The National Association of Corporate Directors’ (NACD) 2016-2017 Public Company Governance Survey reported that, according to the vast majority (96%) of directors, “big picture” risks are overseen at the full board level. The big-picture view of risks includes those with broad implications for the organization’s strategic direction, including issues that can create significant reputation damage.
NACD’s findings are complemented by a recent survey of more than 700 c-suite executives who were asked to identify the top risks for 2017. Conducted in the fall of 2016 by Protiviti in partnership with North Carolina State University’s ERM Initiative, the study indicated that the overall global business context is noticeably riskier than in the two previous years, while respondents’ results in the United States implied that the risk landscape is about the same as before.
The common risk themes were ranked in order of overall priority providing context for understanding the 10 most critical uncertainties companies face in 2017.
Economic conditions in the global marketplace may significantly restrict growth opportunities. There are many sources of economic uncertainty in the markets that companies operate within. Examples of factors impacting growth include market volatility, Brexit, a strong U.S. dollar, central bank monetary policies, the aftermath of the U.S. 2016 election, sluggish growth rates in various global markets, rising global debt, and the threat of deflation. Survey participants may have concerns about a “new normal” of operating in an environment of slower organic growth.
Regulatory changes and scrutiny may increase, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. Ranked at the top in our prior surveys, this risk fell to the second spot for 2017. Companies continue to display anxiety about regulatory challenges affecting their strategic direction, how they operate, and their ability to compete with global competitors on a level playing field. This risk may be particularly relevant in 2017, given the climate of uncertainty surrounding the new U.S. executive and congressional administrations and their influence on the role of government and the business environment. Any major regulatory change—whether perceived as positive or negative—is of significant interest to executives and directors.
Organizations may not be sufficiently prepared to manage cyberthreats that could significantly disrupt core operations or damage their brand. Cyber risks have evolved into a moving target. Many factors are driving change, including the ongoing digital revolution, new innovations to enhance customer experience, cloud adoption, social media, mobile device usage, and increasingly sophisticated attack strategies, among others. The harsh reality is that new technology offerings and developments in organizations are quickly extending beyond the security protections that they currently have in place.
The rapid speed of disruptive innovations and new technologies within the industry may outpace the organization’s ability to compete or manage the risk appropriately. A company’s inability to respond in a timely manner to changing market expectations can be a major competitive threat for organizations that lack agility in the face of new market opportunities and emerging risks. The speed of change and development of emerging technologies can occur anywhere and in any industry, and this risk reaches far beyond the retail marketplaces. Disruption affects all industries. No company is immune.
Privacy, identity, and information security risks are not being addressed with sufficient resources. The technological complexities giving rise to cybersecurity threats also spawn increased security risks to privacy, identity, and other sensitive forms of information. As the digital world evolves and connectivity increases, new opportunities emerge for identity theft and for the compromise of sensitive customer information. Recent hacks exposed tremendous amounts of identity data involving large companies and the federal government in the United States. These underscore the harsh realities of this growing risk concern.
Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. A number of factors are driving this risk—changing demographics in the workplace, slower economic growth, increasingly demanding customers, and growing complexity in the global marketplace. As a result, organizations are being forced to elevate their recruitment and retention efforts to acquire, develop, and retain talent with the requisite knowledge, skills, and core values to execute challenging growth strategies.
Anticipated volatility in global financial markets and currencies may create significant challenges for organizations to address. Given questions surrounding the United Kingdom’s eventual exit from the European Union, as well as uncertainties in China and other world markets, it is not surprising that this risk remains among the top 10 for 2017. Factors indicated earlier—including rising public debt, falling commodity prices, sluggish economic growth, the strong U.S. dollar, and uncertainty regarding monetary policies—all contribute to uncertainty in global financial markets and currencies.
The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues. An organization’s culture has a huge impact on the manner in which risk issues are brought to the attention of decision makers when there is still time to act. Given the overall higher levels of risk-impact scores for all risks in 2017 relative to the year before, this cultural issue may be especially concerning to senior management and boards.
