In recent years, ERM implementations have generally focused on three questions:
Do we know what our key risks are?
Do we know how they’re being managed?
How do we know?
In responding to these three questions, executive management and boards in some companies have made progress in differentiating the truly critical enterprise risks from the risks associated with day-to-day business operations.
While seeking these answers is a useful exercise, is it enough? Directors should also ask:
Is our ERM approach helping us identify flaws and weaknesses in our strategy on a timely basis?
Is our organization able to recognize the signs of disruptive change, and is it agile and resilient enough to adapt?
Do we truly consider risk and return in our decision-making processes or do we blindly follow the herd and remain emotionally invested in the comforts of our business model?
Do we seek out what we don’t know? Are we prepared for the unexpected?
Is everyone competing for capital and funding with rose-colored glasses, making the resource and budget allocation process a grabfest?
Yes, companies have made progress in various ways with enterprise risk management, but depending on the answers to the above questions, more needs to be done.
Adoption and application of COSO’s Framework could alter the conversation by clarifying the importance of integrating risk, strategy, and enterprise performance. While a stand-alone process may be worthwhile and useful, it is not ERM as defined by COSO. The framework introduces five interrelated components and outlines 20 relevant principles arrayed among those components, offering a benchmarking option for companies seeking to enhance their ERM approach.
Four observations frame what COSO is looking for:
Integrate ERM with strategy. There are three dimensions to integrating ERM with strategy-setting and execution:
risks to the execution of the strategy;
implications from the strategy (meaning each strategic option has its unique risk-reward trade-off and resulting risk profile); and
the possibility of the strategy not aligning with the enterprise’s mission, vision and core values.
All three dimensions need to be considered as part of the strategic management process.
Integrate risk with performance. Risk reporting is not an isolated exercise. Operating within the bounds of an acceptable variation in performance provides management with greater confidence that the entity will achieve its business objectives and remain within its risk appetite.
Lay the foundation for ERM with strong risk governance and culture. The board and CEO must be vigilant in ensuring that pressures within the organization are neither excessive nor incentivizing unintended consequences. Such pressures may be spawned by unrealistic performance targets, conflicting business objectives of different stakeholders, disruptive change altering the fundamentals underlying the business model, and imbalances between rewards for short-term financial performance and stakeholders focused on the long term.
Tie risk considerations into decision-making processes. COSO defines “relevant information” as information that facilitates informed decision-making. The more information contributes to increased agility, greater proactivity, and better anticipation of changes to the enterprise, the more relevant it is and the more likely the organization will execute its strategy successfully and achieve its business objectives.
Boards should urge the executives within their companies to consider the principles embodied by the COSO framework to advance their current ERM approach. In this regard, we suggest organizations focus on three keys:
Position the organization as an early mover. When a market shift creates an opportunity to create enterprise value or invalidates critical assumptions underlying the strategy, it may be in an organization’s best interests to recognize that insight and act on it as quickly as possible. The question is: When the entity’s fundamentals change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or will it be looking at the emerging risk of an outdated strategy? The organization attains time advantage when it obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options for its leaders before that knowledge becomes widely known.
Address the challenges of risk reporting. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile and nimble in responding to a changing business environment. To truly impact decision-making, risk reporting must address three questions:
Are we riskier today than yesterday?
Are we entering a riskier time?
What are the underlying causes?
Risk reporting is often not actionable enough to support decision-making processes. Once risk reporting is designed to answer these three questions, it becomes the key to evolving ERM to a “risk-informed” decision-making discipline.
Preserve reputation by maximizing the lines of defense. How do organizations safeguard themselves against reputation-damaging breakdowns in risk and compliance management? The widely accepted lines-of-defense model consists of three lines of defense. The first line consists of the business unit management and process owners whose activities give rise to risk. The second line consists of the independent risk and compliance functions, and internal audit is the third line. Also important is the tone of the organization—the collective impact of the tone from the top, the tone from the middle, and the tone at the bottom on risk management, compliance, and responsible business behavior. The proper tone lays the cultural foundation for the effective functioning of each of the three lines of defense. Arguably, the final line of defense is senior management and the board. For example, top management acts on risk information on a timely basis when significant issues are escalated and involves the board when necessary.
