
Risk reporting to the board

Richard M. Steinberg | June 7, 2016

A few months ago, Jim DeLoach wrote “Six Principles for Improving Board Risk Reporting.” Having worked together over many years, Jim and I are colleagues and friends, and we continue to stay in touch and share experiences. As a leading expert on risk management, his words are worth noting. Here I briefly summarize his six principles, and then address additional matters of critical importance that require corporate boards’ close attention.

Jim puts forth the following interrelated “board risk reporting principles” that focus directors on significant risks, enabling them to bring to bear their knowledge and expertise in ways that add and preserve enterprise value:

Focus on critical enterprise and emerging risks. Critical enterprise risks represent those that can threaten a company’s strategy, business model, or viability, and consequently warrant the most attention from the board’s risk oversight process. The board also needs to be mindful of emerging risks triggered by unanticipated and potentially disruptive events.

Address ongoing business management risks on an outlier basis. For risks that are not critical enterprise risks, risk reporting should be integrated with periodic status reports on line-of-business, product, geographic, functional, or program performance, and triggered by the escalation of unusual matters that warrant immediate board attention.

Ensure risk reporting is linked to key business objectives. The relevancy of risk reporting is more firmly established with directors when it is closely tied to strategic business plans and the critical objectives and initiatives management has communicated to them.

Use risk reporting to advance dialogues around risk appetite. Risk reporting should call attention to the level of risk the organization is undertaking in the pursuit of value creation and disclose when conditions change and the agreed-upon parameters are approached or breached.

Integrate risk reporting with performance reporting. When line-of-business, product, geographic, functional, or program managers report on performance to the board, they should also disclose the related key risks—enabling a dialogue with directors on underlying risks and assumptions inherent in executing the strategy and achieving performance targets.

Report on whether changes in the external environment affect critical assumptions underlying the strategy. Risk reporting should provide insights as to whether executive management’s assumptions about markets, customers, competition, technology, regulations, commodity prices, and other external factors remain valid—including whether changes in these environmental factors could alter the fundamentals underlying the business model, providing “early warning” capability.

The Steinberg board risk oversight principles

As usual, Jim does a great job of focusing attention on what corporate boards should be looking for from the CEO and senior management team. Now we’ll expand the scope, going beyond what risk information management reports to the board to additional matters boards should be certain to home in on—in the form of what I put forth as four additional principles. Experience shows that sharp adherence to these interrelated principles is absolutely critical in order for boards to effectively carry out their oversight responsibility related to risk management.

Ensure an effective risk management process. A board needs to know how management identifies the significant risks the company faces, and how those risks are being managed. That is, the board must get to the fundamentals of the risk management process—how it is designed, the way in which it is implemented, and how effectively it is working. Receiving information on risks is very important—but unless the board knows that management has an effective process for identifying, analyzing, communicating, and managing risks, it cannot be sure that management is providing all relevant significant information.

It’s fair to say that this is the most significant information a board needs in effectively overseeing a company’s risks. It needs to be comfortable that the risk management process is in place and working effectively.

Avoid reporting to the board being the primary objective. Yes, a board must receive information related to the more significant risks the company faces. Too often, however, because a board will press management to report such risks, the risk management process is designed with reporting to the board as the first and foremost objective. And when that happens, more often than not the risk management process is either inadequately designed or poorly executed. In such circumstances an executive risk management committee may be put in place to identify major risks for the board or regulatory filings—but the process ignores or is only tangentially connected to the rest of the organization. Executive risk management committees can serve a useful purpose, but cannot take the place of a process effected throughout the organization, in every business line, unit, and location, and at every level. It is closest to the business activity level where some of the more critical emerging risks need to be identified and acted upon.

Determine who is responsible for risk management. Many companies with which I’ve worked initially placed such responsibility with the chief risk officer. This may be appealing on its face to the CEO, as well as the board, believing responsibility is best fixed with one senior executive and thereby helping to assure it is accepted and carried out effectively. The reality, however, is that such an arrangement is simply doomed to failure. For the process to truly work, risk must be considered at every level, from strategic planning by the senior management team to everyday decision making going downstream in the organization. Where should responsibility lie? It must rest with the chief executive officer, his/her direct reports, and so on—cascading at every management level throughout in their spheres of responsibility.

Certainly a critical catalyst for the CEO is designing, implementing, and providing needed support to the management hierarchy. The CRO should ensure managers have the needed tools and techniques and reporting mechanisms. But the board needs to be sure that responsibility for risk management is where it needs to be in order for the process to work effectively.

See that communication channels are effective. The board needs to be satisfied that senior management is appropriately communicating expectations for identifying, analyzing, and managing emerging and ongoing risks throughout the organization—and is holding managers at every level accountable for reviewing risk-related decision making and reaching agreement on how risks are to be managed. Communication channels need to be open and free-flowing where personnel identify relevant risks in business decision making and discuss them with the people to whom they have a direct reporting line. This is a normal element of every manager’s responsibility, which must be done well.

Unfortunately, breakdowns in communication channels are not uncommon, too often resulting in bad decision making and related losses of resources or lost opportunities. One needs to look no further than to the horrendous results of communication failures at such companies as Volkswagen and Mitsubishi. While the investigations are yet to fully play out, we can surmise that either information about cheating in emissions testing wasn’t communicated upstream, or as some experts suggest, management failed to act on the information. This in turn gets into one major segment of risk management, namely compliance with laws and regulations, and the critical need for integrity and ethical values and not lying internally or to customers or regulators.

So, I thank Jim DeLoach for his six principles and for providing a jumping-off point for expanding the scope to add these four. With all ten in hand, boards of directors are well positioned to provide truly effective oversight of risk reporting and risk management.