Resistance to change could restrict organizations from making necessary adjustments to their business model and core operations. The cultural issues noted above combined with a lack of organizational resiliency can be lethal in these uncertain times. Organizations committed to continuous improvement and breakthrough change are more apt to be early movers in exploiting market opportunities and responding to emerging risks than those companies that cling to the status quo.
Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and demographic shifts in the existing customer base. Protecting the customer base is not easy in today’s highly competitive environment of disruptive change. This may be what is on the minds of the survey participants rating this risk.
The company’s directors may want to consider the risks ranked here when determining the organization’s “big picture risks” to be evaluated in 2017. Boards should be aware of the context of the nature of the entity’s risks inherent in its operations. If your board has not identified these issues as risks, your company’s directors should consider their relevance and ask why not.
Recently, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated enterprise risk management (ERM) framework for public exposure and comment. Why is it important for directors to heed and apply these updates to their work? What follows is a summary of five important insights for directors to implement in the boardroom from the revised framework.
1. Identifying risks to the execution of the strategy is not enough. Many organizations focus on identifying risks that might affect the execution of the chosen strategy. The process of identifying these risks is an inherently good exercise. However, COSO asserts that “risks to the strategy” are only one dimension of strategic risk. There are two additional dimensions to applying ERM in strategy setting that can significantly affect an enterprise’s risk profile.
The “possibility of strategy not aligning” with an organization’s mission, vision, and core values, which define what the organization is trying to achieve and how it intends to conduct business. Directors should ensure that the company doesn’t put into play a misaligned strategy that increases the possibility that the organization may run askew of its mission and vision, even if that strategy is successfully executed.
The “implications from the strategy.” COSO states: “When management develops a strategy and works through alternatives with the board, they make decisions on the tradeoffs inherent in the strategy. Each alternative strategy has its own risk profile—these are the implications from the strategy.” When overseeing the strategy-setting process, directors need to consider how the strategy works in tandem with the organization’s risk appetite, and how it will drive behavior across the organization in setting objectives, allocating resources, and making key decisions.
In summary, the updated COSO framework asserts that all three dimensions need to be considered as part of the strategy-setting process. Failure to address all three could result in unintended consequences that lead to missed opportunities or loss of enterprise value.
2. Recognizing and acting on market opportunities and emerging risks on a timely basis is a differentiating skill. COSO asserts that an organization can be viable in the long term only if it is able to anticipate and respond to change—not only to survive, but also to evolve. Enterprise resilience, or the ability to function as an early mover, is an indispensable characteristic in an uncertain business environment. Therefore, corporate strategies must accommodate uncertainty while staying true to the organization’s mission. Organizations need to exhibit traits that drive an effective response to change, including agile decision-making, the ability to respond in a cohesive manner, the adaptive capacity to reorganize, and high levels of trust and collaboration among stakeholders.
3. Strengthening risk governance and culture sets the right tone. Effective risk governance sets the tone for the organization and reinforces the importance of, and establishes oversight responsibilities for, ERM. In this context, culture pertains to ethical values and responsible business behaviors, particularly those reflected in decision-making. COSO asserts that several principles drive the risk governance and culture needed to lay a strong foundation for effective ERM:
fostering effective board risk oversight;
recognizing the risk profile introduced by the operating model;
encouraging risk awareness;
demonstrating commitment to integrity and ethics;
establishing accountability for ERM; and
attracting, developing, and retaining talented individuals.
Whether an organization considers itself risk averse, risk neutral, or risk aggressive, COSO suggests that it should encourage a risk-aware culture. A culture in alignment with COSO’s revised principles is characterized by strong leadership, a participative management style, accountability for actions and results, embedding risk in decision-making processes, and open and positive risk dialogues.
4. Advancing the risk appetite dialogue adds value to the strategy-setting process. The institution’s risk appetite statement is considered during the strategy-setting process, communicated by management, embraced by the board, and integrated across the organization. Risk appetite is shaped by the enterprise’s mission, vision, and core values, and considers its risk profile, risk capacity, risk capability, and maturity, culture, and business context.
