We’re living in an era of unforeseen events that give rise to risks, including geographic conflicts and a “black swan” event—something so unpredictable that it’s not on anyone’s radar—a global pandemic with far-reaching economic and social consequences. While a company can’t always anticipate what might be around the corner, strong risk oversight by the board can help the company respond with more rigor and agility. The number and types of risks the board oversees continue to grow, even as their nature changes. Some become more likely as businesses are more interconnected. Some are likely to impact just a certain area of the business. Others could severely impact the entire brand. The last few years have reinforced the need for companies to recognize the possibility of what once seemed like unlikely events. How can organizations and their boards use this lesson to improve their risk oversight processes? Keeping an open, yet skeptical, mind is a big piece of it. Given the collective experience of most boards—and the fact that directors sit outside of the day-to-day running of the business—they are well-suited to bring this open-mindedness and willingness to explore the “what-if” scenarios. Taking a long view on risks aligned to the strategic plan at the board level allows company leadership to focus on the day-to-day management of those risks.
The evolution of ERM
ERM has always been about identifying and managing the top risks to the organization. That hasn’t changed. The inputs, the methodology, the output, and the overall process have—because they had to. As depicted below, there are several drivers for the evolution of ERM and risk oversight processes.
The link between strategy and risk
Large institutional investors have been pushing for more information about how a company’s statement of purpose is linked to its long-term strategy and success. With this growing external focus on strategy, boards should understand how their company’s purpose informs its processes to both identify risk and determine the company’s risk appetite. The company’s risks and risk appetite should be viewed not only from the company’s perspective, but also from the perspective of shareholders and other stakeholders (e.g., employees, customers, suppliers, communities, and regulators).
Let’s use ESG risks to illustrate this. For many companies, these risks were already on their radar—somewhere. But the recent focus by large institutional investors, combined with an increase in shareholder proposals seeking disclosure, has brought these risks to the forefront. Large institutional investors are suggesting that ESG risks could have an impact on the long-term sustainable value of the company. For example, perhaps the company relies on water as a key resource. Due to climate change, sourcing that water in the future might be a challenge, which will ultimately affect the long-term value of the company. Companies are now more focused on identifying material ESG risks of this type, monitoring and overseeing those risks, and communicating their efforts to shareholders and other stakeholders.
The board needs to focus on which key business risks are actively tracked and monitored at all levels, including at the board level. They can add real value by stepping back and asking about what risks might be missing and what risks may not be fully appreciated.
First things first: board composition
Risk oversight is a full board responsibility. Having diverse skills, backgrounds, and experiences on the board is vital to understanding the broad range of risks a company can face. It is important to have some board members with deep expertise in the industry who can help anticipate what’s to come. On the other hand, it is also important to have fresh perspectives—whether it’s new directors, those with experience in different industries, or different skill sets—to view risk through different lenses. Directors who have specific risk management expertise can also bring real value.
Board diversity can also impact risk oversight. In fact, 76% of respondents to our 2021 Annual Corporate Directors Survey agreed that diversity on the board improves strategy/risk oversight and may reduce the chance of missing key risks. Once directors have evaluated the board’s composition and whether they have the right skills on the board to effectively oversee risk, the next area of focus is understanding how the company is identifying and managing these risks.
Understanding and maximizing ERM
Enterprise risk management (ERM) means different things to different people. Some companies simply use ERM to identify, prioritize, and report on risks—protecting value. The best companies also use ERM to make better, more informed decisions, and improve their strategic, financial, and operational performance—driving value. But it takes work and buy-in at all levels to make that happen.
What ERM is—and isn’t
ERM is the collection of capabilities, culture, processes, and practices that helps companies make better decisions as they face uncertainty. It gives employees a framework and policies to help them understand, identify, assess, manage, and monitor risks so the company can meet its objectives. It’s most valuable when it’s integrated with strategic planning and decision-making.
Just assessing risk—identifying and prioritizing the key risks—isn’t ERM. If a company stops there, it may know about risk, but not be actively managing it. That’s not to say that identifying and assessing risk isn’t a key part of maximizing the value of ERM to the company. Searching for risks requires not only understanding the organization’s value drivers but also the risks—and opportunities—that may arise when those value drivers change. ERM can be a tool to help organizations consider the potential upside of the decisions associated with each particular risk. For example, many organizations changed their business models as a result of the COVID-19 pandemic, embracing a remote workforce and providing customers and clients with other ways of interacting with them, thus opening new distribution channels that will continue.
Boards and senior leaders need to look beyond this quarter or this year to craft the right strategy and take the right bets. ERM and senior management are unlikely to predict the next “black swan” event. But robust ERM can shine a light on disruptive technology; new competitors; environmental or social issues; and changes in regulations, economics, or the political landscape. The company’s ongoing risk assessment should encompass emerging risks to help the company focus on future risks to identify any strategic impact. It’s also important to bear in mind that risk oversight isn’t just about avoiding all risks. To have a successful strategy, companies must take some risks. Properly done, ERM identifies the key risks that could stand in the way and ensures they’re (a) communicated to the stakeholders who need to know, and (b) managed appropriately. But ERM looks and feels different at every company, so how can directors know if it’s working at their company?
Making sure ERM lives beyond the C-suite
If ERM operates only at the executive level, it’s not going to influence behavior across the organization. In fact, some companies find it helpful to assess risks or risk prioritization at different levels. If you ask different groups of people to prioritize a handful of key risks at the company, you may get different answers based on each individual’s purview. The board and the executive team might be aligned on risk prioritization, but middle management might have a very different prioritization. It’s worth asking those outside the C-suite how they might prioritize risks. This could identify one of two things: either middle management is getting more risk insights from customers, suppliers, and other employees that the ERM process is not picking up, or the executive team is not effectively educating middle management about key risks and the need to focus on mitigation. Either way, this insight can be very helpful in understanding how well the company is aligned on identifying and prioritizing risks.
The key elements underpinning an effective risk management function
When seeking to understand a company’s risk management program, boards may find it helpful to consider these broad leading practices:
A single risk language. Common definitions and standard categories of risk make it easier to accurately combine risk information across the business and spot discrepancies and interdependencies.
A common risk assessment approach. One risk assessment approach with a single set of criteria makes it easier to share, compare, and combine different teams’ perspectives on the various risks the company faces.
A streamlined approach to controls. As companies address specific risks over the years, they can end up with inefficient and overlapping controls. When possible, streamlining those processes can improve performance without sacrificing effectiveness.
Cross-functional collaboration. Better information-sharing across all functions that contribute to risk management can improve processes.
A single risk officer. A chief risk officer or similar executive can support risk management efforts across the company and coordinate risk reporting for both executive management and the board.
Courtesy PwC.