Tag: Risk Reporting

Boards Must Play A Leading Role in Effective Risk Oversight

Over the past decade, the total number of risks affecting organizations has increased rapidly. Organizations now operate in an environment that is characterized by risk exposures that are more complex, more interrelated and potentially more destructive than ever before.

As a result of this evolving business world, there is increased pressure on senior executives and their boards to effectively manage risks so that stakeholder value is preserved and enhanced. They must adequately recognize and manage risks associated with strategic and operational decisions being made throughout the organization and clearly understand the devastating effects of these risks on business performance.

To ensure that risk management forms part of the organization’s strategic and operational decision making processes and help drive business performance, the board must establish the appropriate tone at the top. Effective enterprise risk management (ERM) requires a top-down holistic view of risks faced by the organization. Thus the actions of the board and senior management team should provide a clear message to the organization that policies and procedures are to be followed thoroughly.

Although the board is not involved in the actual day-to-day management of risks faced by the organization, it is the responsibility of the board to exercise significant oversight and ensure that the implemented risk management processes are aligned to the organization’s strategy and functioning as designed. By actively exercising its oversight role, the board is able to send an important message to the company’s senior management and its employees that ERM is an important element of the organization’s corporate strategy, culture and value-creation process.

Without the board’s direction and support, efforts to implement an effective ERM process are destined to fail. It is therefore important for the board and its senior management team to develop a risk-aware culture that operates within the agreed risk appetite that aligns with the organization’s corporate strategy. Excessive risk taking can have devastating effects on the overall business performance. Lessons can be learned from the recent collapse of African Bank Limited Investments (ABIL) in South Africa. The bank’s board and its senior management team have come under public and regulatory pressure for poor risk management oversight and poor processes.

To avoid liability in their oversight role, boards must ensure that their organizations have implemented comprehensive monitoring systems bespoke to each category of risk. For example, the monitoring systems in place must include reports on significant matters that have been levied against the company and may be used as evidence in shareholder litigation. Such reports can act as red flags or violations of risk limits for the board and these should not be ignored as they warrant further investigation and ultimately action. Furthermore, these monitoring systems ought to be reviewed regularly and their robustness tested and measured.

Where the board assigns primary risk oversight responsibility to a committee of the full board such as the executive audit and risk committee, it is important that the committee periodically delivers reports on the status of the ERM process to the full board to help ensure that the entire board has a clearer understanding of the company’s risk profile and the steps management has taken to monitor and control such exposures. The idea is to facilitate serious and thoughtful board-level discussion of the organization’s ERM process, the trends in the key risks the company faces and the robustness of the company’s policies, procedures, and actions designed to respond to and treat these risks.

Actively devoting meeting time to discuss and analyze information about the organization’s ERM program and the most significant risks impacting the company’s ability to achieve its strategic objectives enables the board to fully discharge its fiduciary duties. In-depth knowledge of the organization’s fundamental operations is necessary for understanding the implications of the key risks the organization is exposed to and then assessing the organization’s planned responses to these risks.

Board composition plays a critical role when it comes to performing the risk oversight role. To effectively monitor the organization’s ERM program, boards should pay particular attention to the background and experience of the individual board members serving on the committee charged with the oversight of the ERM function.

This is because the board’s ability to perform its oversight role effectively is heavily reliant on the flow of information between the directors, senior management and the ERM executives in the organization. Such information includes the external and internal risk environment faced by the firm, key material risk exposures affecting the company, risk assessment and prioritization policies, key risk treatment strategies, and the strengths and weaknesses of the organization’s ERM program.

In conclusion, it is important for the board and senior management team to realize that the traditional practice of managing risk on an ad hoc basis is no longer tolerable. Instead, the board needs to adopt ERM as a process to develop a more robust and holistic top-down view of the key risks facing the organization. An ERM focus helps boards and senior executives think about risks more holistically and also helps avoid managing risks inconsistently or within each individual risk manager’s personal tolerance for risk.

I welcome your thoughts and comments.

Ten Qualities of A Good ERM Report

In order to make informed decisions, risk reporting must be of high quality. Managers need to be able to evaluate the suitability of the risk management methods they are employing to identify, assess, mitigate and monitor enterprise risks. Are these methods working? Do employees know when these methods are not working? What are the consequences of risk management failure? How can this risk management failure be resolved?

