Tag Archive: Risk Management

The Board’s Role in Brand Oversight

Published by Jim DeLoach

Branding is the process by which a company establishes a significant and differentiated presence in the marketplace that attracts and retains loyal, long-term customers. A strong brand has a significant impact on the company’s shareholder value. As such, the board should dedicate some time to oversight of the brand’s reputation and stability.

Several thoughts on the board’s governance and oversight of the company’s branding and brand management follow. They are based on my firm’s experience and a recent NACD Dallas chapter roundtable discussion I facilitated in September involving active directors and marketing executives.

  • Understand the brand and brand portfolio. While the board’s governance role is rarely involved in the intricacies of managing or communicating the brand, directors should understand the company’s positioning and related brand promise. This baseline understanding is the price of entry into any conversation about a company’s branding. For example, what expectations does the brand inspire in current and prospective customers that differentiate the company’s offerings from competitors’ offerings? Does the company deliver on that brand promise in every customer interaction? Most importantly, how does management know this vital alignment exists? Consider brand implications from other aspects of the business, too: employee relations, supplier interactions, quality processes, research and development, and advertising.
  • Ask management where and when they would value input. Does the board clearly understand the type of interaction management would like to have with respect to the brand management process? Executives and directors should have a mutual objective: engage in dialogue in the right way and at the right time, and focus on the issues that most demand board oversight.
  • Think strategically about branding and brand management. Brand discussions are tied inextricably to discussions about strategy and markets. Therefore, the board’s focus should be directed to strategic oversight rather than to the tactical, day-to-day nuances of managing the brand or brand portfolio. For example, one company conducts a two-day strategy retreat where directors and senior management focus on important questions about what the future looks like, the pain points that present opportunities, what the company is doing to face the future confidently, and the adjustments necessary to the strategy. Debates about strategic direction incorporate discussions about the company’s markets, key differentiators, and brands.
  • Measure the contribution of branding to shareholder value. The level of investment in the company’s brands, the return on those investments, and the process for monitoring each brand’s performance are worthwhile topics on the board’s agenda. How is the company measuring the return on investment (ROI) and sustaining and increasing the contribution of branding to shareholder value? ROI can be difficult to measure because customer loyalty, which helps to promote stable cash flow over time, is an integral component. That said, the math underlying the cost of winning new customers versus that of retaining existing customers is not difficult to understand. Neither is the contribution of effective brand management to reducing the volatility associated with future growth expectations and economic downturns.
  • Be involved in discussions about new branding opportunities and building value from acquired brands. How does management decide whether to build or buy a brand to diversify the brand portfolio? This conversation can evolve into a mergers and acquisitions (M&A)-type dialogue that, if the transaction is significant, should take on all characteristics of board M&A oversight spanning the pre-acquisition, acquisition, and post-acquisition integration phases of the process. If the company is acquisitive, the board should understand the possible strategic contribution of acquired brands when approving the company’s strategic plan. The board may also want to become familiar with the M&A pipeline and the potential targets in management’s line of sight. If brand acquisitions are an integral part of the strategy, directors need to ensure that the management team includes individuals with the requisite skills to execute transactions and integrate acquired brands into the company’s portfolio.
  • Oversee the management of how risks impact branding. There are many risks to consider with respect to brand image. Risk management is an important skill from a branding standpoint because severe unmitigated risks can erode the value of a brand if there are persistent headlines about a high-profile crisis (e.g., data breaches, pervasive quality failures, corruption violations, litigation, and egregious financial restatements). In addition, when there is a re-branding with a new “look and feel” to the brand, a thorough search related to the proposed brand name, word marks, logos, tag lines, and other intellectual property (IP) should be conducted to ensure the new brand is unique and does not infringe on another company’s rights. Because the initial years of using a new brand are a period in which opposition can be raised, an effective search process is a prudent investment to undertake before the company spends heavily on the rollout and advertising campaigns. Once a branding architecture is established and protected by trademark, there is a need to monitor and protect the brand from other users to avoid dilution.
  • Periodically evaluate the board’s experience and diversity. Directors with a background in marketing and/or experience with brand-driven organizations are more likely to be comfortable inquiring and raising issues about management’s branding process. Even though industry experience helps, this is an area where perspectives outside the industry may contribute even more value. As in other realms of oversight, the more diverse the board members’ experience and backgrounds, the healthier the debate leading to a more robust branding strategy.

An important closing comment: The board can help temper the propensity of an aggressive management team to develop or acquire new additions to the brand portfolio. Management must have the capacity to manage new and acquired brands to deliver to ROI expectations. The board can help management frame a realistic portfolio diversification strategy. Then, it’s up to management to execute.


Jim DeLoach is managing director with Protiviti, a global consulting firm.

Positioning Independent Risk Management to Succeed

Published by Jim DeLoach

Effective chief risk officers are concerned with what the institution may not know. They must occasionally offer a contrarian point of view at crucial decision-making moments when a given strategy, transaction, or deal is under scrutiny or is likely to expose the organization to unacceptable risk. If they do not, who will?

