Risk Intelligent Governance: A Practical Guide for Boards
As this whitepaper by Deloitte LLP asserts, in many organizations risk governance is seen as an opposite of a value-adding process or activity. It is important to understand that risk governance and value creation actually go hand in hand. “Risk Intelligent” governance strives to integrate procedures regarding risk management for all risks an entity must face, not to avoid risk altogether. This whitepaper is a part of Deloitte’s Risk Intelligent series and provides detailed actions that board members can take to help their company develop better procedures regarding risk governance and oversight. The six key actions are as follows:
1. Define the Board’s Risk Oversight Role
It is important for a company to define the responsibilities of the board regarding risk governance. Boards are expected to set the tone for management and express their expectations regarding risk. They should also communicate risk management procedures with management and hold risk management at a high level of priority within the company.
The board should oversee management’s processes for risk management and also be included in the risk oversight process. In some cases, it may make sense for the board to allocate certain risk responsibilities to specific board committees, however, these committees should understand that risk oversight is not the responsibility of one committee, but instead the responsibility of the board and management as a whole. If separate committees are given risk responsibilities, they should meet and discuss their findings with the entire board to foster the idea that risk oversight is the responsibility of everyone in the organization. The roles of each committee should be explicitly defined.
The board should also consist of knowledgeable and experienced individuals. It is imperative that board members have inspiring, open-minded conversations about risk management and that many different perspectives are present. It may be beneficial to have an evaluation performed of the board members’ experiences and knowledge base. In addition to their composition, members of the board should also perform site visits in order to gain a better understanding of the company. This will aid in their abilities to identify significant risks and allow them to relate to the employees who will have to uphold this risk intelligent philosophy.
An enterprise-wide risk management framework proves to be valuable when designing risk management procedures. An entity-level risk management framework can help management identify their long-term goals, their methods and procedures for dealing with risk, and any training programs that might be necessary if their risk procedures are not already incorporated. Deloitte’s whitepaper suggests the Casualty Actuarial Society’s framework, COSO, and the Treasury Board of Canada Secretariat as a reference point. Incorporating a risk evaluation into each goal and activity will enable management to manage risk on an entity-wide level.
Deloitte also provides steps that boards have taken as a reference point as well as tools that may be used by board members during this process.
2. Foster a Risk Intelligent Culture
In order to have an effective risk governance and oversight program, it is important to instill the board and management’s values regarding risk throughout all individuals in the enterprise. Management’s goal should be to create a culture that is not risk averse, but instead is aware of the implications of risks taken to achieve a reward. The board and management should set an example by communicating appropriate messages about risk throughout the company. Board members should also work with management to obtain a better understanding of their risk management processes. Constant communication is key and enables the board to express their opinions and guide management towards practices that support the views of the shareholders.
Another way to create a culture that supports open discussion about risk and concerns is to incorporate job descriptions that are risk-related. Employees will likely embrace the concepts of risk management if they believe they will be rewarded for making informed decisions about risk. The importance will be realized if positions dealing with risk management are brought into the corporate hierarchy.
External third-party reviews are also a helpful tool in creating a Risk Intelligent culture. By reviewing risk management policies, a third-party can help point out flaws and best practices to the board and management. This can provide a method for benchmarking against other companies as well as against the entity itself over a period of years.
3. Help Management Incorporate Risk Intelligence into Strategy
Integrating Risk Intelligence into management’s strategy is a primary responsibility of board members. As Deloitte describes, incorporating risk procedures into every level of corporate strategy can help management move away from a negative view of risk to a positive view where risk is associated with reward. In order to converge Risk Intelligence with management’s strategic objectives, the board can design processes for considering risk. These processes may include guidance for setting priorities among risk and then assigning the appropriate risk management resources to specific strategic objectives. Risk appetite and risk tolerance for the entity should be defined so that management has an understanding of which risks are acceptable and which risks fit into the strategic goals of the entity.
After these procedures have been instituted, the board should monitor the alignment of strategic objectives with risk management processes. There must be assurance that any risk-related issue will be brought to management’s attention and will then be communicated to the board. In order to facilitate this communication, the board should establish ways for management to be held accountable for managing risk according to the strategic plan. This can be done by offering ongoing feedback about management’s ability to manage risk effectively or even a formal evaluation of management’s responsibilities regarding risk oversight.
4. Help define Risk Appetite
Risk appetite is defined as the level of risk that management is willing to take regarding specific actions or events related to the entity as a whole. The board has the responsibility to either approve or challenge risk appetite levels suggested by management. There may be different risk appetite levels for different types of risks a company may face. There are often higher risk appetites associated with rewarded risks and lower risk appetites associated with unrewarded risks. Management should recognize that some risks are inherent to their business and that a risk appetite does not eliminate all risk.
Management also needs to set a risk target or a risk tolerance level. There will likely be some risks that an entity is not willing to take and developing a risk tolerance level will make it easier to communicate what those risks may be. Risk tolerance differs from risk appetite in the way that tolerance levels should still be within the risk appetite. Risk appetite is often a percentage of revenues or other financial measurement, whereas risk tolerance may be related to a certain type of activity or event. It is important for the board to assist management in keeping these two separate and ensuring that management’s tolerance levels relate to their appetite. The board should exist in this process as a resource for management to help define appetite and tolerance levels as well as to make sure they align with each other.
5. Execute the Risk Intelligent Governance Process
The board should work with management to design risk management processes that are effective and create value for the entity as a whole. Although it is management’s responsibility to effectively manage risk, the board has the responsibility to challenge management’s practices if they are not deemed sufficient. The board is responsible for governing the risk management processes. Procedures should be in place to evaluate whether or not management is conducting risk processes in the way the board communicated. In order to ensure that management is upholding risk management responsibilities, the board can evaluate their performance, assess the performance of the risk procedures, and create a means for holding management accountable for their actions regarding risk management. Communication between the board and management is required and the board is encouraged to discuss any issues with management if doubts exist regarding certain risk management practices.
6. Benchmark and Evaluate the Governance Process
In addition to benchmarking and evaluating the risk management processes, risk governance processes should also be reviewed. Risk governance is an ongoing process that can be monitored and compared internally or externally. To gain perspective on their performance, the board could request periodic feedback reviews from senior management regarding their responsibilities for risk governance. In order to prepare for review, the board would benefit from taking appropriate training classes as well as individual research about risk management in the internal and external environment. During the annual self-assessment of the board, risk should be discussed and the effectiveness of providing governance should be addressed.
These six focal points support the notion that actions taken to mitigate risk are just as important as taking risks to enable growth and rewards. Although risk mitigation is important, it should not be management’s goal to avoid risk completely. Certain risks are necessary for a business to operate effectively.
“Risk Intelligent” governance can aid in the allocation of risk-related resources, enhancement of competitive advantage, and the long-term growth of an entity. By developing a “Risk Intelligent” program, the board is strengthening management’s ability to meet strategic objectives while protecting the company from risks that may arise.
Click below to read the whitepaper.
Source: “Risk Intelligence Governance: A Practical Guide for Boards.” Deloitte LLP. August 20, 2009. Web.