While risk oversight has always been an important part of the board’s agenda, the disruptive financial crisis taught everyone a lesson about just how important it is. The risk oversight playbook has evolved over recent years, during which many boards took a hard look at their membership, how they operate, and whether their operations and the information to which they have access are conducive to effective risk oversight.
In addition, regulators have taken an active interest in the board’s oversight of risk. For example, the U.S. Securities and Exchange Commission requires that proxy disclosures shine a spotlight on the board’s role in overseeing the company’s risk management process, the directors’ qualifications to understand the entity’s risks, and the board’s compensation committee’s evaluation of the entity’s various compensation arrangements to ensure that they are not encouraging the undertaking of excessive, unacceptable risks.
In 2009, the National Association of Corporate Directors (NACD) published its Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward. This report recommends 10 principles to assist boards in strengthening their oversight of the company’s risk management. According to the report, “these principles provide a foundation that boards can use to build a more comprehensive risk oversight system tailored to the specific needs of their respective companies.” Further, these principles provide an outstanding framework for a board to use when evaluating its current risk oversight process. Directors should use these 10 timeless principles to assess their board’s process and ascertain whether the process needs refreshment or redirection.
1. Understand the company’s key drivers of success. Understanding the business and industry, what drives value creation, how the business model works, and the critical issues affecting the company lays a vital foundation to an effective risk oversight process. Accordingly, directors must remain abreast of these matters and there must be processes in place to help them in this regard.
2. Assess the risks in the company’s strategy. This principle and the one before it are interrelated as they both focus on understanding the corporate strategy and the risks inherent in the strategy. This understanding provides a context for separating out the everyday, ongoing risks of managing the business to identify the risks that truly matter: the critical enterprise risks that threaten the execution of the company’s strategy and business model.
It is vital that directors understand the risks inherent in the business model, including the key assumptions underlying the continued viability of the business model, and agree with executive management on the company’s risk appetite in the pursuit of enterprise value creation.
3. Define the role of the full board and its standing committees with regard to risk oversight. This principle is important for directors to focus on as they collaborate in clarifying risk oversight responsibilities for the full board and the various standing committees. The NACD Blue Ribbon Commission (BRC) asserts that, “as a general rule, the full board should have primary responsibility for risk oversight, with the board’s standing committees supporting the risks inherent in their respective areas of oversight.”
At Protiviti, our experience is that the vast majority of directors agree with this general rule, as it mirrors the full board’s responsibility for strategy. It also recognizes that there are always outliers due to unique circumstances. Finally, the BRC points to the importance of distinguishing management’s responsibilities from the board’s.
4. Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources. Risk is often an afterthought to strategy, and risk management is an appendage or “side activity” to performance management. This principle addresses such issues as positioning the chief risk officer or an equivalent executive to effectively support the board’s oversight efforts. It looks beyond mere risk identification to consider the adequacy of other dimensions of managing risk, including sourcing, measuring, mitigating and monitoring risk through appropriate policies, processes, people, reporting, methodologies, and systems and data.
5. Work with management to understand and agree on the types of risk information the board requires. This principle remains a common issue for many boards. At Protiviti, we often hear directors complaining of being overwhelmed with reports or too many agenda topics while being underwhelmed with insightful information for decision-making. Directors suffering from information overload require sharper focus on actionable information. Whether or not there is reliance on quantitative models, reporting should provide different perspectives on a given risk.
To focus the risk oversight dialogue, the NACD BRC introduces three categories of risks facing each board:
Critical enterprise risks (as discussed above)
Business management risks (i.e., the normal ongoing risks)
Emerging risks and nontraditional risks (e.g., climate change, slowdown in foreign markets, disruptive technological innovation)
These categories are useful, as the critical enterprise risks and emerging risks should capture most of the board’s attention, whereas the business management risks should be addressed through periodic status reporting and escalation of significant issues.
6. Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions. This principle addresses the need for constructive engagement between boards and management on risk matters. The principle’s reference to challenging assumptions is especially important in light of the financial crisis, after which many have questioned whether boards really understood the key variables driving an institution’s success and exposing it to failure, as well as the sensitivity of those variables to changes in the market. When an organization is making a lot of money, directors need to understand the risks undertaken to achieve success, rather than simply applauding as management breaks out the champagne.
