Over the past decade, the total number of risks affecting organizations has increased rapidly. Organizations now operate in an environment that is characterized by risk exposures that are more complex, more interrelated and potentially more destructive than ever before.
As a result of this evolving business world, there is increased pressure on senior executives and their boards to effectively manage risks so that stakeholder value is preserved and enhanced. They must adequately recognize and manage risks associated with strategic and operational decisions being made throughout the organization and clearly understand the devastating effects of these risks on business performance.
To ensure that risk management forms part of the organization’s strategic and operational decision-making processes and helps drive business performance, the board must establish the appropriate tone at the top. Effective enterprise risk management (ERM) requires a top-down holistic view of risks faced by the organization. Thus, the actions of the board and senior management team should provide a clear message to the organization that policies and procedures are to be followed thoroughly.
Although the board is not involved in the actual day-to-day management of risks faced by the organization, it is the responsibility of the board to exercise significant oversight and ensure that the implemented risk management processes are aligned to the organization’s strategy and functioning as designed. By actively exercising its oversight role, the board is able to send an important message to the company’s senior management and its employees that ERM is an important element of the organization’s corporate strategy, culture and value-creation process.
Without the board’s direction and support, efforts to implement an effective ERM process are destined to fail. It is therefore important for the board and its senior management team to develop a risk-aware culture that operates within the agreed risk appetite that aligns with the organization’s corporate strategy. Excessive risk taking can have devastating effects on the overall business performance. Lessons can be learned from the recent collapse of African Bank Limited Investments (ABIL) in South Africa. The bank’s board and its senior management team have come under public and regulatory pressure for poor risk management oversight and poor processes.
To avoid liability in their oversight role, boards must ensure that their organizations have implemented comprehensive monitoring systems bespoke to each category of risk. For example, the monitoring systems in place must include reports on significant matters that have been levied against the company and may be used as evidence in shareholder litigation. Such reports can act as red flags or violations of risk limits for the board and these should not be ignored as they warrant further investigation and ultimately action. Furthermore, these monitoring systems ought to be reviewed regularly and their robustness tested and measured.
Where the board assigns primary risk oversight responsibility to a committee of the full board such as the executive audit and risk committee, it is important that the committee periodically delivers reports on the status of the ERM process to the full board to help ensure that the entire board has a clearer understanding of the company’s risk profile and the steps management has taken to monitor and control such exposures. The idea is to facilitate serious and thoughtful board-level discussion of the organization’s ERM process, the trends in the key risks the company faces and the robustness of the company’s policies, procedures, and actions designed to respond to and treat these risks.
Actively devoting meeting time to discuss and analyze information about the organization’s ERM program and the most significant risks impacting the company’s ability to achieve its strategic objectives enables the board to fully discharge its fiduciary duties. In-depth knowledge of the organization’s fundamental operations is necessary for understanding the implications of the key risks the organization is exposed to and then assessing the organization’s planned responses to these risks.
Board composition plays a critical role when it comes to performing the risk oversight role. To effectively monitor the organization’s ERM program, boards should pay particular attention to the background and experience of the individual board members serving on the committee charged with the oversight of the ERM function.
This is because the board’s ability to perform its oversight role effectively is heavily reliant on the flow of information between the directors, senior management and the ERM executives in the organization. Such information includes the external and internal risk environment faced by the firm, key material risk exposures affecting the company, risk assessment and prioritization policies, key risk treatment strategies, strengths and weaknesses of the organization’s ERM program, etc.
In conclusion, it is important for the board and senior management team to realize that the traditional practice of managing risk on an ad hoc basis is no longer tolerable. Instead, the board needs to adopt ERM as a process to develop a more robust and holistic top-down view of the key risks facing the organization. An ERM focus assists boards and senior executives to think about risks more holistically and also helps avoid managing risks inconsistently or within each individual risk manager’s personal tolerance for risk.
I welcome your thoughts and comments.