These three keys offer a focused line of sight for companies and their boards seeking to advance their ERM approach consistent with the principles and guidance in the updated COSO framework. The relationship of ERM to the processes the CEO values most can be compared to the contribution of salt, pepper, and other seasonings to a sumptuous meal. The objective is to enhance the outcomes that the organization is attempting to achieve by enabling it to be more adaptive in a volatile, complex, and uncertain world.
Lorrie Norrington has over 35 years of operating experience in technology, software, and Internet businesses. Norrington is currently an Operating Partner at Lead Edge Capital, and serves on the boards of Autodesk, Colgate-Palmolive Co., HubSpot, BigCommerce, and Eventbrite. She lives in Silicon Valley. This blog is part of the 2017 NACD Global Board Leaders’ Summit series.
A company’s board sets the tone from the top and oversees long-term strategy. However, now more than ever, boards also must actively work to understand technology trends and encourage a culture of innovation that drives long-term growth. The development of an innovation mindset has become an imperative for directors.
The pace of technological change is forcing governance needs to evolve faster than anticipated. As a result, the inability to innovate has become one of the biggest business risks in most enterprise risk management assessments. It is useful to understand that both evolutionary innovation (or the combination of small ideas into bigger change) and discontinuous innovation (which is disruptive to companies and industries) can render companies uncompetitive in months and years—not decades.
Below are some of the techniques I’ve used over the past decade as a director to keep current on my knowledge and help boards embrace technology and innovation.
Take It Personally
You don’t have to live in Silicon Valley or be a technologist to possess a solid working knowledge of innovation and technology trends. In our previous roles as executives, we were forced to keep current on business and technology changes. The same holds for board directors. It is up to you. Annual updates through events like the NACD Global Board Leaders’ Summit are essential to learn about key trends and best practices from other boards. However, given the rate of change, you cannot rely solely on annual updates. Every year, at a minimum, I read the top three business technology books on Amazon’s bestseller list, attend one technology conference (Mary Meeker’s annual pitch is a must), and read my favorite tech-focused publications (i.e., Recode and TechCrunch) daily. This routine enables me to engage in the boardroom with an informed perspective.
Go Beyond the CEO
With today’s rate of change, it isn’t realistic to expect the CEO to have all the answers regarding innovation efforts and how teams are applying technology. If your board has a technology and innovation committee, take time to understand executives’ areas of focus and ensure the agenda is balanced to include both the risks and opportunities technology change can create. If your board does not have one, ensure one of your board members is designated to engage regularly with the chief technology officer or chief product officer about their mid- and long-term innovation and technology plans.
Create an “Innovation System” for Your Board
A technology and innovation review should be part of your annual, board-level strategy or product review. Examining current technologies and innovations, and examining early-stage technologies and innovations that management believes to be part of the future, are two key behaviors to build as a part of your board’s robust “innovation system.” Last, by including technology and technical product skills as part of the criteria for new board members, you will ensure the board has the right skills long-term to encourage and challenge management.
In sum, boards set the tone for the entire organization. If you embrace technology and innovation, this empowers everyone throughout the company to do the same. In a world where the rate of technology and innovation will determine long-term success or failure, directors must embrace the changes needed to encourage and challenge management to accelerate their understanding of technology and the pace of innovation.
To learn more about technology and innovation, attend the 2017 Global Board Leaders’ Summit, Oct. 1–4, 2017, in National Harbor, MD. For the full Summit agenda, please visit the Summit website.
The National Association of Corporate Directors’ (NACD) 2016-2017 Public Company Governance Survey reported that, according to the vast majority (96%) of directors, “big picture” risks are overseen at the full board level. The big-picture view of risks includes those with broad implications for the organization’s strategic direction, including issues that can create significant reputation damage.
NACD’s findings are complemented by a recent survey of more than 700 C-suite executives who were asked to identify the top risks for 2017. Conducted in the fall of 2016 by Protiviti in partnership with North Carolina State University’s ERM Initiative, the study indicated that the overall global business context is noticeably riskier than in the two previous years, while respondents’ results in the United States implied that the risk landscape is about the same as before.