7. Closely monitor the potential risks to the company’s culture and its incentive structure. This principle also points to another lesson of the financial crisis: a company’s culture and incentive compensation structure can potentially impact behaviors, decisions, and attitudes toward taking and managing risk.
Culture and incentives form the glue that binds all elements of the risk management infrastructure together, because they reflect the shared values, goals, practices and reinforcement mechanisms that embed risk into an organization’s decision-making processes and risk management into its operating processes. In effect, they represent a look into the soul of an organization to ascertain whether risk-reward trade-offs really matter to its leaders.
One of the significant lessons of the financial crisis is the danger of “heads I win, tails you lose” compensation structures for executives whose behaviors can expose the organization to significant risks well beyond the level of risk the board might consider acceptable.
8. Monitor critical alignments of strategy, risk, controls, compliance, incentives and people. This principle speaks to the importance of aligning critical elements to get everyone and everything—people, processes and the organization—on the same page. Without alignment, there is likely to be a disconnect between a company’s strategy and its execution, and a disconnect can be costly as well as risky. Nevertheless, alignment is hard for management to achieve—and even more challenging for directors to oversee.
9. Consider emerging and interrelated risks: What’s around the next corner? Emerging risks deal with issues that are not on management’s radar currently. They require an anticipatory and forward-looking focus. The worst kind of uncertainty is being unaware of what we don’t know; while senior managers have knowledge from internal and external sources, do they really understand what they don’t know?
The fundamental question raised by this principle is an inquiry as to whether management looks out far enough, is monitoring what matters in the external environment and devotes sufficient time to “connecting the dots.” Sooner or later, something fundamental in the organization’s business will change. And when disruptive change occurs, a company’s risk profile is likely to be altered in significant ways. Therefore, directors need to know that management devotes sufficient time to thinking about the unthinkable and response readiness preparation, as both are key to a world-class reaction.
10. Periodically assess the board’s risk oversight processes: Do they enable the board to achieve its risk oversight objectives? The last principle advocates applying the best practice of periodic board self-evaluations to the risk oversight process.
Questions for Boards
The following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
Has the board articulated its risk oversight objectives? Are those objectives incorporated into the board’s charter?
Has the board evaluated the effectiveness of its processes in achieving its risk oversight objectives? If so, has the board considered the NACD BRC’s 10 principles of effective risk oversight in evaluating its risk oversight processes?
Is the board proactively taking steps to address any gaps that impede its risk oversight effectiveness?
Risk governance varies radically across industries and organizations because a one-size-fits-all approach simply does not exist. There are, however, five interrelated principles that underlie effective risk management within all organizations in both good times and bad: integrity in the discipline of risk management, constructive board engagement, effective risk positioning, strong risk culture, and appropriate incentives.
Integrity in the Discipline of Risk Management
Integrity in the discipline of risk management means having a firm grasp of business realities and disruptive market forces. It also means engaging in straight talk with the board and within executive management about the related risks in achieving the organization’s objectives and the capabilities needed to reduce those risks to an acceptable level.
Integrity in the discipline is tied to a strong tone at the top. If tone at the top is lacking, the executive team is not likely to be paying attention to the warning signs.
Consider the following common examples of integrity failures:
Not clearly grasping business realities. The 2008 global financial crisis is a good example of what can happen when the inherent risks associated with aggressive, growth-oriented market strategies are discounted, ignored, or never considered. Breakdowns in time-tested underwriting standards, failures to consider concentration risks, and excessive reliance on third-party assessments of structured products were among the root causes of the crisis.
Not integrating risk with strategy-setting. When risk is an afterthought to strategy, risk management fails to reach its full potential. The critical assumptions underlying the corporate strategy must be understood at the highest levels of the institution, and the external environment must be monitored to ensure that these assumptions remain valid over time.
Not tying risk tolerance to performance. Risk is often treated as an appendage to performance management. But how does management or the board know if risk is being efficiently managed if risk appetites and tolerances have not been delineated? Performance and risk must be integrated, and to that end, defining thresholds is essential.
