Effective risk assessment is fundamental to the management and oversight of risk. While the risk assessment process must be tailored to the individual needs of each organization, the hallmark of a successful risk assessment is one that helps directors and executive management identify emerging risks and face the future confidently. Rather than shuffle “known knowns” around on a risk map, a risk assessment should help decision makers understand what they don’t know.
To that end, 10 practices are summarized below that will help management and directors maximize the value derived from the risk assessment process.
1. Involve the appropriate people. Surveys we have conducted over the years indicate, without exception, that viewpoints and perspectives about risk often differ across a broad range of senior executives, operating units, and functional leaders. Therefore, it is important to involve appropriate stakeholders across the C-suite and vertically into the organization in the risk assessment process to ensure relevant points of view are heard.
2. Reduce the danger of groupthink. The risk assessment process should encourage an open, positive dialogue among key executives and stakeholders for identifying and evaluating opportunities and risks. As a safeguard against executives forming opinions or reaching conclusions without robust debate or considering dissenting views, management should ensure that all perspectives are heard from the right sources and considered in the process. Accordingly, anything an executive truly fears should be out in the open and any concerns about opportunities missed should be aired. The board should set the tone for this kind of open process.
3. Focus comprehensively on the distinctive dimensions of strategic risk. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), there are three dimensions to strategic risk: the implications from the strategy; the possibility of strategy not aligning with an organization’s mission, vision and core values; and the risks to executing the strategy. All three dimensions need to be addressed if the company expects to avoid unintended consequences that could lead to lost opportunities or an unacceptable loss of enterprise value.
4. Understand the assumptions underlying the strategy. Boards and executives that are navigating the risk assessment process should consider how the organization’s strategy and risk appetite work in tandem, and how it will drive behavior across the organization in setting objectives, allocating resources, and making key decisions. Are risks evaluated in the context of their impact on the organization’s strategy and operations? Is adequate consideration given to macroeconomic issues? Is there a business intelligence process for monitoring the environment to ensure that critical assumptions remain valid? Is the board informed when assumptions are no longer valid? Are strategic assumptions stress-tested?
5. Consider the impact of disruptive change. The rapid pace of change in the global business environment is risky for entities of all types. Change alters risk profiles. The unique aspect of disruptive change is that it represents a choice: On which side of the change curve does an organization want to be? With the speed of change and constant advances in technology, rapid and innovative responses to new market opportunities and emerging risks can be a major source of competitive advantage. Conversely, failure to remain abreast or ahead of the change curve can place an organization in a position of becoming captive to events rather than charting its own course. The risk assessment process must be dynamic enough to account for significant change.
6. Consider appropriate criteria to assess “high impact, low likelihood” risks. When considering extreme risk scenarios, the operative question is: How resilient is our organization in the event one or more of these scenarios occurs? Velocity of the impact as the scenario evolves, persistence of the impact over time, and the entity’s response readiness are useful risk criteria to consider when answering this question.
7. Understand the sources of risk. One of the most difficult tasks in risk management is translating a risk assessment into actionable steps in the business plan. Risk owners often don’t know what to do to address significant risks based on risk assessments displayed on the traditional two-dimensional graph. Accordingly, it may make sense to source the root causes of the most significant risks to better understand them and design more effective risk responses. Therefore, the process should be designed to identify patterns that connect potential interrelated risk events—risks that are not necessarily mutually exclusive.
8. Inform the board of the results in a timely manner. Directors should agree with management’s determination of the organization’s significant risks and incorporate those risks into the board’s risk oversight process. In addition, significant risk issues warranting combined attention by executive management and the board should be escalated to directors’ attention in a timely manner. A process for identifying emerging risks should be in place to supplement the ongoing risk assessment process.
9. Integrate risk considerations into decision-making. As important as the risk assessment process is, it may be just as important to consider the impact of major decisions on the organization’s risk profile. If risk is understood to be the distribution of possible outcomes over a given time horizon due to changes in key underlying variables, it should be noted that major decisions either create new or different outcomes, some of which may be unintended, or alter previously considered outcomes. Significant decisions, therefore, should involve the board’s understanding of the organization’s appetite for risk and consider how those decisions impact the entity’s risk profile.
