North Carolina State University’s Enterprise Risk Management Initiative and Protiviti have completed their latest survey of C-level executives and directors regarding the macroeconomic, strategic, and operational risks their organizations face. More than 500 board members and C-level executives participated in this year’s study. Noting some common themes, we’ve ranked the risks in order of priority on an overall basis below. Last year’s rankings are included in parentheses:
No. 1 (previously No. 1)—Regulatory changes and scrutiny may increase, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. This risk has been ranked at the top in each of the surveys we’ve conducted over the past four years, and is the top risk in many industry groups. The cost of regulation and its impact on business models remain high in many industries.
No. 2 (previously No. 2)—Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. Declining oil and gas prices, equity markets, and commodity prices, in general, have contributed to economic uncertainty. Short-termism is a concern as business investment has yet to catch up with pre-financial crisis levels. A new normal may be unfolding as businesses adapt their operations to an environment of slower organic growth.
No. 3 (previously No. 3)—The organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage its brand. This risk continues to be an issue of escalating concern. The harsh glare of the public spotlight on high-profile breaches at major retailers, global financial institutions and other organizations has led executives and directors to realize it is most likely not a matter of if a cyber risk event might occur, but when.
No. 4 (previously No. 4)—Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. As roundtables facilitated by the National Association of Corporate Directors and Protiviti in 2015 indicated, directors understand that talent strategy is inextricably tied to overall business strategy. Companies need talented people with the requisite knowledge, skills, and core values to execute challenging growth and innovation strategies.
No. 5 (previously No. 7)—Privacy, identity, and information security risks may not be addressed with sufficient resources. The technological complexities giving rise to cybersecurity threats also spawn increased privacy/identity and other information security risks. As the digital world enables individuals to connect and share information, it presents more opportunities for companies to lose sensitive customer and private information, in effect, creating a “moving target” for companies to manage.
No. 6 (previously No. 11)—Rapid speed of disruptive innovations and/or new technologies within the industry may outpace the organization’s ability to compete and/or manage the risk appropriately, without making significant changes to the business model. Innovation can be disruptive if it improves the customer experience in ways that the market does not expect, typically by lowering the price significantly, or by designing a product or service that transforms the way in which the consumer’s needs are fulfilled. Whereas disruptive innovations may have once taken a decade or more to transform an industry, the elapsed time frame is compressing significantly, leaving very little time for reaction. Sustaining a business model in the face of digitally enabled competition requires constant innovation to stay ahead of the change curve.
No. 7 (previously No. 6)—Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. Positioning the organization as agile, adaptive, and resilient in the face of change is top-of-mind for many executives and directors. It’s a smart move. Early movers that exploit market opportunities and respond to emerging risks are more likely to survive and prosper in a rapidly changing environment.
No. 8 (previously No. 17)—Anticipated volatility in global financial markets and currencies may create significant, challenging issues for an organization to address. There are many forces at work that intensify this risk, e.g., high asset prices, slowing global growth, China’s approach to foreign exchange, declining commodity prices, uncertainty associated with central bank policies, and less confidence in policymakers’ ability to respond to market issues quickly and effectively.
No. 9 (previously No. 5)—The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues. The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge effect on timely escalation of risk issues to the people who matter. This is a cultural issue requiring constant attention by management and oversight by the board.
No. 10 (previously No. 9)—Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base. Disruptive innovations and the rapid pace of change continue to drive significant changes in the marketplace. Customer preferences are subject to rapid shifts, making it difficult to retain customers in an environment of slower growth. Sustaining customer loyalty and retention is a high priority for customer-focused organizations because senior executives know that preserving customer loyalty is more cost-effective than acquiring new customers.
A board of directors may want to consider the above risks in evaluating its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If the company has not identified these issues as risks, directors should consider asking why not.
Jim DeLoach is a managing director with Protiviti, a global consulting firm.
Many companies have adopted a risk language to facilitate an ongoing dialogue regarding their risks. With respect to board risk oversight, the question arises as to whether directors should adopt their own risk language to ensure they are covering the bases and focusing the oversight process. While each board must decide for itself whether such a language is useful given the nature of the enterprise’s operations, there are several risk categories directors may want to consider.
At Protiviti, we often hear concerns from directors and executives alike about the risk oversight process being an unfocused activity. If the board is mired in the minutiae of risk management, the oversight process lacks the necessary focus to be effective. We also receive questions about how to ensure that the board’s risk oversight addresses the right issues. This question is important for several reasons:
If the board’s oversight is focused on the risks that really matter, directors are positioned to add value to senior executives.
A focused risk oversight process is one that can be aligned more effectively with the rhythm of how senior executives manage and run the business.
If the board is providing input on the right issues at the right time, it is easier to delineate between the responsibilities of the board and those of management.
How, then, is focus achieved?
The five broad risk categories recommended by NACD apply to every company, regardless of its industry, organizational strategy, and unique risks.
