Tag Archive: Risk Oversight

8 Risk Oversight Practices to Master in 2017

Boards and executive teams are challenged by a fast-changing, highly interdependent, and often ambiguous external environment that continually creates unforeseen opportunities and risks. Volatility is the new normal. Not surprisingly, according to the National Association of Corporate Directors’ (NACD) most recent public company governance survey, global economic uncertainty ranks as the top trend corporate directors believe will impact their company in 2017. In yet another NACD poll conducted during a recent webinar, 49 percent of directors did not feel that management was providing them with a reliable view of the future.

The recent election of Donald J. Trump as President of the United States is likely to contribute to this growing sense of uncertainty, with the corporate director community evenly divided about the potential impact, according to the NACD webinar poll. Forty-two percent of directors report that his administration will be good for business, while 42 percent are unsure about the impact, and still another 16 percent believe that a Trump presidency will not be good for business.

In this complex, uncertain environment, what can boards do to gain more comfort from management that risks are accurately identified and well-controlled?

The International Standards Organization in ISO 31000 defines risk as “the effect of uncertainty on objectives,” which can be a negative or positive deviation from what is expected. More specific to business, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is currently defining risk as “The possibility that events will occur and affect the achievement of strategy and business objectives.” Each of these definitions of risk exposes a company to potential loss—indeed, yet another definition of risk authored by insurance professionals highlights risk as the possibility of loss. Yet when viewed as part of an active business dynamic, risk, as daunting as its manifestations may be, is far more than the chance of loss. Rather, risk is a level of uncertainty that can create economic opportunity.

The recently released Director Essentials: Strengthening Risk Oversight identifies eight leading risk oversight actions that directors can take to seize opportunities and avoid the loss possibilities inherent to risk. A brief outline of each action and a key question boards should consider asking follows.

1.) Clarify the Roles of the Board, Committees, and Management. The board, all board committees, and all members of senior management need to know their unique roles in risk oversight. Without clarity on ownership of specific responsibilities, redundancies and lapses can occur.

The practice of role definition helps establish a clear mandate for risk oversight by the board and offers management a blueprint for the execution of risk management.

  • Is there a common understanding among management, the board, and board committees about their respective roles, responsibilities, and accountabilities on strategy?

2.) Understand the Company’s Risk Profile. Especially in light of the new environment, all board members should be aware of the company’s key risk exposures, which collectively are referred to as the company’s risk profile. Oversight of any business requires understanding the major risks that it faces now and in the future, and making decisions accordingly. Although the universe of risks that a company faces may be almost limitless, a company’s risk profile is the composite (and analysis) of the most pressing risks that impact strategy and reputation.

  • What are the strategic assets we must protect at any cost? Are they at greater risk now?

3.) Define the Company’s Risk Appetite. Companies take risks in order to grow and compete in the marketplace, yet they need parameters for how much risk they are willing to accept. The board plays a critical role in defining the boundaries of risk for the company.

  • Given our risk profile, strategy, and the uncertainty surrounding the current business environment, what risk appetite should our company have? Have we clearly cascaded our risk appetite into decision-making processes at the level of operations?

4.) Integrate Strategy, Risk, and Performance Discussions. All too often, risk and business performance assessments are divorced from the strategy process in the organization. These silos increase the likelihood of poor, costly decisions.

  • When we discuss strategy in this evolving environment, how do we consider both risks to the strategy and the risks inherent in our chosen strategy?

5.) Ensure Transparent and Dynamic Risk Reporting. Risk reporting must reach the right people with the right information. Reports should not be limited to the metrics mandated by external disclosure rules—they should include all the information the board needs to assess the company’s risk exposure. Similarly, reporting should be dynamic, taking into consideration the velocity by which existing risks change or new risks emerge.

  • What is the threshold for risk-related reporting to the board (e.g., categories of risk, specific issues or incidents)? What situations may call for greater board engagement (e.g., perceived management failure to disclose or address a critical risk)? Do we have a protocol that defines these situations? 

6.) Reinforce Clear Accountability for Risk. The management of risk in today’s often-extended enterprise is complex, with executive teams typically transferring ownership of risks to specialist functions. But examination of recent risk disasters reveals that diffuse accountability for risk management is a major problem.

  • As we reward our executives, do we take into account their ability to anticipate and manage risk? Are accountability for and performance in managing risks effectively embedded in incentive structures at all levels of the organization? How far down the reporting chain do our incentives for risk management excellence go?

7.) Verify That Mitigation Reduces Risk Exposure. The success or failure of risk mitigation is often underreported, leaving boards with a limited understanding of whether or not risks are effectively minimized over time.

  • Do we clearly differentiate between risks that can and cannot be mitigated? Are our mitigation plans realistic? Do we understand that mitigation does not mean elimination? Have we clearly communicated our expectations for reporting on risk mitigation?

8.) Assess Risk Culture. Culture is often described as how work really gets done when no one is looking, and it is critical to ensuring a successful and sustainable strategy. More specifically, risk culture is a critical subset of overall corporate culture defined as the behavioral norms inside a company that drive both individual and collective risk decisions. A well-balanced risk culture can unleash innovation, and deter fraud and abuse.