To be useful, risk appetite must be driven down from the board and executives into the organization. To that end, COSO defines the “acceptable variation in performance” (sometimes referred to as risk tolerance) as the range of acceptable outcomes related to achieving a specific business objective. While risk appetite is broad, acceptable variation in performance is tactical and operational. Acceptable variation in performance relates risk appetite to specific business objectives and provides measures that can identify when risks to the achievement of those objectives emerge. Operating within acceptable parameters of variation in performance provides management with greater confidence that the entity remains within its risk appetite; in turn, this provides a higher degree of comfort that the entity will achieve its business objectives in a manner consistent with its mission, vision, and core values.
5. Monitoring what really matters is essential to effective ERM. The organization monitors risk management performance and how well the components of ERM function over time, in view of any substantial changes in the external or internal environment. If not considered on a timely basis, change can either create significant performance gaps vis-à-vis competitors or can invalidate the critical assumptions underlying the strategy. Monitoring of substantial changes is built into business processes in the ordinary course of running the business and conducted on a real-time basis. As ERM is integrated across the organization, the embedding of continuous evaluations can systematically assist leadership with identifying process improvements.
Following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
Is the board satisfied that the organization is adaptive to change, and that management is considering the effects of volatility, complexity, and uncertainty in the marketplace when evaluating alternative strategies and executing the current strategy?
Should management consider the principles supporting effective implementation of ERM, as set forth by COSO, to ascertain whether improvements are needed to the enterprise’s risk management capabilities?
Jim DeLoach is managing director with Protiviti, a global consulting firm.
The U.S. Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). In 2013, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated its Internal Control—Integrated Framework, which was first released in 1992. This revised framework meets the SEC’s criteria for suitability and many companies have accordingly transitioned to this updated version. However, in addition to supporting the evaluation of IFCR, the framework offers other important lessons to boards of directors on the relevance of internal control to their risk oversight.
The control environment is vital to preserving an organization’s reputation and brand image. Since the release of the COSO framework, there have been a number of corporate scandals related to operational, compliance and reporting issues. These companies likely lacked a strong control environment in the areas that contributed to the crisis.
The control environment lays the foundation for a strong culture around the organization’s internal control system. It consists of the policies, standards, processes and structures that provide the basis for carrying out effective internal control across the organization. Through their actions, decisions, and communications, the board and senior management establish the organization’s tone regarding the importance of internal control. Management reinforces expectations at the various levels of the organization in an effort to ensure alignment of the tone in the middle with the tone at the top.
According to the COSO framework, the control environment comprises the
organization’s commitment to integrity and ethical values;
oversight provided by the board in carrying out its governance responsibilities;
organizational structure and assignment of authority and responsibility;
process for attracting, developing, and retaining competent people; and
rigor around performance measures, incentives, and rewards to drive accountability for performance.
Without a supportive boardroom culture and effective support from executive and operating management for internal control, the organization is susceptible to embarrassing control breakdowns that could tarnish its reputation and brand image. This issue is likely a contributing factor at the companies that have been hit recently with headline-grabbing scandals.
The control environment applies to outsourced processes. Organizations typically extend their activities beyond their four walls through strategic partnerships and relationships. The blurred lines of responsibility between the entity’s internal control system and those of outsourced service providers create a need for more rigorous controls over communication between all parties involved. For example, information obtained from outsourced service providers that manage business processes on behalf of the entity, and other external parties on which the entity depends for processing its information, should be subject to the same internal control expectations as information processed internally.
The point is clear: management retains responsibility for controls over outsourced activities. Therefore, these processes should be included in the scope of any evaluation of internal control over operations, compliance, and reporting, to the extent a top-down, risk-based approach determines they are relevant. Controls supporting the organization’s ability to rely on information processed by external parties include:
Vendor due diligence;
Inclusion of right-to-audit clauses in service agreements;
Exercise of right-to-audit clauses;
Obtaining an independent assessment over the service provider’s controls that is sufficiently focused on relevant control objectives (e.g., a service organization controls report); and
Effective input and output controls over information submitted to and received from the service provider.