Governance risks. These risks are related to directors’ decisions regarding board leadership, composition and structure, director and CEO selection, and other governance matters. Periodically, boards must consider CEO selection and compensation, board leadership and composition, board structure, and other governance issues critical to the enterprise’s success. These decisions often require directors to weigh the risks and rewards associated with alternative courses of action. While boards can benchmark their processes for evaluating these issues by considering best practices employed by other boards, they often must rely on their collective knowledge and business judgment.
Critical enterprise risks. These are the top five to 10 risks that can threaten the company’s strategy, business model, or viability and should command the board’s risk oversight agenda. The criticality of these risks—such as credit risk in a financial institution or supply chain risk in a manufacturing business—requires full board engagement, as well as an ongoing process to identify and monitor such risks. While management is responsible for addressing these risks, the board should consider its own information requirements for understanding them. For example, the board might require management to report on the impact and likelihood of the risks to key strategic goals as compared to other enterprise risks, as well as the velocity and persistence of such risks. The board also might want to understand the status of risk mitigation efforts with input from the executives responsible for managing the risks.
Other examples of relevant information might include: the effects of technological obsolescence on the business model; changes in the overall assessment of risk over time; the effect of changes in the external environment on the core assumptions underlying the company’s strategy; and interrelationships with other enterprise risks.
Critical enterprise risks should be a topic on the agenda when the board provides input on the strategy-setting process. The board should be updated on these risks periodically.
Board approval risks. These risks are related to decisions the board must make with respect to important policy areas, such as major strategic initiatives, acquisitions or divestitures, major investments, and entry into new markets. Through careful consideration and timely due diligence, directors must satisfy themselves that management’s recommendations regarding strategic initiatives and other policy matters are appropriate to the enterprise before approving them. Therefore, such matters may prompt the board to ask questions about the associated risks and rewards before approving management’s recommended actions.
Business management risks. These risks are associated with normal, day-to-day business operations. Every business has myriad operational, financial, and compliance risks embedded within its day-to-day operations. Because the board simply does not have sufficient time to consider every risk individually, it should identify specific categories of business risks that pose the greatest threats and determine whether to oversee each category at the board level or delegate oversight responsibility to an appropriate committee. For example, the audit committee traditionally oversees financial reporting risks, and the finance committee might oversee risks related to strategic opportunities, mergers and acquisitions, financial exposures, and capital availability. And there are other business risks to consider, such as: operational risks associated with internal processes, information technology, intellectual property, customer service, obsolescence, manufacturing activities and the environment; financial risks, such as excessive leveraging of the balance sheet; compliance risks, such as noncompliance with a new complex law; and reputational risks, such as those that threaten the company’s brand image.
If a significant issue arises for other business risks that are not considered critical enterprise risks, they may be escalated to senior management and the board on an exception basis. In addition, the board may request periodic briefings from the primary owners of specific business risk areas.
Emerging risks. These are the external risks outside the scope of the previous four categories. While management is responsible for addressing those external environment risks outside of the scope of the risks noted above, directors need to understand them. The effects of demographic shifts, climate change, catastrophic events and new security threats are examples of emerging risks.
Disruptive change is a business reality. Adapting to disruption is a game every organization must play to survive and thrive in a rapidly changing business environment. Properly focused, the board’s risk oversight process can assist management in adapting the organization successfully to market forces—and identifying emerging risks is a key aspect of the adaptation process.
These risk categories provide a useful context for boards to ensure the risk oversight process is focused and sufficiently comprehensive. Board approval risks require directors and management to agree on the matters the board approves in advance and the timeliness of board involvement with such matters. With respect to the other three risk categories, the lion’s share of the board’s risk oversight is directed to critical enterprise risks and emerging risks.
The board should satisfy itself that the organization has effective processes in place to identify emerging risks so that the company can position itself as an early mover in terms of addressing those risks. Finally, with respect to business management risks, the board should expect escalation of significant issues on a timely basis and periodic briefings in specific areas.
Questions for Boards
Is there a process to identify the organization’s critical enterprise risks? Are these risks reported to the board or its designated committee(s) to prioritize the board’s risk oversight focus?
Is the board approving major strategic and policy issues on a before-the-fact basis?
Is there a process in place for identifying and communicating emerging risks to enable management and the board to be proactive in responding to them?
Are significant, unexpected risk issues escalated to executive management and the board on a timely basis?
Jim DeLoach is a managing director with Protiviti and works closely with companies to improve their board risk oversight, including the communications between management and the board. He is a member of Protiviti’s Executive Council to the CEO and was named to NACD Directorship’s 2012 list of the 100 most influential people in corporate governance. Protiviti is a global consulting firm that assists board members, and the companies on which they serve, in protecting and enhancing their enterprise value by solving critical business problems in the areas of finance, technology, operations, risk and internal audit.