Having a formal integrated and proactive approach to risk assessment and management is critical for value creation and driving business growth in today’s emerging environment.
When evaluating the different strategic alternatives, it is imperative that boards and their management clearly understand the different risks that pose enormous threat to strategy execution.
Enterprise risk management (ERM) should become a priority if the business is to succeed. Risk should be ingrained deeply into the DNA of the organization and become an everyday conversation.
Unfortunately, in many organizations, risk management is seen as a non-value adding activity. Risk is it is seen as a box-ticking compliance activity.
As long as the organization ticks all the boxes of the regulatory requirements, the board and its management are happy.
Effective risk management is not about box-ticking. Instead it is about exploiting opportunities and preserving value created by the business.
To successfully evaluate strategic alternatives, execute strategy and drive business performance, boards must clearly and fully understand the language of enterprise risk management.
Developing, deploying and maintaining a practical, holistic risk management approach can help them lead through immediate, long–term, and evolving risks and succeed in the new business environment.
In order to enhance effective risk oversight, company boards must:
Align risk management with strategy planning and execution: Risk management is not a box-ticking or transactional activity only.
When boards set the tone for risk conversations during strategy setting and execution, they are able to challenge various assumptions through scenario modelling and this helps determine whether the organization has the right strategies and capabilities to execute.
Challenging also helps determine how the company’s cost structure, market share, growth, and product and service offering fairs against competitors.
It also helps the boards determine the organization’s ability to absorb shocks and to what extent.
When having these risk conversations, it is important that the board has them with people who are very knowledgeable about the various risks facing the organization and this also involves getting independent input to challenge the management’s risk management approach and assumptions.
Clearly identify and define information needs: In order to gain clear clarity on strategy and the risks inherent in the strategy, boards must refrain from acting on intuition alone.
They must invest time in identifying and defining enterprise risk information needs.
To avoid collecting, analyzing and acting on wrong information, boards must work with their management to identify the real KPIs and KRIs of the company, identify and evaluate the real value drivers of the business.
This means getting behind the financials to understand the true value drivers and how the organization is performing against them.
The Balanced Scorecard method can be used by the organization to identify the right risks and monitor risks in the context of the changing company risk profile.
Ensure that there is right risk level of expertise within the board: It is important to note that managing risk is not a “one-man” activity but rather a team activity that requires pooling of minds, skills and expertise.
Although the board is accountable for risk oversight, it must also determine how it engages with specific risk owners and management on certain key risk areas.
In order to achieve effective risk oversight, the board must ensure separation of risk processes and risk context as these require quite a number of different skill sets.
Risk processes deal with the organization’s structure for managing risks and developing a holistic view of risks.
On the other hand, risk content relates to risk ownership, evaluating and monitoring the quality of risk mitigation actions and re-aligning strategy to the organization’s risk profile.
Having experts on board with different risk skillsets helps a lot in achieving risk oversight so long these people work together and reach an agreement on important enterprise risks.