The common risk themes were ranked in order of overall priority, providing context for understanding the 10 most critical uncertainties companies face in 2017.
Economic conditions in the global marketplace may significantly restrict growth opportunities. There are many sources of economic uncertainty in the markets that companies operate within. Examples of factors impacting growth include market volatility, Brexit, a strong U.S. dollar, central bank monetary policies, the aftermath of the U.S. 2016 election, sluggish growth rates in various global markets, rising global debt, and the threat of deflation. Survey participants may have concerns about a “new normal” of operating in an environment of slower organic growth.
Regulatory changes and scrutiny may increase, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. Ranked at the top in our prior surveys, this risk fell to the second spot for 2017. Companies continue to display anxiety about regulatory challenges affecting their strategic direction, how they operate, and their ability to compete with global competitors on a level playing field. This risk may be particularly relevant in 2017, given the climate of uncertainty surrounding the new U.S. executive and congressional administrations and their influence on the role of government and the business environment. Any major regulatory change—whether perceived as positive or negative—is of significant interest to executives and directors.
Organizations may not be sufficiently prepared to manage cyberthreats that could significantly disrupt core operations or damage their brand. Cyber risks have evolved into a moving target. Many factors are driving change, including the ongoing digital revolution, new innovations to enhance customer experience, cloud adoption, social media, mobile device usage, and increasingly sophisticated attack strategies, among others. The harsh reality is that new technology offerings and developments in organizations are quickly extending beyond the security protections that they currently have in place.
The rapid speed of disruptive innovations and new technologies within the industry may outpace the organization’s ability to compete or manage the risk appropriately. A company’s inability to respond in a timely manner to changing market expectations can be a major competitive threat for organizations that lack agility in the face of new market opportunities and emerging risks. The speed of change and development of emerging technologies can occur anywhere and in any industry, and this risk reaches far beyond the retail marketplaces. Disruption affects all industries. No company is immune.
Privacy, identity, and information security risks are not being addressed with sufficient resources. The technological complexities giving rise to cybersecurity threats also spawn increased security risks to privacy, identity, and other sensitive forms of information. As the digital world evolves and connectivity increases, new opportunities emerge for identity theft and for the compromise of sensitive customer information. Recent hacks exposed tremendous amounts of identity data involving large companies and the federal government in the United States. These underscore the harsh realities of this growing risk concern.
Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. A number of factors are driving this risk—changing demographics in the workplace, slower economic growth, increasingly demanding customers, and growing complexity in the global marketplace. As a result, organizations are being forced to elevate their recruitment and retention efforts to acquire, develop, and retain talent with the requisite knowledge, skills, and core values to execute challenging growth strategies.
Anticipated volatility in global financial markets and currencies may create significant challenges for organizations to address. Given questions surrounding the United Kingdom’s eventual exit from the European Union, as well as uncertainties in China and other world markets, it is not surprising that this risk remains among the top 10 for 2017. Factors indicated earlier—including rising public debt, falling commodity prices, sluggish economic growth, the strong U.S. dollar, and uncertainty regarding monetary policies—all contribute to uncertainty in global financial markets and currencies.
The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues. An organization’s culture has a huge impact on the manner in which risk issues are brought to the attention of decision makers when there is still time to act. Given the overall higher levels of risk-impact scores for all risks in 2017 relative to the year before, this cultural issue may be especially concerning to senior management and boards.
Resistance to change could restrict organizations from making necessary adjustments to their business model and core operations. The cultural issues noted above combined with a lack of organizational resiliency can be lethal in these uncertain times. Organizations committed to continuous improvement and breakthrough change are more apt to be early movers in exploiting market opportunities and responding to emerging risks than those companies that cling to the status quo.
Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and demographic shifts in the existing customer base. Protecting the customer base is not easy in today’s highly competitive environment of disruptive change. This may be what is on the minds of the survey participants rating this risk.
The company’s directors may want to consider the risks ranked here when determining the organization’s “big picture risks” to be evaluated in 2017. Boards should be aware of the context of the nature of the entity’s risks inherent in its operations. If your board has not identified these issues as risks, your company’s directors should consider their relevance and ask why not.