In many organizations, board risk oversight is enhanced when the board and executive management are supported by an effective independent risk management function. Positioning the chief risk officer (CRO) (or equivalent executive) and the independent risk management function to deliver to expectations requires an understanding of how the CRO role can succeed. Let’s explore how to support this essential role.

Key Considerations

While not all CROs are alike, there are factors that offer the board a discussion framework for positioning the CRO (and independent risk management) to succeed.

1.) Inculcate an “everyone is responsible for risk” culture. If the board, senior management, and operating personnel believe that the CRO is the only position within the organization concerned with risk, the game is over before it begins. Ideally, front-line business unit, process, and functional owners should also be risk owners, or the first line of defense when it comes to identifying, sourcing, managing, and monitoring risk.

2.) Integrate risk into opportunity pursuits and decision-making processes. Striking the appropriate balance between the organization’s market-making and control-related activities is fundamental to what a CRO attempts to achieve. It typically begins with formulating and documenting a risk appetite framework approved by executive management and the board, and integrating that framework into operations. From there, risk considerations are incorporated into decision-making processes, performance evaluations, compensation decisions, and the discipline of monitoring the impact of changes in the business environment on the risk profile.

3.) Clearly define the CRO position. Two distinct CRO roles exist in practice. While there are variants, an understanding of these two roles provides a context for framing the positioning conversation:

  • The “champion” CRO advances and enables the organization’s risk management framework (and supporting methodologies, tools, and techniques), and plays the roles of coordinator and integrator to ensure consistency in application across operating units and functions. The champion CRO plays such roles as educator (as a provider of insights); facilitator (of risk assessments and formalization of risk mitigation plans); and consultant, communicator, and reporter. The champion CRO supports evaluations of enterprise risks and provides transparency into the capabilities around managing the priority risks across the institution.
  • The “line of defense” CRO undertakes the activities of the champion, but also is authorized to play a combination of other roles. These roles include evaluator; initiator; approver (of policies and risk response design); escalator (of significant issues to executive management, including the CEO, and, through appropriate channels, the board); vetoer (of activities affecting compliance with established internal policies); and arbitrator (of disagreements between operating and functional units affecting risk management). The line of defense CRO may not be authorized to assume all of these roles, but clearly reaches beyond a champion CRO with escalatory and/or veto authority.

The key is for the board and CEO to have a mutual understanding of the CRO’s role and function. In heavily regulated industries, such as financial services, the line-of-defense CRO is likely the preferred option. If the focus is primarily on understanding and coordinating an organization’s fragmented risk management efforts and reporting on the state of risk management, a champion CRO might work.

4.) Position the CRO to deliver to expectations. To serve as a second line of defense, a CRO must have sufficient stature with business-line leaders and across the organization. Stature comes from the authority, compensation, and direct reporting lines that command respect. In short, for business-line leaders to collaborate effectively with the CRO, they must view the CRO as a peer. This positioning is accentuated if the CRO:

  • Reports to someone who has strong influence on the organization, such as the CEO or executive committee (with administrative reporting to an appropriate C-level executive);
  • Has direct access to a standing committee of the board (i.e., through dotted-line reporting);
  • Engages in mandatory, regularly scheduled executive sessions with the board or a standing committee of the board;
  • Provides periodic reports and escalates issues to executive management and the board;
  • Has influence on compensation practices incenting the desired risk management behaviors; and
  • Is sufficiently resourced with an adequate support staff.

5.) Undertake a strategic focus. Consistent with the premise that risks must be owned by the lines of business and functional activities that generate them, the CRO generally operates in a strategic oversight role with authority vested by the executive committee (or a designated risk management committee), the CEO, and/or the board (or a committee of the board). The CRO’s focus must be on understanding enterprise risk, monitoring changes in the risk profile, and aligning risk with tolerance. Therefore, the board needs to ensure that there is an appropriate risk focus. The CRO role should not be perceived as a check-the-box compliance function that forces the business to follow rules imposed on it, as opposed to linking risk and opportunity effectively when creating and protecting enterprise value.

6.) Foster effective board communication. The CRO should have open and free access to the appropriate board contact. For line of defense CROs, the board must be vigilant in ensuring that there is nothing constraining the CRO from reporting to it when significant risk issues arise. To that end, a formalized escalation process should exist, such as written procedures and agreements requiring escalation of any significant issues raised by the risk management function that are contested by business-line executives, even in circumstances where the CEO resolves disputes between the first and second lines of defense.

In summary, there is no one-size-fits-all approach to the CRO role. Positioning the CRO function within the organization is more than defining the role itself. The depth and breadth of the CRO’s relationships with senior executives and business-line and functional leaders have a significant impact on the CRO’s effectiveness. The stronger these relationships, the more effective the CRO will be in realizing the intended value proposition. As expectations increase, the need for more sophisticated risk professionals grows.


Jim DeLoach is managing director with Protiviti, a global consulting firm.