10. Never end with just a list. Following completion of a formal or informal risk assessment, management should designate the appropriate risk owners for newly identified risks so that appropriate responses and accountability structures can be designed for their execution. “Enterprise list management” is aimless, loses its novelty over time, and can lead to trouble if risks are identified and nothing is done to address them.
An effective risk assessment process lays the foundation for executives and directors to navigate a changing business environment with confidence. The above practices can assist organizations in defining their most important risks and enable the board to ensure that its risk oversight is appropriately focused.
A few weeks into the Trump presidency, it is tempting to obsess about the political rhetoric and soundbites coming out of Washington, DC. While the first month of this new administration is certainly unprecedented in style, method, and message, the real cumulative impact on business remains unclear.
The combination of the chaotic start, the many political appointee vacancies across key departments and agencies, conflicting policy views between a Republican White House and Republican-controlled Congress on key issues, and ongoing investigations makes it challenging for businesses to respond and separate signal from noise.
Nevertheless, a recent pulse survey conducted by the National Association of Corporate Directors (NACD) offers some early insight into how companies and their boards are starting to navigate this new political environment.
1. A small majority of respondents (51%) is positive or very positive about the possible impact of the new administration on the growth prospects for their companies in the next 2 years. Almost 29 percent of respondents rated the possible “Trump effect” on business as either negative or very negative.
The differences in outlook are likely influenced by the relative dependence of individual companies on the benefits of international trade, the expected industry benefits of deregulation and infrastructure spending, and perceptions about the impact of a changing US leadership role in the global economy and security architecture.
2. Corporate tax reform, deregulation, and trade protectionism are the most highly ranked “policy” topics that respondents plan to discuss at their next board meeting. That’s not surprising since the (gradual) effect of policy changes in these three areas can significantly alter cost and revenue projections for business. The big question for many boards and executive teams will be whether the potential
fallout from trade protectionism (actions by the United States and possible retaliation by its trading partners) would offset any gains from a reduced tax and regulatory burden.
Trump’s unorthodox approach of injecting himself in the daily business of individual companies and their decisions seems to concern fewer respondents. Only 13 percent plan to discuss reputational exposure and management at their next board meeting.
3. Fifty-one percent of companies are now reassessing core assumptions about the impact of new and proposed policies on their strategic growth plans, which is an important exercise when so many key variables are moving or likely to move in the near future (for example, corporate tax rates, inflation, value of the dollar, interest rates, and import/export barriers).
Also, in response to the speed and ferocity with which consumers in this very polarized environment now react to corporate actions, many business leaders are beginning to proactively communicate the authenticity of their brand and their company’s contributions to society. More than 44 percent of respondents report that their companies are now reaffirming their core values and commitments to key stakeholder groups.
4. Only 25 percent of respondents decided to introduce scenario planning exercises to adapt to changes in the operating environment. Of that group, 85 percent are considering discontinuous scenarios based on major swings in key economic indicators, while 76 percent are scenario planning different outcomes from the planned overhaul of the US corporate tax system. Other macro-issues, for which boards will use scenario-planning in the coming months, include the possible repeal of the Affordable Care Act, the commercial fallout of trade protectionism, and the impact of significant geopolitical crises.
If used effectively, these scenario exercises can help open the minds of decision-makers—corporate directors included—to different signals, and prepare for surprises that directly affect the business strategy. Leading companies actively monitor for such signposts that would trigger course corrections in their strategic pathway.
To help corporate directors sense and respond to changes in this operating environment, NACD continuously assesses and interprets the impact of emerging issues. Every week we post our most recent analyses in our Emerging Issues Resource Center. Stories are accessible to all members.
Overseeing risk is no small task for boards as a company’s footprint is no longer confined to local or even national boundaries. The globalization of business—spurred in large part by the Internet—has simultaneously expanded business opportunities while also introducing new worlds of risk that an organization must contend with.
The National Association of Corporate Directors (NACD) invited Joan Meyer, a partner at Baker McKenzie LLP, and SecureWorks Chief Threat Intelligence Officer Barry Hensley to offer their insights on these issues as part of a larger panel discussion at the Leading Minds of Governance–Southwest event.
