Reporting on risk to the board is not the end objective. Reporting on risk to the board is more about ensuring that the board is effective, and the knowledge of risks enables the board to do that.
My good friend, Jim DeLoach of Protiviti, seems to be everywhere. He writes about risk management (and was an advisor to COSO for its 2017 ERM update), internal audit (I last saw him at the recent IIA General Audit Management Conference), and governance. He works closely with board members, often participating in meetings of the National Association of Corporate Directors.
He has a great perspective, as you might expect from a veteran who is familiar with all of these areas.
Most of the time, we agree – but disagree on how concepts should be communicated.
His latest piece, Communicating Critical Enterprise Risks to the Board, is an example of how we differ.
While it focuses on risk assessment, it has some general comments which are excellent. But I believe it misses some key points as well.
For example, he says (emphasis added):
Certain risks require directors and executive management to have sufficient information in advance to prepare them for discussions about risks and how they are managed. For example, the critical enterprise risks are the ones that threaten the company’s strategy and the viability of its business model – such as credit risk to a financial institution, supply chain risk to a manufacturer, commodity price risk to a power company, country risk to an oil exploration company, research and development risk to a pharmaceutical company or unique risks that make a company an outlier among its competitors. Often, these risks require full board engagement because they are strategic in nature.
Paring a company’s risks down to the ones that really matter maximizes the value of the board’s risk oversight input and effectiveness of the executive team’s risk focus.
He continues by suggesting 8 principles.
The first, with which I agree, is “Begin with the end in mind”. As he says:
Risks require a context provided by the enterprise’s business objectives and strategy. Strategic objectives are high-level goals aligned with the organization’s mission, vision and core values. These objectives reflect the management team’s choice as to how they intend to create stakeholder value. These choices almost always entail risk-reward trade-offs.
That is fine.
But I don’t think he has defined (at least to my satisfaction) what the “end” is that we should “keep in mind”.
The “end” we should “keep in mind” is not reporting to the board. It is enabling the board to be effective.
We should tell them what they need to know to help the organization succeed. That is not the same as providing a list of risks, even critical enterprise risks (however defined). It is certainly not limiting them to the review of a list of top risks – “enterprise list management”, in Jim’s own words.
Those charged with reporting on risk to the board and to the executive team should understand:
- What are they trying to achieve?
- What information do they need to be successful?
- How can we help?
The board should NOT be trying to “manage” or “provide oversight” on the management of risk.
It should be trying to manage the setting and achievement of objectives, providing oversight on how management does that.
Along the way, they will need assurance that management understands and is addressing what might happen (risk).
Risks are important only in so far as they might affect (both positively and negatively) the achievement of enterprise objectives and the strategies employed to do so.
So, it is essential for the success of the organization and of the board’s contribution to that success to start by answering these questions:
- How likely are we to achieve our objectives?
- Is that likelihood acceptable?
- Can we improve it?
- Can we also improve the extent of success?
- What might happen that would have a significant effect on our success?
- Are we doing enough about that – both the upside and downside?
This may be unfair (sorry, Jim), but I see the risk identification and assessment processes employed by most, and apparently supported in Jim’s article, as a “bottoms-up approach”.
It answers the questions of (a) what might happen (risk), and (b) how those risks would affect our objectives.
That is useful, but what is missing is a top-down approach.
For each objective, what might happen (at least reasonably likely) that would have a significant effect on the achievement of objectives?
Now, assess those risks – individually and collectively.
What is the likelihood and extent of success given all the things that might happen?
In my experience, you will identify some different sources of risk when you take the top-down approach.
Both the top-down and bottoms-up approach should be used and information provided to the board and the top management team so they can see how all these sources of risk (what might happen) when taken together might affect each enterprise objective.
Jim closes with three questions for executives and directors.
I suggest changing them to these four:
- Is there a process for considering, for each enterprise objectives, its current achievement level (KPI), what might happen (KRI), and the projected likelihood and level of achievement?
- Is that process reliable?
- Are the board and executive team satisfied with the reporting they receive periodically regarding each of the enterprise objectives?
- Are the board and executive team satisfied that decisions made across the enterprise are informed and intelligent, resulting in taking the right level of the right risk – so that both the creation and preservation of value are optimized?
What do you think?
Are you helping the board and management team “manage risk” or manage the enterprise to success?
I welcome your comments.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
- How effective are your systems of governance, risk, and control/compliance (GRC)? - October 19, 2021
- Delivering value from IT audit - September 22, 2021
- Selecting software for risk management - August 18, 2021