COSO ERM Revised: What It Means for Your Board

Published by Jim DeLoach

Recently, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated enterprise risk management (ERM) framework for public exposure and comment. Why is it important for directors to heed and apply these updates to their work? What follows is a summary of five important insights for directors to implement in the boardroom from the revised framework.

1. Identifying risks to the execution of the strategy is not enough. Many organizations focus on identifying risks that might affect the execution of the chosen strategy. The process of identifying these risks is an inherently good exercise. However, COSO asserts that “risks to the strategy” are only one dimension of strategic risk. There are two additional dimensions to applying ERM in strategy setting that can significantly affect an enterprise’s risk profile.

  • The “possibility of strategy not aligning” with an organization’s mission, vision, and core values, which define what the organization is trying to achieve and how it intends to conduct business. Directors should ensure that the company doesn’t put into play a misaligned strategy that increases the possibility that the organization may run askew of its mission and vision, even if that strategy is successfully executed.
  • The “implications from the strategy.” COSO states: “When management develops a strategy and works through alternatives with the board, they make decisions on the tradeoffs inherent in the strategy. Each alternative strategy has its own risk profile—these are the implications from the strategy.” When overseeing the strategy-setting process, directors need to consider how the strategy works in tandem with the organization’s risk appetite, and how it will drive behavior across the organization in setting objectives, allocating resources, and making key decisions.

In summary, the updated COSO framework asserts that all three dimensions need to be considered as part of the strategy-setting process. Failure to address all three could result in unintended consequences that lead to missed opportunities or loss of enterprise value.

2. Recognizing and acting on market opportunities and emerging risks on a timely basis is a differentiating skill. COSO asserts that an organization can be viable in the long term only if it is able to anticipate and respond to change—not only to survive, but also to evolve. Enterprise resilience, or the ability to function as an early mover, is an indispensable characteristic in an uncertain business environment. Therefore, corporate strategies must accommodate uncertainty while staying true to the organization’s mission. Organizations need to exhibit traits that drive an effective response to change, including agile decision-making, the ability to respond in a cohesive manner, the adaptive capacity to reorganize, and high levels of trust and collaboration among stakeholders.

3. Strengthening risk governance and culture sets the right tone. Effective risk governance sets the tone for the organization and reinforces the importance of, and establishes oversight responsibilities for, ERM. In this context, culture pertains to ethical values and responsible business behaviors, particularly those reflected in decision-making. COSO asserts that several principles drive the risk governance and culture needed to lay a strong foundation for effective ERM:

  • fostering effective board risk oversight;
  • recognizing the risk profile introduced by the operating model;
  • encouraging risk awareness;
  • demonstrating commitment to integrity and ethics;
  • establishing accountability for ERM; and
  • attracting, developing, and retaining talented individuals.

Whether an organization considers itself risk averse, risk neutral, or risk aggressive, COSO suggests that it should encourage a risk-aware culture. A culture in alignment with COSO’s revised principles is characterized by strong leadership, a participative management style, accountability for actions and results, embedding risk in decision-making processes, and open and positive risk dialogues.

4. Advancing the risk appetite dialogue adds value to the strategy-setting process. The institution’s risk appetite statement is considered during the strategy-setting process, communicated by management, embraced by the board, and integrated across the organization. Risk appetite is shaped by the enterprise’s mission, vision, and core values, and considers its risk profile, risk capacity, risk capability, and maturity, culture, and business context.

To be useful, risk appetite must be driven down from the board and executives into the organization. To that end, COSO defines the “acceptable variation in performance” (sometimes referred to as risk tolerance) as the range of acceptable outcomes related to achieving a specific business objective. While risk appetite is broad, acceptable variation in performance is tactical and operational. Acceptable variation in performance relates risk appetite to specific business objectives and provides measures that can identify when risks to the achievement of those objectives emerge. Operating within acceptable parameters of variation in performance provides management with greater confidence that the entity remains within its risk appetite; in turn, this provides a higher degree of comfort that the entity will achieve its business objectives in a manner consistent with its mission, vision, and core values.

5. Monitoring what really matters is essential to effective ERM. The organization monitors risk management performance and how well the components of ERM function over time, in view of any substantial changes in the external or internal environment. If not considered on a timely basis, change can either create significant performance gaps vis-à-vis competitors or can invalidate the critical assumptions underlying the strategy. Monitoring of substantial changes is built into business processes in the ordinary course of running the business and conducted on a real-time basis. As ERM is integrated across the organization, the embedding of continuous evaluations can systematically assist leadership with identifying process improvements.

Following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:

  • Is the board satisfied that the organization is adaptive to change, and that management is considering the effects of volatility, complexity, and uncertainty in the marketplace when evaluating alternative strategies and executing the current strategy?
  • Should management consider the principles supporting effective implementation of ERM, as set forth by COSO, to ascertain whether improvements are needed to the enterprise’s risk management capabilities?


Jim DeLoach is managing director with Protiviti, a global consulting firm.