job is to see that specific information is produced at the appropriate time and as aligned with the agendas of the standing committees. GCs and their teams also keep the board apprised of the company’s legal risks. So the legal team is in the middle of the dialogue between directors and shareholders, especially for large public corporations. For instance, in response to activist issues, GCs will play a central role in assessing the risks and addressing the legal requirements related to the production of disclosure documents.
MCC: Tell us about NACD’s Advisory Councils more generally. On what issues do they focus, and who participates?
Gleason: Our Advisory Councils are made up of committee chairs on Fortune 500 boards, as well as regulators and shareholders, and they all engage in a multi-stakeholder dialogue. We originally created three councils for the key committees – audit, compensation and nominating/governance – and then we added a fourth on risk. This Advisory Council on Risk Oversight is a bit of a hybrid because not many companies have a standing risk committee.
At council meetings, we invite speakers to talk about issues that the council has identified as top-of-mind priorities. We bring in large institutional shareholders like Vanguard and T. Rowe Price as well as regulators like the Financial Accounting Standards Board (FASB) or the SEC. Representatives from Institutional Shareholder Services (ISS) have joined us to talk about their perspective. So the councils are designed to get different perspectives around issues and, as you mentioned earlier, start to identify the unknown issues.
All of our councils function on a similar basis, and we keep it fresh, relevant and topical. For example, council meetings aren’t always standard roundtable discussions. Recently, the Advisory Council on Risk Oversight staged a mock cyber crisis in which everyone had an assigned role to play, including the role of the CFO, the GC, the risk committee and the advisory council itself. The idea was to play out the scene, identify the issues and decide how to approach the crisis. Interestingly, during this scenario disclosures became a primary concern. In a cyber breach, while you know you have regulators to satisfy, law enforcement may be telling you to wait, essentially to allow them time to catch the perpetrator in the act. So the question debated in the meeting was: what do you do when the SEC says you need to disclose to your investors right now, but the FBI is saying you can’t?
MCC: And of course this is all done for the benefit of NACD’s members.
Gleason: Yes it is. At Advisory Council meetings, it is NACD’s job to capture and distribute the key discussion points so our members can learn from them. Our membership ranges by ownership structure – from public and private, to nonprofits – and by size, from the smallest to the biggest global players. They all appreciate our ability to convene different perspectives around critical issues, facilitate group discussion and then deliver insights in exceptional reporting and educational programs.
The largest companies out there are participating in our Advisory Councils and education programs, and our in-boardroom programs also help us surface the important issues. We have peer exchanges on a regular basis where we put a topic on a table, let a group of seven to ten directors discuss it and then report out.
That is a goal of NACD’s 2020 initiative, now in its third year, which ties together the key components of effective board leadership with emerging risk oversight in programs we offer nationwide. Through this initiative, directors can learn about how various boards have approached disruptive forces and then look forward to how boards will operate in 2020. Our goal is to keep the directors informed and help them do their jobs better.
It is important to remember that all boards are struggling with risk to some degree, and managing it is a balancing act. One commissioner from our Blue Ribbon Commission on Risk Governance said it well: “A car in neutral goes nowhere.” If you’re not driving the business, you’re not going to face any risks, and you’re not going to enjoy any rewards.