  • Do we have a culture in which staff at all levels know what risks to take and what risks to avoid? How willing are employees to speak up about problems that can cause significant risk to the organization?

By adopting the above eight practices, directors can help their companies prepare for risks in 2017 and beyond.

For more NACD insight and support on board risk oversight, please visit our Risk Oversight Resource Center.

Is Internal Audit Meeting the Board’s Expectations?

Published by Jim DeLoach


Recently, the world’s largest ongoing study of the internal audit profession—the Global Internal Audit Common Body of Knowledge (CBOK)—was completed by the Institute of Internal Auditors (IIA) and Protiviti to ascertain expectations from key stakeholders regarding internal audit performance at organizations of varying operational models and sizes. The study sought input from members of audit committees all over the world about their expectations of the internal auditor’s role in the organization. We think all directors will find the results of the study applicable to their work in the coming year and beyond.

Below are six imperatives for internal auditors from the CBOK study based on feedback from audit committee members.

1. Focus more on strategic risks. According to the CBOK study, two out of three board members believe internal audit should have a more active role in evaluating the organization’s strategic risks. Study respondents indicated that internal audit should focus on strategic risks (as well as operational, financial and compliance risks) during audit projects (86 percent) and periodically evaluate and communicate key risks to the board and executive management (76 percent). Accordingly, chief audit executives (CAE) must focus their function sufficiently on the bigger picture to think more strategically when evaluating risks, proposing risk-based audit plans, and formulating audit findings. By understanding the organization’s business objectives and strategy, and identifying risks that create barriers to the organization achieving its objectives and executing its strategy successfully, the CAE increases internal audit’s value proposition.

2. Think beyond the scope. The call for internal auditors to think strategically leads to another challenge: thinking beyond the scope of the audit plan. Thinking beyond scope means, for example, that the auditor should:

  • “Connect the dots” when considering enterprisewide implications of the findings of multiple audits, particularly findings with significant business model underpinnings;
  • Broaden the focus on operations, compliance, and nonfinancial reporting issues; and
  • Watch for patterns or signs indicating a deteriorating risk culture.

By focusing more broadly on the implications of audit findings, and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical, and harder-hitting recommendations aligned with what directors are seeking.

3. Add more value through consulting. In today’s era of slower economic growth, a high premium is placed on operational effectiveness and efficiency. The CBOK study respondents picked up on this point, as 73 percent of respondents recommended that internal audit advise on business process improvements. For example, consulting activities by internal audit can result in: strengthening of the lines of defense that make risk management work; more effective collaboration with other independent functions focused on managing risk and compliance; improvements in the control structure, including greater use of automated controls; and suggestions for improving and streamlining compliance. These study findings underscore the benefit of investing in consulting services that will strengthen business processes.

4. Facilitate effective, high-quality communication. Board members generally rate internal audit’s communication at a high level of confidence. For example, a large majority of directors give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communication. That’s good news and a great foundation on which to build the board’s satisfaction with the internal auditor’s role.

5. Elevate stature and perspective. Intentionally positioning the CAE and internal audit within the organization is vitally important to their ability to meet elevated expectations. Access and perspective have always been keys to positioning. Access has typically been attained through direct reporting to the audit committee, as well as to the C-suite. But beyond these reporting lines, the study reports that two out of three board members rank the CAE’s participation in board settings beyond the traditional audit committee meetings as an effective strategy for broadening the CAE’s perspective. The board settings that are relevant in this context must be defined by directors to fit the organization’s specific needs. However the goal is defined, increased access to and more frequent interaction with the board broadens the CAE’s perspective of the organization and elevates the stature and visibility of the internal audit function within it. It also enables the CAE to establish relationships with directors, understand their views on addressing competing audit priorities, and earn the right to be viewed as a valued source of insight for the board.

6. Align with stakeholder expectations. In most organizations, not all stakeholders see eye to eye or want the same value from internal audit. This reality creates a significant challenge for CAEs tasked with building consensus among stakeholders. While directors may not expect their company’s CAE to address all of the above imperatives, they should initially and periodically assess whether internal audit is doing what matters based on previously-established imperatives. The CAE bears the brunt of the responsibility for addressing this challenge by articulating the value that a top-down, risk-based audit plan contributes to each facet of the organization, and by providing an assurance and advisory perspective that the board, executive management, and other stakeholders can understand.

Following are some suggested questions that directors may consider based on the risks inherent in the entity’s operations.

  • Does the board periodically evaluate the scope of internal audit’s activities and discuss whether modifications are needed in view of changes in company operations and the business environment? Is the board getting the insights it needs?
  • Does internal audit provide adequate attention to strategic risk issues, including barriers to the organization’s execution of the strategy?
  • Does internal audit have an appropriate mix of consulting and assurance activities?
  • Does internal audit have the stature and access necessary to maximize its effectiveness?

Jim DeLoach is managing director with Protiviti, a global consulting firm. 