Limiting risk management to a compliance activity. Integrity in the discipline means knowing that undertaking initiatives to manage risk in the pursuit of business objectives is not strictly a regulatory compliance measure. Viewing risk management as a “regulatory” check-the-box matter restrains its value proposition.
Hoping that risks are managed sufficiently while knowing that business realities are not actively monitored, risk is not really understood, tolerance levels are not set, and risk management is addressed solely to meet regulatory guidelines is a clear indicator that integrity in the discipline is lacking.
Constructive Board Engagement
Effective risk oversight by the board begins with defining the role of the full board and its standing committees with regard to the oversight process and working with management to understand and agree on the types of risk information the board requires. Directors need to understand the company’s key drivers of success, assess the risks in the strategy, and encourage a dynamic dialogue with management regarding strategic assumptions and critical risks.
The scope of the board’s risk oversight should consider whether the company’s risk management system—the people and processes—is appropriate and has sufficient resources. The board should pay attention to the potential risks in the company’s culture and monitor critical alignments in the organization: strategy, risk, controls, compliance, incentives, and people. Finally, the board should consider emerging and interrelated risks.
Effective Risk Positioning
The expectations of the board and executive management for the chief risk officer (CRO) and the risk management function must be carefully considered and, given those expectations, the function positioned for success. To this end, six key success factors constitute a significant step toward a successful and effective risk management function.
The CRO (or equivalent executive) is viewed as a peer with business-line leaders in virtually all respects (e.g., compensation, authority, and direct access and reporting to the CEO) and likewise down through the business hierarchy and across the organization.
The CRO has a dotted reporting line to the board or a committee of the board and faces no constraints of any kind in reporting to the board.
The board, senior management, and operating personnel believe that managing risk is an organizational imperative and everyone’s job.
Management values risk management as a discipline equal to opportunity pursuit.
The organization clearly views the CRO as undertaking a broader risk focus than compliance.
The CRO’s position, and how it interfaces with senior line and functional management, is clearly defined.
Taking one or more of these elements away should send up a red flag indicating that the risk management function may be unable to fulfill its expected role and lacks real authority or influence. Depending on the expectations, the function may be set up to fail.
Strong Risk Culture
An actionable risk culture helps to balance the inevitable tension between creating enterprise value through the strategy and driving performance on the one hand, and protecting enterprise value through risk appetite and managing risk on the other hand. While risk culture has gained relevance in financial services institutions in the post-global financial crisis era, the decision-making preceding reputation-damaging risk events and the lack of response readiness when those events occur have made risk culture a topic of interest in other industries as well.
Culture is influenced by many factors. In addition to tone at the top and the quality of the board’s risk discussions, other factors include:
Accountability. Successful risk management requires employees at all levels to understand the core values of the institution and its approach to risk, be capable of performing their prescribed roles, and be aware that they are held accountable for their actions in relation to expected risk-taking behaviors.
Effective challenge. A sound risk culture encourages an environment in which decision-making processes allow expression of a range of views, manage the effect of bias and facilitate reality testing of the status quo.
Collaboration and open communications. A positive, freely open and collaborative environment engages the most knowledgeable people and leads to the best decisions.
Incentives that encourage risk awareness help shape risk culture, as discussed below.
Appropriate Incentives
Performance and talent management should encourage and reinforce maintenance of the organization’s desired risk behavior. The old saying “What gets rewarded, gets done” is as true with risk management as it is with any other business process. Disconnects in the organization’s compensation structure and an excessive near-term focus can lead to the wrong behaviors, neutralizing otherwise effective oversight by the board, CRO and other executives.
For example, if lending officers are compensated based on loan volumes and speed of lending without regard for asset quality, reasonable underwriting standards and process excellence, the financial institution may be encouraging the officers to game the system to drive up their compensation, exposing the company to unacceptable credit risk.
This principle requires more than focusing on C-suite executive compensation and upper management. Equally important is an understanding of the incentive plans driving behavior in the sales force and on the “factory floor” where production takes place, as this is where the individual “moments of truth” occur that add, subtract or neutralize the buildup of risk within the organization’s processes, each and every day.
