Thursday May 24, 2012

More Effective Board Risk Oversight

Protiviti Managing Director Jim DeLoach details seven changes boards can make to improve risk oversight.

A recent survey by Protiviti and COSO revealed that board members are divided on the effectiveness and maturity of their risk oversight processes and efforts. While 53 percent rated their organization’s risk oversight process as “effective” or “highly effective,” more than 70 percent indicated that their boards aren’t formally executing mature, robust risk oversight processes.

Jim DeLoach (Copyright Gittings, 2007)

As new legislation, shareholders and disclosure requirements force boards to rethink their risk oversight process, they should consider these seven recommendations in view of their organizations’ current operations and risks:

1. Implement a more structured process for monitoring and reporting critical enterprise risks and emerging risks to the board – While most companies monitor and report risks, survey results suggest opportunities for improvement. For example, a company might formalize the common risk assessment methodology that is based on subjective inputs of the severity of impact of potential future events and the likelihood of those events occurring by making it a regular and more robust process with results shared with the board periodically.

2. Look for opportunities to make the risk reporting process more effective and efficient and increase the regularity of reporting according to the organization’s operations and risk profile – According to a majority of respondents, reports that the board does not receive at least annually include: scenario analyses evaluating the effect of changes in key external variables impacting the organization; a summary of exceptions to management’s established policies or limits for key risks; and a summary of significant gaps in capabilities for managing key risks and the status of initiatives to address those gaps.

3. Come to an agreement with management on the risk-related matters that need to be escalated to the board, addressing the what, when and why – Escalation protocols specifically tailored to the company’s operations and risks are important. For that reason, it’s vital to the risk oversight process to determine what must be escalated to the board (e.g., limits violations), as well as when and why.

4. Encourage employment of techniques that foster out-of-the-box, big-picture thinking focused on the critical assumptions underlying the corporate strategy to assess the strategic risks and uncertainties the enterprise faces – Given the volatility of the times, organizations may want to allocate more time and resources toward understanding what they don’t know by employing techniques focused on the critical assumptions underlying the corporate strategy. As they do so, they may identify opportunities to enhance and focus the board risk oversight process further.

5. At least annually, focus on whether developments in the business environment have resulted in changes in the critical assumptions and inherent risks underlying the organization’s strategy and the effect of such changes on the strategy and business model – Less than 15 percent of respondents are fully satisfied with the processes for understanding and challenging assumptions and inherent risks associated with the corporate strategy and monitoring the impact of changes in the environment on the strategy and business model. Implementation of, or enhancements to, these processes may help the board address two questions fundamental to the risk oversight process – “What do we do if the critical assumptions underlying our strategy and business model are no longer valid?” and “How would we know if our assumptions were no longer valid?”

6. Implement a more defined, rigorous process supporting the risk appetite dialogue between the board and management, and ensure the results of this dialogue are driven down into the organization in an appropriate manner – Risk levels and uncertainty have changed significantly over recent years for most organizations. The board and management may find it beneficial to engage in a periodic dialogue regarding risk appetite, possibly covering topics such as the maximum acceptable level of performance variability in specific operating areas; targeted strategic, financial and operating parameters; upside/downside debates on significant matters; risks and assumptions inherent in the corporate strategy; and “hard spots”/“soft spots” in the business plan. The board also may consider when and under what circumstances it should be informed of exceptions and near misses to the organization’s risk tolerance parameters and any planned actions to address them.

7. Incorporate appropriate questions relating to risk oversight in the board’s periodic evaluation of board performance effectiveness – Depending on the business and its risks, one practical approach for self-evaluating the risk oversight process is to incorporate an assessment of it within the board’s existing periodic self-assessment process, such that the evaluation of the risk oversight process is conducted at least as often as the overall assessment of board effectiveness.

For the complete survey report, visit www.protiviti.com.

Jim DeLoach is managing director of Protiviti.