The potential for fraud should be considered explicitly when conducting periodic risk assessments. Ongoing risk assessments are an integral part of a top-down, risk-based approach to ensuring effective internal control. In these assessments, directors should ensure that management evaluates the potential for fraudulent financial and nonfinancial reporting (e.g., internal control reports, sustainability reports and reports to regulators), misappropriation of assets, and illegal acts. In addition, the potential for third-party fraud is a relevant issue for many organizations. As the COSO Framework points out, fraud risk factors include the possibility of management bias in applying accounting principles; the extent of estimates and judgments in reporting; fraud schemes common to the industry; geographical areas where the organization operates; performance incentives that potentially motivate fraudulent behavior; potential for manipulation of information in sensitive financial and nonfinancial areas; entering into unusual or complex transactions; existence or creation of complex organizational structures that potentially obscure the underlying economics of transactions; and vulnerability to management override of established controls relating to operations, compliance and reporting.
There are important lessons learned in Section 404 compliance. Investors take reporting fairness for granted; however, when public companies restate previously issued financial statements for errors in the application of accounting principles or oversight or misuse of important facts, investors notice. The bottom line is that the markets take quality public reporting at face value. Once a company loses the investing public’s confidence in its reporting, it’s tough to earn it back.
Section 404 compliance is important in the United States because material weaknesses in ICFR provide investors early warning signs of financial reporting issues. We have gleaned many lessons in our work successfully transitioning numerous companies to the 2013 COSO framework. The most important of these lessons is that a top-down, risk-based approach is vital to Section 404 compliance. Some companies forgot to apply this approach when setting the scope and objectives for using the updated framework; as a result, they went overboard with their controls testing and documentation. We can’t stress strongly enough that the 2013 COSO Framework did not change the essence of and need for a top-down, risk-based approach to comply with Section 404.
Other lessons include:
Meet with your external auditor early and often to ensure that the company is fully aligned with the auditor on the appropriate process for transitioning to the updated framework.
Establish an effective and relevant mapping approach to link established key controls to the principles outlined in the COSO framework by leveraging the points of focus provided by the framework; start with existing controls documentation, and consider the nature of the framework’s components.
Manage the level of depth when testing indirect controls (often referred to as entity-level controls) by focusing on the specific objectives germane to ICFR; for example, for the indirect control emphasizing background checks, management should scope the application of this activity to the appropriate people designated with financial reporting responsibilities rather than all employees throughout the organization (unless management wishes to expand scope beyond financial reporting).
Focus on understanding and documenting control precision by understanding the control’s track record in detecting and correcting errors and omissions to support an assertion that the control effectively meets the prescribed level of precision.
Evaluate the completeness and accuracy of information produced by the entity to support the execution of key controls; the Public Company Accounting Oversight Board inspection reports are driving auditors to place more audit emphasis on validating system reports, queries and spreadsheets.
Applying the 2013 COSO framework to operational, compliance and other reporting objectives is virgin territory. In applying the updated COSO framework, most organizations have limited their focus to ICFR. Some organizations even believe that the framework was designed exclusively for Section 404 compliance. Such is not the case. There are benefits to using the framework for other objectives relating to operations, compliance, and other reporting. However, these efforts should be segregated from Section 404 compliance. Progressive organizations are applying the COSO Framework to other areas, such as sustainability reporting, regulatory compliance and controls over federal grants, to name a few.
Questions for Boards
The board may want to consider asking the following questions, based on the risks inherent in the entity’s operations:
Have directors paid close attention to whether the organization’s control environment is functioning effectively?
Does the organization periodically consider fraud risk in its risk assessments? Is the board satisfied that the risk of third-party fraud is reduced to an acceptable level?
Does the company’s process for complying with Section 404 apply a top-down, risk-based approach, and is the process cost-effective?
Has management considered applying the COSO framework to improve internal control in areas other than financial reporting?
Jim DeLoach is a managing director with Protiviti, a global consulting firm.