An article I read recently in the National Association of Corporate Directors' (NACD) Directorship drew attention to the significance of risk management and its oversight as a pivotal concern for directors in the boardroom.
The article cited a KPMG survey that found operational risk and the risk environment were a concern of a third of participants (after relatively uncontrollable topics such as economic, social, and political volatility and government regulation). About half of those surveyed said they are concerned about their risk management program.
Those numbers worry me. Thinking critically about risk and developing a comprehensive plan is one of the most important things an executive can do for their company, and many companies treat the creation of a risk management plan as a check-the-box exercise.
Worse, many companies develop a plan and don't execute it. Even if it's a great plan, if it's poorly executed, it will lead to inadequate risk understanding and may increase the company's liability. In fact, a less-than-perfect plan that's executed is better than a non-executed top-notch plan.
Given top-level concern over risk and risk management, here are some questions executives and directors should be asking:
• Is the risk management program truly an enterprise-wide risk assessment and management (ERM) program? Companies are at high risk when their assessment addresses some, but not all, elements of internal and external risk sources. As I wrote in the April newsletter, sources can emanate from all strategic and operational areas of a company and its environment; they all need to be assessed.
• Does the risk assessment process routinely challenge underlying assumptions? There are countless examples of assumptions built into a business plan, choice of supplier, or marketing approach that were not sufficiently challenged as the environment changed. As the business environment evolved, the risk increased substantially, unbeknownst to the leaders.
• Is there a bias for action across the leadership and the board to address the risks non-emotionally? What evidence do you have to support your response? Highlighting risk is not the end of the process; it's the beginning. Not all risks warrant a plan B and plan C. The team needs to understand the difference between the risks that require multiple levels of risk mitigation and the ones you're willing to live with and then take appropriate and timely action.
• What do the numbers say? It's important to consider all of the metrics and trends in your business, not just the financial ones. Is the team looking at the numbers through the lens of what can happen if the trend continues, or explaining the trends to keep management happy?
• Are your directors getting the whole story? If not, ask yourself what you can do to create an environment where it is easier to tell the whole story.
• What committee has risk oversight, and would strengthening that committee with technical and ERM expertise increase its effectiveness?
Execution is critical in all efforts, but particularly so with ERM. ERM is more than an exercise; it can be the tool that enables you to meet commitments to stakeholders on revenue, EBITA, and EPS.