
Current State of Enterprise Risk Oversight

A recent publication, Global Risk Oversight, by the North Carolina ERM Initiative, in partnership with the Chartered Global Management Accountant (CGMA) designation, provides insights on the current state of enterprise-wide risk oversight, including the similarities and differences identified across different parts of the world.

Here are some key findings, with emphasis added:

  • Organizations all around the world perceive an increasingly complex risk environment.
  • Risk management practices appear to be relatively immature across the globe. Around 30% or less of organizations indicate they have ‘complete’ enterprise risk management (ERM) processes in place. Only about 25% of the survey respondents describe their organization’s risk maturity as “mature” or “robust”.
  • Most organizations struggle to integrate their risk management processes with strategic planning. Despite the fact that most strategies may be impacted by a number of risks, only about 50% of organizations around the world “mostly” or “extensively” consider risk exposures when evaluating new strategic initiatives.
  • There is a lack of detailed risk oversight infrastructure in most organizations. Only a few organizations have formal risk management policy statements and frequently updated risk reports.
  • Around 80% of organizations have not conducted any formal risk management training for their executives.
  • There is increased pressure on management to strengthen risk oversight. Depending on the geographical location of the organization, this pressure is coming from either the board of directors, the CEO or the audit committee.
  • Lack of sufficient resources to invest in ERM and the perception that there are more pressing competing priorities have been identified as the biggest barriers impeding the progress of maturing the organization’s risk management processes.

In light of these findings, the authors of the report recommend that:

  • Senior executives and boards of directors honestly and regularly assess their organization’s current approach to risk oversight in today’s changing risk environment.
  • Management genuinely consider whether the process used to understand and evaluate risks associated with the organization’s strategies actually delivers any unique capabilities to manage and execute their strategies.
  • Organizations appoint a risk champion such as a Chief Risk Officer (CRO) or create a management-level risk committee in order to help strengthen the risk management function and ensure all risk management processes are appropriately designed and implemented.
  • Organizations spend time analyzing the vast amounts of data they have to generate insights about emerging risks that may impact their organizations’ strategic success.

Overall, the report is a good read and a great starting point for improving enterprise-wide risk oversight.

It helps senior executives ask important questions when evaluating their organizations’ overall approach to risk oversight. However:

  • Although the authors mention regular updating of the risk register, I would add that risk management is not about list compilation; otherwise organizations might find themselves building risk lists that lack any insight for effective decision making. It is about identifying and evaluating those key risks with the potential of derailing the organization’s strategic success and finding effective ways of mitigating any losses. Furthermore, intelligent risk decision-making does not look only at the downside of risks but also at the opportunities found in taking calculated risks.
  • There is no mention in the report of offering risk management training to middle-level and lower-level employees, only to senior executives. The tone at the top and culture will determine if the organization succeeds at maturing risk management processes. Identifying and managing enterprise risks should be everybody’s responsibility within the organization. Thus, I believe there should be a common risk language throughout the organization.
  • Appointing a risk champion to strengthen risk oversight is critical. However, the individual appointed must have a deeper understanding of the business, its critical performance drivers and the ability to partner with the rest of the business. He or she must also be able to deliver the necessary risk training required.
  • Clear communication channels should be established to enable free flow of risk communication from top-down and bottom-up. People should not be scared to raise red flags or emerging risk issues to senior executives. Although the board of directors ultimately holds the risk oversight responsibilities to shareholders and other stakeholders of the business, if they receive inappropriate risk reporting from the bottom, the information they will feed to these interested parties will also be inadequate.
  • Risk management should be ingrained in the DNA of the business. Risk conversations should be about supporting strategic objectives achievement and enhancing business performance, as opposed to being a box-ticking exercise all the time.

Do the survey findings reflect the situation at your organization? If so, what are you doing to improve this situation?

I welcome your comments and views.


Defining and Evaluating Business Risks

Having an effective enterprise risk management (ERM) program that helps to measure, monitor and manage risks is no longer a nice-to-have but a must.

Organizations regardless of which industry they operate in are increasingly facing strong headwinds that are forcing them to rethink the way they run their businesses, build new capabilities, implement agile strategic responses and approach risk management more seriously.

New technologies, increased economic and political uncertainty in emerging markets, slowing global growth, commodities price decline and Brexit are some of the issues posing immense pressures on organizational decision makers and value chains.

In this environment, objectively defining risk and measuring its impact on the business is imperative. This is critical for designing and implementing effective mitigation plans, creating value and improving business performance.

Benchmarking is not always the answer

Benchmarking is one of the popular tools used by decision makers to improve processes and ultimately business performance. So often business managers make reference to benchmarking information to gauge their organization’s performance against the “so called best” in the industry.

However, because every business and organizational structure is unique in its own way, care must be taken when using benchmarking. No two businesses are exactly the same in all aspects.

Data is critical when measuring risk. Without the data, the whole process becomes pure speculation. In today’s digital economy and information age, data collection is dynamic, allowing businesses to continuously evaluate risks. However, the data type, quality, quantity and method of gathering varies by organization, process, and functionality.

Thus, in order to benefit from benchmarking, decision makers need to first clearly understand the methods used to gather the benchmarking information, the integrity of the gathering process, and how this relates to their organization’s specific situation.

Identify the risk

Identifying the risk events is one of the most critical steps in performing a successful risk assessment exercise.

The challenge for many people is that they consider the risk identification process as a “listing” exercise of all the things that might go wrong in any given time period.

The objective of enterprise risk assessment is not to maximize the number of key risk indicators (KRIs), but rather to take a holistic view of risk across the enterprise and prioritize resources and efforts on those risks deemed critical to the business.

Identified risks must be those significant to the business and have the potential of adversely derailing successful strategy execution. Thus, it is imperative that risks and strategic planning are clearly linked with some type of appropriate risk response.

What is the probability of occurrence?

The probability of occurrence should determine whether the identified risk(s) is/are worthy of management, control, or not. Determining this probability is not a subjective or guessing exercise.

Instead, data analysis is a critical part of the process, as it provides factual information on which to base the assessment. Data is one of the most valuable assets for an organization today. Businesses that are able to leverage data and analytics in their risk assessments are uniquely positioned to better run their operations and achieve strategic, operational and financial success.

Make sure the data used in the analysis is accurate, reliable and real-time as this is critical for both performing an objective/fact-based risk assessment and presenting a truer reflection of the situation.

In today’s data and analytics world, organizations can take advantage of new technologies and incorporate predictive analysis in their data-based risk assessment models. Making strategic decisions based on information provided by backward-looking and reactive models will lead you and your business to unwanted territories.

Predictive models are forward-looking and allow business managers to be proactive. They help you identify trends and patterns, plan for the future with greater certainty and implement agile responses.

Consider the impact of the risk event(s) on the business

Unfortunately, for many organizations, risk management is a box-ticking exercise with little emphasis placed on overall impact on the business. People do not understand the impact of identified risks on the overall achievement of objectives and business performance.

Furthermore, risks today are interconnected. One risk event can lead to a chain of risk events, and if not properly mitigated, the exposure to the business is large. It is therefore imperative that you clearly understand the impact on the achievement of objectives not only of the original risk event, but also of the related risks it triggers.

Being knowledgeable about these risks helps design and implement an effective ERM program that prioritizes identification, assessment and management of those risks significant enough to cause havoc to the business and negatively affect performance.

Build a good foundation

Designing and implementing a successful ERM program is not a one-off or short-term business objective. Instead, it is a continuous strategic initiative for the long-term success of the organization.

Laying a good foundation starts with the organization clearly defining its ERM strategy, identifying key risks to the business and utilizing an effective set of KRIs.

If properly designed, these KRIs will help you to estimate the probability and also evaluate the impact of more than one risk across different aspects of your business. The focus is not on managing individual risks, but rather on taking a holistic view of risks across the enterprise to ensure success.

Senior management commitment towards ERM is also required to ensure middle and lower level employees continuously recognise risk management as an important strategic imperative critical for driving performance.

I welcome your thoughts and comments.

The Basics of Cyber Risk Management

New technologies, increasing digitization and globalization are transforming customer behaviors, operations and business models, presenting huge opportunities for business success while at the same time driving up cyber incidents. As organizations embark on their digital transformation journeys, it is imperative that they also assess the possible threats presented by these new technologies.

Traditionally, the focus of risk management has been exclusively on protecting value. However, in today’s digital economy, there has to be a shift from value protection to value creation. How best can you leverage risk management to benefit from new technologies and digital innovation?

Companies that place all their emphasis on value protection and risk avoidance are likely to find themselves at the bottom of the pecking order. On the contrary, those organizations that approach risk management the appropriate way and establish better ways to address cyber risk are in a unique position to achieve greater competitive advantage and superior business performance.

Cyber Risk Should Become a Strategic Imperative

As the number of reported cyber incidents continues to escalate, it is clear that cyber risk is now a top-tier business risk. This means cyber risk management must become a strategic priority. The challenge for many C-suite executives and boards is that they lack a deeper understanding of cyber risk and its implications for the business.

This lack of deeper knowledge and understanding of the cyber threat landscape makes it difficult for many executives to hold meaningful conversations around the topic.

Although cyber risk is everyone’s responsibility within the organization, boards and C-suite executives play the ultimate oversight role. They have to make sure the organization has a functioning cyber program that is aligned with risk appetite and threshold.

As one of the members of the C-suite, in partnership with the CEO, the CFO can play a critical role in ensuring that there are frequent discussions around the strategy table concerning cyber risk.

Risk and performance are interrelated, and since the CFO is mainly responsible for organizational performance improvement, s/he possesses the business acumen and analytical capabilities to create awareness of cyber risks and provide regular reporting to the CEO and the board.

The business environment is increasingly complex and so is the enterprise risk landscape. Successfully driving performance in this environment therefore, demands the board and C-suite level to have a deeper understanding of risks capable of derailing strategic execution.

In other words, these senior personnel must develop a positive risk mindset as well as the ability to ask the key performance questions. This is necessary to gauge the organization’s cyber risk exposure and build cyber resilience.

It is therefore, critical that boards and C-suite executives stay informed about cyber threats and their potential impact on the organization’s strategy execution, reputation, financial and operational performance.

Understand the Nature of Cyber Threats and Attacks

In order to effectively manage cyber risk, it is important for senior executives and their teams to have thorough knowledge and full awareness of the different types of cyber incidents. Over the past few years, cyber crime has grown well beyond simple cases of theft and fraud. Cyber threats now include digital terrorism, government-sponsored hacks, disruption of services, corruption of data, man-in-the-middle (MITM) attacks, malvertising, rogue software, ransomware and advanced persistent threats.

The above cyber incidents can all result in the organization incurring huge tangible and intangible costs. Organizations that have fallen victim to cyber criminals can attest that the aftermath costs are detrimental to the long-term survival of the business. Costs incurred by these organizations include regulatory penalties, legal damages, financial compensation to affected parties, loss of competitive advantage, loss of customer and business partner trust and ultimately damage to the organization’s reputation and brand image.

How is your organization’s track record in terms of documented cyber attacks and data breaches?

Having an experienced and knowledgeable leader surrounded by a capable team is key to ensuring that the organization has the traits to detect, monitor and proactively respond to cyber threats and attacks.

Today, stakeholders are placing higher confidence in leaders who are exhibiting greater risk awareness and have sound strategies in place to protect business assets against unknown threats.

Important to note, though, is that cyber risk management goes beyond the technical. Not everyone needs to be an IT security specialist.

Having business acumen and enough appropriate knowledge to engage in intelligent conversations concerning cyber security and risk is key to grasping the fundamentals of cyber risk.

Embed Cyber Risk into the ERM Framework

Start with an enterprise-wide cyber risk policy that is approved by the board and embedded into the business’s ERM framework. The cyber risk program must take into account all the aspects of the business that are susceptible to attacks and data breaches. Are there adequate security controls in place? Does the organization have the capability to detect and monitor vulnerabilities?

Moreover, KRIs and KPIs must be developed and monitored regularly. This will help immediately identify any threshold and performance breaches and, in turn, escalate such breaches to senior management. A useful KRI is a leading indicator tied to a specific risk, with warning and critical thresholds agreed in advance, so that a breach triggers a predefined escalation rather than a debate about whether the number matters.

When cyber risk is part of the ERM framework, a cyber-aware culture is promoted, which means cyber risk management becomes an everyday part of the business. People will take ownership of the management of risk and proactively involve others when needed.
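To make the two points above concrete (the interconnected, chained risks described under “Consider the impact of the risk event(s) on the business” and the KRI threshold monitoring and escalation just discussed), here is an added worked example in Python. It is not code from the original post or from any ERM product. The risk register, the cyber KRIs, their thresholds and the conditional probabilities on the edges between risks are all constructed, illustrative values; the model treats upstream causes as independent and the risk graph as acyclic, both of which are assumptions a real register would have to justify.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    probability: float          # stand-alone probability of the event in the period (0..1)
    impact: float               # impact score on a 1..5 scale
    # downstream risk name -> P(downstream occurs | this risk occurs); assumed values
    triggers: dict = field(default_factory=dict)


@dataclass
class KRI:
    name: str
    risk: str                   # the risk this indicator is a leading signal for
    value: float
    warning: float
    critical: float
    higher_is_worse: bool = True


def kri_status(kri: KRI) -> str:
    """Classify an indicator reading as 'ok', 'warning' or 'critical'."""
    if kri.higher_is_worse:
        breached = lambda threshold: kri.value >= threshold
    else:
        breached = lambda threshold: kri.value <= threshold
    if breached(kri.critical):
        return "critical"
    if breached(kri.warning):
        return "warning"
    return "ok"


def escalations(kris):
    """Return (name, status) for every breached indicator, most severe first."""
    rank = {"critical": 0, "warning": 1}
    hits = [(k.name, kri_status(k)) for k in kris]
    hits = [h for h in hits if h[1] != "ok"]
    return sorted(hits, key=lambda h: rank[h[1]])   # stable: ties keep register order


def propagated_probabilities(risks):
    """Combine each risk's own probability with the chance an upstream event
    triggers it: P(not R) = (1 - own) * prod(1 - P(upstream) * P(R | upstream)).
    Assumes independent causes and raises on a cycle in the risk graph."""
    by_name = {r.name: r for r in risks}
    upstream = {r.name: [] for r in risks}
    for r in risks:
        for downstream, cond in r.triggers.items():
            upstream[downstream].append((r.name, cond))
    memo, visiting = {}, set()

    def prob(name):
        if name in memo:
            return memo[name]
        if name in visiting:
            raise ValueError(f"cycle in risk graph at {name}")
        visiting.add(name)
        p_not = 1.0 - by_name[name].probability
        for up, cond in upstream[name]:
            p_not *= 1.0 - prob(up) * cond
        visiting.discard(name)
        memo[name] = 1.0 - p_not
        return memo[name]

    return {r.name: prob(r.name) for r in risks}


def prioritised_exposure(risks):
    """Rank risks by expected impact using propagated, not stand-alone, probability."""
    probs = propagated_probabilities(risks)
    rows = [(r.name, probs[r.name] * r.impact) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register: illustrative numbers, not from any real organization.
RISKS = [
    Risk("unpatched_critical_vuln", 0.40, 2, {"ransomware": 0.30}),
    Risk("phishing_compromise", 0.50, 2, {"ransomware": 0.20}),
    Risk("ransomware", 0.05, 5, {"service_outage": 0.80, "regulatory_penalty": 0.40}),
    Risk("service_outage", 0.10, 4),
    Risk("regulatory_penalty", 0.02, 3),
]

# Constructed KRI readings with pre-agreed warning/critical thresholds.
KRIS = [
    KRI("critical_vulns_open_over_30d", "unpatched_critical_vuln", 12, warning=5, critical=10),
    KRI("phishing_click_rate", "phishing_compromise", 0.08, warning=0.05, critical=0.10),
    KRI("mean_time_to_detect_hours", "ransomware", 20, warning=24, critical=72),
    KRI("backup_restore_test_success_pct", "service_outage", 85,
        warning=95, critical=90, higher_is_worse=False),
]

if __name__ == "__main__":
    for name, status in escalations(KRIS):
        print(f"ESCALATE {status.upper():8s} {name}")
    for name, exposure in prioritised_exposure(RISKS):
        print(f"{exposure:6.3f}  {name}")
```

Run stand-alone, the script escalates the two critical indicators (open critical vulnerabilities and the failing restore tests) ahead of the phishing warning. The ranking is the more instructive part: on stand-alone numbers ransomware (0.05 × 5 = 0.25) would sit near the bottom of the register, but once the upstream vulnerability and phishing paths are propagated its probability rises to about 0.25 and it becomes the top exposure, with the outage it can trigger second. That is the “chain of risk events” the text warns about, made visible by the register rather than discovered after the fact.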

The board and C-suite should set the right tone at the top in order to ensure there is a buy-in at the lower levels. If the top level is not concerned and ignorant of cyber risk, it is extremely difficult for the lower levels to prioritize cyber risk management.

Thus, it is important that when executives talk about cyber risk, they do so openly and honestly using common language that promotes shared understanding throughout the organization.

I welcome your thoughts and comments.

Finance’s Role in Managing Enterprise Risks

The risk landscape is changing fast. Risks are multiplying at an alarming rate threatening to cause both financial and reputation ruin to the business. Because of this increasing risk complexity, there is a heightened focus on effective risk management.

Senior management and board members are consistently looking for a deeper understanding of the organization’s risk profile and how various risks to the business are managed.

Risk management is an enabler of higher level performance.

Without taking risks, organizations cannot grow and achieve strategic success. Risk is no longer something to only dread, minimize and avoid. Instead, leading organizations are using risk management activities to create value and help them improve their businesses.

It is therefore critical to ensure that efforts to mitigate the downside impact of risks are coordinated with efforts to manage risks that support business growth.

As a strategic thinker, the CFO should play an important role in helping other executives and the board get a deeper understanding of the organization’s key risks and risk management capabilities. He or she can help build an ERM framework that is entrenched in the organization’s management processes and functions.

A well-structured and coordinated ERM framework provides support and guidance on risk management activities, helps identify and manage enterprise risks holistically and makes risk consideration an inherent part of key decision-making processes. On the contrary, a siloed approach to managing risks exposes the business to significant risks and value erosion.

Unfortunately, in most organizations, risk management is a disjointed process. Multiple functions manage one or more aspects of the company’s risk profile with minimal coordination between them. For instance, each function carries out its own risk assessment process using different risk terminologies, methodologies and reporting practices. Decision makers are overwhelmed with multiple versions of the truth.

The problem with this approach is that it often leads to confusion on the true meaning of risk, duplication of efforts, unnecessary bureaucracy and costs and poor risk decision-making processes.

When there is a common risk language across the enterprise better decisions are made, for example, concerning market entry, new products and acquisitions. This often leads to reduced earnings fluctuations and increased stakeholder confidence.

Build a clear picture of significant risks.

As the role of the CFO continues to evolve into a more business-partnering one, it is imperative that the finance organization is rightly equipped to proactively identify all the potential risks and defend their businesses.

What are the key risks to the achievement of your business objectives? Do you have the required risk management capabilities to address this risk profile? Who is responsible for monitoring and reporting risk information to decision makers?

Thus, the CFO and his team need to consistently assess, improve and monitor the way the organization manages its evolving risk profile. The risk assessment process must provide actionable and real-time insights on inherent risks and link them to the organization’s objectives, initiatives and business processes.

A thorough risk assessment process helps identify and prioritize risks that require urgent monitoring and mitigation. It also allows for the testing of existing internal controls and identification of opportunities for improving controls and risk mitigation strategies.

On the other hand, insufficient risk management processes can lead to costly lawsuits, significant financial losses, massive reputational damage and unreliable financial reporting, which can raise fundamental questions about the business as a whole, its management team and its viability.

An effective continuous risk assessment and management system therefore requires the team given the responsibility to do so to develop thorough knowledge of the company’s strategic objectives, operations, products, services, risk history, internal environment and its external environment.

Some organizations are leveraging data analytics tools to access forward-looking data from a range of sources, generate insights about changing market conditions and behavioural changes, evaluate metrics and integrate this real-time information to build risk models and forecasts as well as comprehensive risk strategies.

Coordinate and align business processes.

Risk management activities should be a key element of normal business operations. For this to happen, there must be top management buy-in to the business case for embedding risk strategy into the day-to-day running of the business as well as enhancing risk management performance.

It is therefore important to receive clear communication, proper oversight and accountability from senior management and the board concerning risk and governance. This will ensure that a common risk framework and universe is embraced and implemented across the organization.

Maturity models and benchmarks of leading practices can be used to help management determine the existing state of their organization’s risk management capabilities and define the desired state.

As one of the organization’s senior executives, the CFO should play a leading role in defining risk management objectives and embedding risk principles into the business processes. They can leverage their analytical and communication skills to broadcast to the business the benefits of risk management and the disadvantages of inadequate risk management processes.

The CFO plays a critical role in establishing the organization’s risk appetite, determining how the business will measure risk and ensuring that risk taking stays within the acceptable risk thresholds of the organization.

By regularly reporting risk information and coverage to business unit managers, a risk aware culture is embedded in everyday business practices, and this in turn will help business managers understand the implications of their decisions on business performance.

I welcome your thoughts and comments.

Rethinking and Elevating the Status of Risk Management

Enterprise risk management (ERM) is at the heart of effective decision making and should be at the forefront of everybody’s thinking within the organization. Today’s risk-filled macroeconomic environment requires front-line employees, middle management, senior executives and the board to take a proactive approach in managing the various risks the business is exposed to.

Risks are increasing and impacting the business at an alarming level, and as a result, senior management and their teams have to be more prepared to respond quickly than in the past. This means adopting a new view of the risk universe.

Whereas in the past risk management was seen as a compliance and box ticking exercise, this limited view no longer cuts it. Not to say that compliance management is a waste of time, the function still plays a critical role in helping the business achieve its objectives.

What is critical and required in today’s VUCA (volatile, uncertain, complex and ambiguous) environment is to view risk management through a different lens, assess its role in helping management successfully execute the broader strategy of the business and increase the overall value of the business.

It is no secret that over the past decade the number of corporate crises and scandals the world has witnessed has increased significantly. From natural disasters, product-related mishaps, supply chain failures and employee fraud to IT system failures and too-big-to-fail company liquidations, the media hasn’t been short of a story to post as a headline.

Most of these risk events, apart perhaps from natural disasters, could have been mitigated had management and the board played their critical role in the effective identification, assessment, management and oversight of risk within the organization.

Unfortunately, in many organizations today, senior management and the board are turning a blind eye to important risks and effective risk management. Risk management is considered an afterthought.

Instead of integrating risk management with strategic decision making, the focus is on short-term performance and incentives that are inappropriate and driving the wrong behaviour from the top and all the way down to the least ranked employee of the organization.

Although the board plays a critical role in ensuring effective risk oversight within the organization, risk management is everyone’s responsibility.

Employees, management and the board should have a clear understanding of the business model, the foundations and assumptions on which this model is based, the risks the organization faces and how they might combine.

Irrespective of which function you are working in, there are risks emanating from that particular function, and these risks in turn intertwine with the broader business. As a result, it is critical that each employee is aware of what risks are emanating from their line of business, at what frequency, and how they fit into the overall risk strategy of the business.

If the tone of risk management from the top is rotten, how can the board expect the tone below to be different? Remember, the fish rots from the head down.

If the leaders are ignorant, then the whole organization will follow suit. It is therefore important that top leadership sets in motion the right organizational risk culture and lead by example.

As a starting point, this means changing the role and status of those employees and managers tasked with implementing the organization’s risk strategy so that they don’t feel inadequate but can confidently report all that they find to the board. One of the challenges facing many businesses is that of complacency.

There is a misguided belief that good times will last indefinitely. As a result, many businesses are failing to recognize the rapid change in the business environment. Risks change over time, and it is essential that management and boards are aware of all the important risks capable of derailing their plans.

How competent is your organization when it comes to identifying and analyzing risks emerging from the company’s internal and external environment, as well as from the leaders’ activities and behaviour?

How often are you stress-testing the core of your business model?

To avoid falling into the complacency trap, management and the board must learn to ask questions all the time. For example:

  1. How is your company consistently producing exceptional results?
  2. What are the foundations of the company’s success and how sustainable are these?
  3. Even if the company’s strategy is implemented flawlessly, what other risks could undermine the business?
  4. Does your incentive structure promote any form of inappropriate behaviour?
  5. Are you focusing more on cost-saving and efficiency to the detriment of quality?

Asking the right questions helps management uncover surprises early enough to address them before they become big and damaging to the organization. It also helps the board understand and evaluate the adequacy of the answers received.

In the financial services industry, many institutions are driven by short-term revenue, profit and ROE gains. This massive obsession with achieving short-term performance targets often results in employees bypassing internal controls and management turning a blind eye to risky behaviour.

We have witnessed cases where companies significantly rewarded an employee for making huge profits on behalf of the business, only for management and the board to find out later that these profits were made via questionable and unethical ways.

How robust and all-pervading are your company’s internal controls to monitor employee behaviour, even the most senior executives?

When the role and status of risk management is elevated within the organization, there is a free flow of information in all directions. That is up and sideways as well as down and from the very bottom to the top of the organization.

Encouraging the free flow of information within the business is key to ensuring that any issues, circumstances and risks that are known within the organization, but not to the leaders, do not remain hidden from the leaders’ sight. Some risks remain unmanaged because employees are afraid of flagging them to their superiors, or because the manager refuses to heed warnings and advice that something is wrong.

When senior managers and decision makers ignore intelligent and informed advice, risks remain unrecognized and unmanaged for longer than necessary. These Unknown Knowns become inherently dangerous and eventually detrimental to the organization’s performance and reputation.

It is therefore imperative that when assessing and evaluating risk information, the organization considers all the sources of information at its disposal.

Rather than limit their focus to traditional risk areas, companies should take an enterprise-wide view of risk and learn from their own experiences as well as those of other companies and industries. This helps identify not only challenges that might cause a particular strategy to fail, but also any major risks that might affect the long-term positioning and performance of the business.

Self-deception is often a result of failure to listen to outside perspectives, and when this happens, business leaders can only see themselves as in a mirror. This often leads to poor decision-making with more far-reaching consequences than would have been the case had the leader listened to an outside perspective.

Risk management is not only about looking at the downside, but also at the upside. Thus, in order to take advantage of uncertainty and volatility in today’s environment, maximize gains and create value, it is critical that companies move beyond their corporate structures and adopt more of an “outside-in” perspective when assessing their strategies, challenges and opportunities.

In today’s era of Big Data and advanced analytics, companies can also take advantage of these modern technologies and start making sense of the vast information at their fingertips: sifting through the data, determining the most important risks and risk indicators, and establishing an effective enterprise risk management framework.

Effective decision-making demands the business leaders to have a more comprehensive picture of the challenges that are in front of the company. This requires integrating ERM into the overall business strategy and planning process, and changing the approach to managing enterprise risks.

ERM must effectively support the development and execution of business strategy. However, if risk management is considered a cost and not a value-adding process, there is a big risk that the business will fail to execute its strategy successfully.

Effectively implemented and aligned to the business, ERM can become an important source of information to the board as well as the business via its executives. For example, it can help them become aware of the new risks created by their strategies, evaluate the strategic impact of new technologies and identify investments that are necessary for managing risks and exploiting new opportunities.

On the contrary, if the internal audit and risk management teams are given a very low status and never listened to, they become less effective resulting in the company being exposed to unnecessary risks.

What level of status are you giving to your organization’s internal audit and risk management teams?

How does risk inform your company’s broader business strategy?

© 2019 ERPM Insights