Questions for Boards
The following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:
Has the board articulated its risk oversight objectives and evaluated the effectiveness of its processes in achieving those objectives? If there are any gaps that may impede risk oversight effectiveness, is the board taking steps to address them?
Are there any elements of ineffective positioning of the risk management function present in the organization? Is the CRO (or equivalent executive) viewed as a peer with business-line leaders? Does the board leverage the CRO in obtaining relevant and insightful risk reports? Does the CRO have a direct reporting line to the board?
Does executive management openly support each line of defense (e.g., the primary risk owners [business-line leaders and process owners whose activities create risk], independent risk and compliance management functions, and internal audit) to ensure it functions effectively and that there is timely consideration of escalated matters by executive management and the board?
Do primary risk owners identify and understand their respective risks and risk appetites? Do they escalate issues to executive management in a timely manner? Is the board of directors engaged in a timely manner on significant risk issues?
Is risk management a factor in the organization’s incentives and rewards system? Is risk/reward an important factor in key decision-making processes? Do information systems provide sufficient transparency into the entity’s risks?
Jim DeLoach is a managing director with Protiviti (www.protiviti.com), a global consulting firm.
“How mature is our risk management?” Chances are good that you have been asked this question at least once. At Protiviti, we hear it frequently. The common presumption is that the more mature a process, the more effective it is. But what does that really mean, and how does the concept of maturity apply to risk management?
Effective enterprise risk management (ERM) enables timely responses to the risks that matter most to an organization. An effective risk management infrastructure is constructed using the following six elements (the same six named earlier in the discussion of the risk management system: policies, processes, people, reporting, methodologies, and systems and data):
Policies
Processes
People and organization
Reports
Methodologies and assumptions
Systems and data
Once in place for a given risk, these six elements pave the way for advancing the maturity of risk management. The more mature an organization’s risk management, the stronger its culture will be in balancing the inevitable tension between creating enterprise value through strategy and driving performance, and protecting enterprise value through a risk appetite framework and effective risk management capabilities.
A capability maturity framework assists management in thinking more clearly about questions such as:
Do we rely on a few well-qualified individuals to manage a particular risk in an ad hoc manner, or do we have robust capabilities that we improve continuously?
How effective do we want our risk management capabilities to be as we improve our infrastructure over time for each of our priority risks?
Should we vary the rigor and robustness of our risk responses and related control activities by risk type or, alternatively, treat all risks the same in terms of applying mature risk management capabilities?
When aligning the organization’s capabilities with its desired risk responses, choices must be made. Given that every organization has a finite amount of resources, risk management capabilities must be selectively improved by considering expected costs and benefits. The goal of ERM is to identify the organization’s most significant exposures and uncertainties and focus on improving the capabilities for managing them. That’s why an emphasis on risk management infrastructure is important. Risk management processes can advance through five levels of maturity which are defined as follows:
Initial State. Risk management is fragmented and ad hoc. Individual risks are managed in silos, and the organization is often reactive to events. There is a general lack of policies and formal processes; therefore, the entity is dependent on seasoned managers acting on their own initiative to manage risk.
There is also very little accountability due to the absence of clearly designated people charged with overseeing specific risks. When personnel leave the organization, the organization has difficulty replicating what they do. While the initial state can be rationalized for insignificant risks, the lack of direction is a breeding ground for a crisis in areas requiring more rigor and discipline.
Repeatable State. Basic risk management policy structures and processes, including risk assessment, are in place to achieve stated objectives and requirements. Human resources are allocated to risk management, with responsibilities and authorities defined for specific individuals. Accountability may still be an issue at this stage because reporting is not rigorous enough to hold specific individuals accountable for results. Thus, there is still heavy reliance on people to “take care of things.” However, when someone saddled with these responsibilities leaves, the void is not as great now that “repetition” is taking place as a result of increased process discipline and established guidelines for managing risks.
Defined State. Policies and processes are further refined and documented, resulting in more uniform risk mitigation activities and risk oversight across units and functions. For example:
A risk committee structure may be in place, along with a designated executive responsible for aggregating enterprise risks and ensuring cross-unit and cross-functional coordination.
Robust controls documentation and verification mechanisms are in place to ensure policies are followed and processes are performing as intended.
