Many boards find themselves under both greater scrutiny from regulators, shareholders, the media and analysts and rising expectations for improved governance and risk management. And the more effective boards are looking closely at their organization’s level of emphasis on risk management practices, strategies, processes and approaches.
“Effective boards also are putting in place a comprehensive and forward-looking foundation—beginning with risk oversight and including risk culture, risk appetite, maturity assessments, alignment of risk, strategy and disclosure,” notes Henry Ristuccia, partner, Deloitte & Touche LLP, and global leader, Governance, Risk and Compliance Services, Deloitte Touche Tohmatsu Limited (DTTL).
Six actions can help boards take a broader approach to risk management—encompassing both value protection and value creation. Using these steps, directors can steer their organizations toward an understanding of risk management not as a separate or standalone issue, but as an integral component of everything the board considers.
1. Define the board’s risk oversight role
“As risk is intrinsic to the conduct of business, it is an essential consideration in every decision and activity,” says Maureen Bujno, a director in Deloitte LLP’s Center for Corporate Governance.
An effective risk oversight process helps the board determine that the organization has a system in place for identifying, evaluating, prioritizing, managing and adapting to critical risks. This process begins with a distinct demarcation of the board’s roles and responsibilities, which includes assuring that management defines the risk governance infrastructure, positions risk as a priority for the organization, and initiates risk management communications and activities. The process may be further improved when boards work with management to map risk oversight responsibilities to specific board committees and create mechanisms for board committees to collaborate on risk-related activities. Boards also should insist on clear, periodic reports on risk-related activities, including trends and assumptions, and position themselves to oversee significant, strategic and enterprise-wide risks.
In addition, board members should be satisfied that, regardless of the process, the CEO takes ultimate responsibility for risk management and that specific risks and activities are assigned to appropriate members of the management team.
2. Foster a risk-aware culture
A risk-aware culture should be reflected in employees’ general attitude and behavior toward risk. It is a key indicator of how risk is managed within an organization, and how widely its risk management policies and practices have been adopted. Embedded in day-to-day practices, a risk-aware culture covers all activities and is influenced by an organization’s incentives, management systems and behavioral norms. It helps an organization achieve its mission and strategic objectives; it is communicated by leadership; and it promotes strong risk management, transparency and accountability.
Boards can help cultivate a risk-aware culture by building an environment in which employees are comfortable challenging others, including authority figures, and the people who are being challenged respond positively. In addition, the board should establish “safe/free” zones for those reporting potential issues. It’s also critical that boards provide the right “tone at the top” to promote ownership, accountability, transparency and collaboration and encourage management to create processes to continuously improve the organization’s risk culture.
Other ways boards can help their organizations cultivate a culture that embeds a strong awareness of risk matters include:
- Encourage management to create repeatable processes to assess and continuously improve the risk culture of the organization.
- Reward people who focus on managing and mitigating risk by aligning incentive, reward and performance systems with a focus on risk, compliance and controls.
- Support management in its commitment to enhance the risk culture through appropriate allocations in resources and funding, focused risk management training programs, and distribution of risk culture surveys and survey results.
3. Understand and improve an appropriate risk appetite
In some industries, the concept of risk appetite is more quantitative; in others, it is more qualitative. Whether dealing with hard metrics or softer guidelines, determining the level and types of risks an organization is willing to take is a difficult task—yet one that is critical to business success. Therefore, evaluating appropriate risk appetite levels is a vital responsibility of the board.
Boards can become more effective in reviewing and approving risk appetite levels—and in helping the organization apply risk appetite to strategic decisions—in a number of ways. They can provide escalation guidance when business decisions may exceed the approved risk appetite. Boards also should work with management to create a risk appetite approach to keep pace with changes within both the organization and the marketplace.
Boards can also consider adopting advanced methods for defining risk appetite in both qualitative and quantitative ways and reviewing “look back” analysis to determine how closely the organization has followed approved risk appetites in making business decisions.
4. Help management incorporate strategic risk thinking into strategy
One of the board’s primary roles is advising management on the development of a strategy that aligns with the mission of the organization, as well as the short- and long-term vision of stakeholders. At the heart of all strategic issues competing for the board’s attention is the risk—that is, the potential for loss or diminished opportunity for gain—that the strategy poses to the organization’s priorities.
Boards can be in a stronger position to determine if strategic risks are identified and addressed in the organization’s strategic planning by providing “active oversight” in developing the strategy, regularly engaging on strategic objectives as well as strategic risks, confirming that key strategic risk indicators are monitored and assessing potential new strategic risks on an ongoing basis.
5. Assess the maturity of the risk governance process
An organization’s risk management capabilities, along with the board’s risk governance processes, can be assessed according to their maturity—that is, where they reside on a curve that progresses toward optimal risk awareness. From ad hoc practices to formal and embedded processes, and various stages in between, there is no definitive threshold that organizations should achieve. But there is a level of maturity that is right for each organization.
Additional steps for assessing the maturity of a risk governance process include:
- Assessing the board’s skills and knowledge to identify competency gaps in key areas.
- Implementing an ongoing development plan to enhance competencies through recruitment, education and the use of outside advisors.
- Periodically reviewing the overall quality, quantity and usability of risk-related information provided to the board.
6. Make sure the organization discloses the risk story to stakeholders
The SEC proxy disclosure rules require U.S. public companies to explain how the board administers its risk oversight responsibilities and how the board works with management on risk-related activities. Organizations can more effectively disclose their risk story to stakeholders when they provide visibility into how the process actually works, including the roles of the board and its committees, in addition to discussing the structure of risk oversight. The board should encourage plain-English disclosures or supplement risk disclosures with quantitative analysis and graphic presentations.
Risk-related disclosures in proxy statements also can provide insight into a company’s risk oversight and risk management practices.
“The trends and forces that impact business—along with the attendant risks—can change in a heartbeat, so the work of improving risk oversight is an ever-evolving process,” says Mr. Ristuccia.