Highlights from their conversation with NACD Directorship Publisher Christopher Y. Clark follow.
What is your outlook on the complexities of being an international company?
Joan Meyer: It’s becoming extremely complex because there is increasing enforcement from other jurisdictions. Five or six years ago, the U.S. was the predominant regulator and multinationals only had to deal with certain European countries in addition to the United States. Now, we are seeing emerging markets that are getting extremely aggressive. They are also putting in more restrictive laws and data privacy rules about the transfer of data. It’s a real conundrum for companies because they not only have to comply with U.S. law but the more robust law of various regimes, which create conflicts. Some of that risk may be theoretical because certain jurisdictions have not begun enforcing these laws —but it’s out there.
If you are disclosing information to a U.S. enforcement authority but you can’t get information out of a foreign jurisdiction, a U.S. regulator might not care— they just want the information. In this situation, not only is executive management caught in a bind, but the board will be asked: “What do we do?”
The U.S. Department of Justice is also pursuing individual prosecutions of mid-level managers and the C-suite, and there is increasing pressure on companies dealing with U.S. authorities to get cooperation credit by identifying individuals who are culpable for the misconduct. And it’s not only in the U.S. where that’s happening. Because the government wants real-time cooperation in pursuing individuals, it’s frustrating for companies because they are being pushed to provide investigatory conclusions to the government which they may not have completed. On a global basis—whether it’s Saudi Arabia, China, Russia, or Brazil—individuals are being actively pursued. The problem is compounded if they are expatriates who are working in these foreign countries for a limited period of time, don’t understand the culture, and are suddenly being subjected to detention or prosecution. This puts managers working outside countries with an established legal system at real risk because they may be pursued by authorities simply for a perceived failure to exercise their supervisory responsibilities in the right way.
What questions should a board chair ask the chief information security officer [CISO]?
Barry Hensley: First: What are our top five risks? Only by thinking like the enemy can the CISO begin to itemize and categorize the company’s security risks. Consider the following ways you may be attractive to cyber threats: your brand and how you’re perceived on the world stage; your digital capital, such as intellectual property, electronic currency, and personal data and how it’s secured; and your internet-exposed vulnerabilities.
Second: Does our security program have the visibility to detect an advanced adversary whose work eludes security controls? The threat does not remain static nor does the network. While some tactics and tradecraft are well known, the adversary is innovating, always seeking opportunities to bypass traditional protections. For example, while implementing multi-factor authentication is important, bad actors are finding ways to impersonate users and hijack credentials. Does your risk assessment learn from the headlines and adapt? It’s important to keep risk assessments current and update your mitigation strategies and budgets against these threats.
Third: Does your staff collectively understand the term “breach” and the conditions that trigger a formal response? Are you prepared with a meaningful, rehearsed, cross-disciplinary crisis response plan? While no company wants to dwell on the potential for serious incidents and breaches, preparation is still essential. This requires a real understanding of what constitutes an addressable incident, what triggers it, the steps that must occur to resolve the incident, and the people involved. Key tenets should be established, such as: knowing who’s in charge, how the board contacts the key players, and what the measurable actions we take to address the incident are.
Fourth: Is security training tailored to ensure appropriate audiences are aware of threat actors and their tactics? Different segments of the workforce present different risks, and the CISO must make sure each segment is aware of the tactics being used to exploit all avenues of compromise. Boards need to ask: Do employees understand how phishing works? Do administrators know the value of frequently changed passwords and vulnerability scans? Do web designers understand the importance of secure coding practices? Do executives and financial managers recognize that they are extremely lucrative targets for social engineering? And remember: there is no such thing as one-size-fits-all security training.
Want more? A panel of Fortune 500 company directors and subject matter experts will offer their insights on issues ranging from cyber resilience to the latest regulatory trends at Leading Minds of Governance–Southeast. Join us on March 16 in New Orleans, LA. Space is limited—register today.
Click here to read addition coverage of the Leading Minds of Governance–Southwest event with highlights from a discussion on the board’s role in overseeing talent and tone.