As the business environment changes, risk profiles change and business models are exposed to disruption, there are many questions that directors can ask about the organisation’s risks and risk management. Mike Purvis, MD of global business consulting and internal audit firm Protiviti, says there are five key questions directors should be asking.
1. Does our risk profile reflect the significant risks we face currently?
When management reports on the company’s top risks, the reporting should highlight:
- Whether the noted risks increased or decreased
- Any risks that are new
- Whether the current summary excludes risks previously reported.
In addition to addressing the severity of impact and likelihood of occurrence, it may be useful to prioritise “high impact, low likelihood” risks in terms of their reputational effect, velocity to impact, and persistence of impact, as well as the enterprise’s response readiness.
Companies should strive to keep risk assessments fresh. A critical aspect of keeping a risk profile current is the timely identification of emerging risks.
2. Are our risk management capabilities continuously improving to ensure we are managing our risks effectively in a changing business environment?
Once the key risks are targeted, someone must own them. Gaps and overlaps in risk ownership should be minimised, if not eliminated, so accountability for results is firmly established with the lines of business and process owners.
The board should satisfy itself that:
- A robust process for managing and monitoring each of the critical enterprise risks is in place, including effective response plans in the event of a crisis;
- Risk management capabilities are improved continuously as the speed and complexity of business changes; and
- Reporting on risks and risk management performance is timely and reliable.
3. Are directors and executive management on the same page in terms of risk appetite?
Directors should engage management in a periodic dialogue about the risks the enterprise should take, the risks it should avoid and the parameters within which it should operate. A robust risk appetite dialogue frames the following question: “How do we know we are executing our business model within the parameters of our risk appetite?” The only way to know for sure is to decompose the risk appetite statement into more specific risk tolerances and use them to manage performance variability around the achievement of business objectives.
4. Is our risk culture encouraging the right behaviours?
If the CEO chooses to ignore the warning signs raised by risk managers about dysfunctional organisational behaviour, or if the reward system is wrongly focused on short-term performance targets, it is a sign that directors are not asking the tough questions about the assumptions and risks underlying the strategy.
A risk culture conducive to effective risk management reflects the shared values, goals, practices, reinforcement mechanisms and attitudes that embed risk into an organisation’s decision-making processes and operations. It encourages open communication, sharing of knowledge and best practices, continuous process improvement, and a commitment to ethical and responsible business behaviour. It also balances entrepreneurial activities and control activities.
5. Have we integrated risk management with the appropriate management processes?
By integrating risk management with other executive management matters, organisations can achieve their risk management objectives more readily and more successfully execute their risk management strategy. Integration could include such processes as strategy-setting, annual business planning, performance management, budgeting, competitive intelligence, capital expenditure funding, and merger and acquisition (M&A) targeting, due diligence and integration.