Roles and responsibilities are clearly defined. Robust management reports, supported by rigorous methodologies, add more value by integrating appropriate key performance and risk indicators into decision-making processes.
Systems are more stable and scalable with improved functionality because technology lays a foundation for all of the other infrastructure elements.
There is evidence of risk-sensitive and risk-aware decision-making, as exceptions and “near misses” are reported in a timely manner, and lessons learned and control deficiencies drive improvement initiatives.
Managed State. Organizations functioning at the defined state are building the foundation for a strong risk governance culture. At the managed state, we see improved quantification, time-tested models and data analytics assisting decision makers with forecasting, scenario-planning and trend analysis to identify emerging risks and anticipate the potential for disruptive change. A formal lines-of-defense framework is implemented, risk measures are linked to performance goals, early warning systems are in place, and capital allocation techniques are effectively deployed.
At this stage, a risk appetite framework is also established and decomposed into risk limits allocated to operating units. When predefined limits are approached or exceeded, the situation is evaluated and corrective action, if needed, is taken. Objectives, targets and performance metrics are integrated into enterprise-wide systems providing dashboard reporting and drill-down capabilities. These enhanced capabilities facilitate the integration of risk management activities into strategy-setting, business planning, and performance management. They also position the organization as an early mover to recognize and act on emerging risks—as well as opportunities.
Optimizing State. Here, the organization has a commitment to continuously improve the capabilities at the managed state, keeping all elements of risk management infrastructure fully aligned as the business environment changes. Risk policies are evaluated on an enterprise-wide basis to achieve the desired risk/reward balance, as well as to understand and exploit the effects of diversification across multiple risks.
In the optimizing state, best practices are routinely identified and shared across the organization, suggesting that the journey of enhancing risk management capabilities never ends because external and internal conditions are constantly changing. Corporate improvement initiatives that are established and applied enterprise-wide are integrated with risk management.
The above criteria show how each successive stage of maturity reflects further enhancements in managing risk. The more mature a company’s capabilities, the greater its prospects for success in managing risk and the lower its potential for failure. A consistent and fact-based use of a capability maturity framework by risk owners allows for a focused understanding and articulation of the current and desired states of risk management capabilities across the organization.
To illustrate, a maturity framework works as follows:
For each risk (e.g., regulatory, health and safety, or supply chain risk), the risk owner or internal audit should evaluate the current state of the entity’s risk management capabilities. The current state generally refers to capabilities that are present and functioning, but it may take into account planned initiatives currently funded and underway to improve capabilities.
The risk owner then decides how much added capability is needed to achieve the desired state of risk response. When making this determination, be as realistic as possible. The objective is to select capabilities that provide the best fit with the core competencies that would be reasonably expected of an organization executing the enterprise’s business model.
Both management and the board should recognize that the desired state’s capability may vary by risk. For example, some operational risks, such as operating a nuclear power plant, may drive management to choose processes at the optimizing state of maturity because there is little margin for error in operation. Windstorms, flooding, and other environmental hazards may only warrant periodic analysis and procurement of insurance with little need for intricate risk reporting, in which case a response system at the repeatable state of maturity might be appropriate. For cyber risks involving “crown jewel” information assets and systems, a response matured to the managed state may be desired.
Once the gap between the current state and desired state is identified, the risk owner must then evaluate the expected costs and benefits of increasing capabilities to close the gap. The actionable steps resulting from a gap analysis become an integral part of the business plan. What constitutes “best practice” in managing a particular risk at one company may seem either insufficient or overdone in the context of managing the same risk at another company. Not only is it unnecessary to deploy the most advanced techniques for all risks, no organization has the resources—or a viable business reason—to do that. Thus, thinking in terms of capability maturity can facilitate the resource allocation process.
Questions for Boards
The following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
At what stage of maturity are our organization’s risk management capabilities, both for the enterprise as a whole and for each of our most critical risks?
Do our organization’s risk responses to address individual risks reflect a careful assessment of the appropriate capabilities needed to reduce risk to an acceptable level?
If our risk management capabilities require improvement, do we have a plan to take them to the next level of maturity?
Are we over-reliant on our people to manage some of our critical risks and, therefore, exposed in the event of an unexpected departure or termination?