Brexit Fallout: Seven Board Actions to Protect Your 2016–17 Results

It has become clear that Britain’s vote to leave the European Union (EU) is a major disruption to global business plans, and its consequences clearly rise to the board level. Ongoing political chaos in the United Kingdom (UK) is having seismic economic effects and has already amplified downside political risks across Europe.

“Wait and see” is a dangerous response to a highly uncertain situation. Proactive board leaders can undertake several immediate initiatives that will minimize the damage to 2016 results in Europe and improve the resiliency of your company’s plans for 2017 and beyond.

What we know today: The UK’s economy will contract next year. Frontier Strategy Group’s (FSG) Europe, the Middle East, and Africa (EMEA) Team forecasts a sharp slowdown in UK growth in the second half of 2016, deepening into a recession of -0.5 percent in 2017. Regardless of the pace and the aim of its exit negotiations with the EU, deep splits within the UK’s major political parties and energized independence movements in Scotland and Northern Ireland guarantee governmental dysfunction and depressed sentiment among consumers and businesses.

Beyond the UK, certain economies are especially vulnerable. Ireland, Norway, and the Netherlands will be hurt quickly as UK demand shrinks. Around the world, UK and European economic woes are likely to hit Poland, South Africa, Algeria, Azerbaijan, Bangladesh, and Costa Rica especially hard in their respective regions.

What we won’t know anytime soon: As of yet, it is impossible to predict (1) whether the European Union will change fundamentally or lose additional members, (2) the political and economic effects of energized populist parties in many European countries, (3) the downside risk to the UK from regional separatism, or (4) the new destinations for foreign investment that may leave the UK. Scenarios and contingency plans are essential tools to manage risk and identify targeted opportunities in this environment.

Bolster Commercial Execution in the Second Half of 2016

Boards should expect to receive a rapid-response sales strategy review from UK executives and risk assessments for Europe overall. Is management being sufficiently proactive in managing new risks?

  1. Prioritize risks to 2016 sales targets—In the UK, business investment is most likely to see near-term declines as companies worried about growth move to limit expenditures (hiring is sharply down in London), while consumer sentiment will be dragged down by housing-price shocks. Sterling and euro depreciation will hit specific customer segments hard. Expect management to proactively engage customers about changes to their expected spending, and redeploy sales and marketing resources to the least vulnerable territories.
  2. Target contingency plans on talent and finance—Uncertainty about visa requirements for Europeans in the UK (and for non-UK citizens generally) is a serious engagement and retention risk. Currency effects are wiping out margins for some UK subsidiaries and should force a near-term rethink of hedging and payment terms. Expect management to document contingency plans with signposts and priority actions by function, especially for finance and human resources (HR).
  3. Track leading indicators of changes in demand—Volatility in currency markets and commodities markets will have global ripple effects on business and consumer sentiment, and on government finances—especially in emerging markets. Ask if European management teams are adjusting their dashboards and monthly/quarterly agendas accordingly.

Stress-Test Strategic Plans for 2017 and Beyond

The next planning cycle will be more demanding than usual. Updating forecast data is a small part of the needed response. So much will remain uncertain that plans for Europe (and for markets with links to Europe) should be stress-tested for resiliency against downside scenarios. Contingency plans should be put in place for big bets.

  1. Use scenarios to model UK and EU demand—FSG’s benchmarking found that simple scenarios are key to organizational alignment and resilience; the companies that do this best grow market share 2.1 times faster than their competition in volatile markets. My pre-Brexit vote NACD post highlights a range of risks worthy of incorporating into scenario plans.
  2. Evaluate risk exposure in European operations and the supply chain—Profitability and pricing power for imported products will diminish if barriers to trade with the UK increase and European currencies weaken further. Scenario analysis can help evaluate potentially improved returns from localized production and supply-chain structure.
  3. Rethink Europe/EMEA hub locations—Potential changes that affect HR, legal, regulatory, and finance teams may tip the scales in favor of revisiting the UK as a hub for EMEA, Europe, or Western Europe leadership and operations. Balance financial and political/reputational considerations along with change-management costs. Retention of European nationals currently based in the UK is becoming a factor as well.
  4. Reassess global market-portfolio prioritization—Long-term investment plans for Europe must be rebalanced given the likelihood of a UK recession in 2017 and ripple effects varying among other European countries. Moreover, investment cases for Europe are likely to face sharply skeptical review even as EMEA leaders strive to make up the gap that UK underperformance will create. At the global level, Asia-Pacific and Latin America leaders have an opportunity to put forward more aggressive plans for 2017 and beyond. India in particular is a substantial market that remains under-penetrated by foreign companies; higher-risk big bets there may be more warmly received when Europe looks so uncertain.

When uncertainty is high, boards have a valuable role in helping management bring focus to the most important decisions rather than falling victim to firefighting and analysis paralysis. Companies that set a proactive agenda now for a mid-year course correction and forward planning will be well positioned despite market volatility in the year ahead.

Joel Whitaker is Senior Vice President of Global Research at Frontier Strategy Group (FSG), an information and advisory services firm supporting senior executives in emerging markets.