If the data used to identify and assess enterprise risks is flawed, regardless of how excellent the risk mitigation strategies are, the organization will just be wasting resources. One advantage of good regular enterprise risk reporting is that it helps management identify and evaluate the risk profile and risk strategy of the organization.

Poor enterprise risk reporting often leads to poor decision making and, in the worst case, no decision making at all. Today, sources of risk data are vast, and managers need to know what to do with this data. They must be able to turn this huge amount of data into a strategic asset in the form of information and knowledge that can be used to make effective decisions capable of helping the organization mitigate risks, achieve its strategic objectives and drive business performance.

The reason so many managers make poor enterprise risk management decisions is that they base those decisions on poor-quality reports. There is little value in carrying out the processes in your enterprise risk management framework without good reporting. Thus, when designing and building your enterprise risk reporting structure, it is important to ensure that the report:

  • Is defined clearly: When defining the report it is important to consider the name of the report, objective(s) of the report, distribution list of the recipients, names of fields to be used, calculations required in each field, manual actions to be performed in each field and how the final report will be used. You should start considering design of the report only after the definition stage.
  • Uses a common language understood throughout the organization: Employees normally have a different understanding of the true meaning of risk. It is therefore important to ensure that there is a common understanding of the terms used in the organization’s risk report. The terms used must be clear and mean the same thing to every employee who reads them. One way of achieving this involves managers running risk awareness programs/workshops or incorporating a glossary in the enterprise risk policy document.
  • Highlights the important messages: Managers have busy schedules and limited time at their disposal, so sometimes they just scan through the reports. It is therefore important that the produced risk report highlights the critical risk areas. The producer of the report should not assume that the reader possesses the same level of enterprise risk management knowledge. By highlighting those critical risk areas that need management attention, for example through colour shading, managers will know where their focus is most required and will not spend much time on unimportant parts of the report.
  • Integrates quantitative and qualitative information: Enterprise risk management generates both quantitative and qualitative data thus both sets of data must be interlinked in risk reports. Relying on one set of information to report risks leads to treating risks in isolation and in turn flawed decision making.
  • Uses reliable quality data: The quality of data used in enterprise risk reporting is critical to making informed decisions. How reliable are your risk data sources? Failure to fully embed ERM throughout the organization leads to poor data quality, as risk and control assessments are not yet accepted. Continuously using poor-quality data to produce reports that senior managers use to make strategic decisions can cause them to make poor and loss-making decisions, and this in turn affects buy-in for ERM throughout the organization.
  • Guides effective decision-making: Are your reports stirring up action? Many times managers receive reports that are useless. A lot of time and resources are spent producing these reports, but they serve no purpose in aiding effective decision-making. In addition to highlighting values, a good risk report must guide managers in deciding whether or not action is required. If the produced reports fail to highlight the need for action or some form of decision, then their existence should be questioned.
  • Is produced in a timely manner: Suppose that risk reporting is done on a monthly basis. Chances are that values in the report will change monthly, so there is no point in producing a risk report halfway through the month, as the report would have relatively little value. It is therefore important to ensure that reports are produced in time to enable management to make use of them and to embed ERM throughout the organization.
  • The report’s structure is evaluated continuously: In a constantly dynamic and volatile business environment, the organization’s risk profile, indicators and controls are also likely to change. This signals a need for change in the structure of the organization’s risk report. For example, if the risks confronting the organization increase in number, the risk report(s) can easily grow in both length and number. It is therefore important for the report producers to establish what information really matters to the audience for whom the report is intended.
  • Enables risk ownership: Management needs to take ownership of the information contained in the risk report. Thus a risk owner must be identified, and this can be an individual, a department or a business line. A good risk report should enable the risk owner to take action when required.
  • Is integrated with other processes: Organizational risks do not happen in isolation. Other business processes play a part, and these should be taken into account when reporting enterprise risks. For example, by taking audit conclusions into account, resources will not be wasted as several people seek to solve the same problem. Also, taking other processes into account reduces confusion and the chance of inaction, as the report will indicate acceptable risk actions arising from those other processes.

Good reports are essential to good enterprise risk management. Thus a good risk report should be able to deliver information in such a way as to support informed business decisions on the organization’s risk profile.

What else would you say are the qualities of good enterprise risk reports?

I welcome your thoughts and comments.

© 2019 ERPM Insights
