A Board of Directors exists to help ensure that a company has strategies in place to navigate the waters of uncertainty. Financial institutions, airlines, insurance companies, and even large technology firms like Apple, Samsung, or Amazon have a board composed of individuals both internal and external to their organization. These individuals can be long-serving employees, former CEOs, lawyers, or industry experts elected to give their opinion on company matters. They are tasked with responsibilities that range from managing the company’s reputation, future growth, and public perception, to oversight of all legal matters, handling crises, and ensuring that all risks are managed accordingly.
These are just some of the many items boards must manage. How, then, can a board be tasked with so many duties? How can a board plan future growth while also maintaining a positive reputation in the eyes of the public? How can it manage crises while at the same time acting as a proponent of risk management? As it pertains to risk management, a board hopes that risks are being taken to facilitate company growth, so what needs to happen to impress, engage, and facilitate proper risk management discussions at the board level? This guide will walk you through ways to impress a board with risk management by being a strategic partner and adding value.
Departments such as sales, marketing, human resources (HR), information technology (IT), and audit all play important roles in any company where decisions are made to drive success. Marketing departments communicate offers of products or services to the public in exchange for a transaction that usually involves the transfer of money, while HR groups oversee people management, development, and succession planning at various levels of an organization. IT manages the hardware, software, and cyber environments that employees work in to achieve their goals, while audit groups ensure that the functions of an organization are working appropriately and efficiently. These departments are just some of the several valuable tools organizations have to help them achieve both their short-term and long-term goals. So what is risk management? Simply put, risk management is also a tool.
Risk is defined as “uncertainty about outcomes that can be either negative or positive” [1], while risk management is “the process of making and implementing decisions that enable an organization to optimize its level of risk” [2]. A mature risk management department oversees an entire organization and determines whether the decisions being made are in line with the organization’s goals. In essence, risk management is a second set of eyes that gives a sobering check to ensure that, for example, a sales group is not doing anything that could be considered offside or even illegal.
If a risk group determines—through an independent assessment—that something will have a negative outcome on the organization, then they are responsible for ensuring that the necessary steps are taken to avoid that negative outcome. For the risk management group to be seen as a strategic partner, they need to consider the following when making decisions:
If these considerations are understood, a board can feel confident that the decisions being made by the risk group ensure that the organization is growing positively and that the risks are being managed.
Boards tend to meet on a regular basis to review and make decisions on several mandates. These mandates could be something as simple as approving a policy, or something complex like selecting the next CEO of a large organization. The main point to note is that boards will meet and discuss several items – risk management is just one of those items.
Because a board is prepared to review any and all line items on a meeting agenda, any single discussion can easily be judged a success or a failure. Board meetings are not scheduled over a long period of time, so discussions need to be clear and concise. Knowing this, risk information needs to be presented in an efficient manner. Software facilitates the collection of risk data over time and allows organizations to develop key risk indicators (KRIs) to understand both negative and positive trends.
An example of a negative trend being presented to a board could be an increase in the number of times a SOX control fails from one reporting period to the next (i.e. quarterly reporting). To be frank, one SOX control failing over a period of time is not going to be an issue. Even if 10 SOX controls failed, organizations would not start planning for bankruptcy hearings, even if internal audit or some regulatory body raised concerns. However, this type of proactive reporting to a board of directors is how risk groups start to be seen as valuable partners who are committed to the success of an organization.
A board could take the trends associated with this kind of information and then make decisions to strengthen SOX compliance programs. It may encourage the business to add funding in order to hire more resources, it may increase awareness of the importance of SOX, or it may devise a whole new strategy for improving the SOX control infrastructure. This form of proactive reporting presents a board of directors with issues rather than full-blown disasters. If a board is presented with clear, data-driven information, decisions become easier to make and risks can be better managed.
Transparent communication needs to occur between groups and individuals at all levels of any organization. This could include the employees in the mailroom, all the way up to the executives, board members, and external stakeholders. While any kind of risk department is not responsible for managing pillars of communication across an organization, they are responsible for managing risk and monitoring the internal and external environment of an organization.
Risk software can be used both to assess risks and then to manage those risks accordingly. Completing risk assessments, with appropriate management plans and mitigating factors in one convenient place, allows communications to be distributed to all levels of an organization simultaneously. This lets the appropriate stakeholders understand the risk exposures they are facing and reduces overall risk at an enterprise level. Imagine how much confidence a board would have in a risk management department if an escalated risk issue had been communicated, discussed, and effectively managed across the entire organization before it was presented at a board meeting. Being able to convey successes and identify areas of opportunity in a timely fashion further shows how risk management can be seen as a valuable partner.
There is no predetermined approach to effectively impressing a board of directors with risk management. Boards are tasked with multiple mandates, and for a risk department to be seen as a strategic partner, it ultimately needs to be seen as a tool, like marketing or sales, that effectively makes decisions to promote growth while also managing risk exposures. In addition, proactive rather than reactive reporting can show a board of directors how risk management provides value as a strategic partner by identifying issues or trends before they get out of hand. Communication across an entire organization, if facilitated through a risk group, can significantly increase the credibility of a risk function. Tools such as Resolver’s Enterprise Risk Management (ERM) Software allow these kinds of trends to be identified and encourage these communications to occur on a regular basis.
[1] The Institutes (edited by M.W. Elliot) (2012). Risk Assessment and Treatment, 1st Edition. Pennsylvania, PA: American Institute for Chartered Property Casualty Underwriters.