Of particular interest to executive management and the board of directors are normal and ongoing business management risks, emerging risks, and critical enterprise risks. In this column, we focus on the last category, which we define as the top five to 10 risks that can threaten the viability and/or execution of the company’s strategy and business model. These risks should be a significant focal point for executive management and the board as they provide an important foundation for the board’s risk oversight.
Paring down the company’s risks to the ones that really matter is a test of the effectiveness of enterprise risk management. If the risk assessment process generates a laundry list of risks, it’s “game over” in the C-suite and boardroom. What senior management and directors want to know is information about the risks that can make or break the company. It all starts with an appropriately designed risk assessment process based on the following principles:
To illustrate, one consumer products company filters its risks down to the vital few through a risk assessment process that considers velocity and persistence of impact in addition to significance of impact and likelihood of occurrence. Also, the assessment process focuses on upstream supply chain issues and on protecting the company’s brands. The risk assessment criteria are considered by various risk sub-committees that identify potential critical risks and provide input regarding such risks to the corporate risk management committee. Meanwhile, the operating units and corporate functions report critical risks (as well as emerging risks) to the strategic planning function. Based on their respective assessments using the inputs they receive, the corporate risk management committee and strategic planning function provide input on the critical risks to executive management which, in turn, reports “The Top Risks List” to the board. The company’s chief risk officer supports the process at all points. For example, he consolidates all potential critical risks identified by the individual risk subcommittees and submits a summary to the corporate risk management committee membership prior to the next scheduled committee meeting.
While management is responsible for addressing the critical enterprise risks, the board should consider the information it needs to understand them. Both might benefit from the following reporting:
The above information is illustrative and is not intended to be exhaustive or applicable to every organization. Reporting to executive management and the board is an iterative process and is fine-tuned over time.
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO.