Businesses regularly assess and mitigate a broad spectrum of risks, including strategic, compliance, internal audit, fraud, credit, supply chain, information technology, marketing and sales, and reputational risk. Assessments can be top-down or bottom-up, high-level or granular, and draw on a long list of well-known methodologies, procedures and practices. Reports are typically delivered to managers, senior executives, the board of directors, or a committee of the board (most commonly the audit committee). The identified risks are measured against the organization’s defined risk appetite and tolerance, and provide a basis for risk mitigation and for evaluating residual risk.
Assessing risk in silos
While businesses have been conducting risk assessments for years, the exercise often takes place in silos. Instead of applying a holistic approach to assessing risk, risk appetite and tolerance across the entire organization, the assessment of risk and the implementation of mitigation measures have largely occurred on a functional, business unit, geographical, or other basis. The downside is that resources are not employed effectively, interdependencies between risks are not properly identified, and the opportunity to enrich the qualitative and quantitative data extracted from the assessments (for example by applying probabilistic and non-probabilistic models) is lost because the focus of each assessment is too narrow.
It is a significant challenge to align individual risk assessments conducted in silos with key corporate objectives, such as creating shareholder value, maintaining market share, and promoting innovation (especially important in Canada).
Adopting a concerted approach
A concerted approach instead centralizes risk assessment and mitigation by proactively taking steps such as appointing an enterprise-wide risk officer, agreeing on a common internal nomenclature for discussing risk, and creating a risk registry where the reports are filed and synthesized.
An additional step is to bring senior management together in the same boardroom with either the executive management team or the owners of each risk assessment process (i.e. the silo owners), and to collectively identify the risks faced by the business, weigh those risks, and define the organization’s risk appetite and tolerance.
I have helped lead enterprise-wide risk management assessments. I am of the opinion that in-house counsel are well equipped to facilitate these sorts of reviews. We support multiple client groups and intersect with them regarding the management of risk on a regular basis — both conceptually as well as practically.
The first time, I was somewhat taken aback by the wide divergence of views with regard to the probability of specific risks and their potential impact. It was only by sitting in the same boardroom that we were able to achieve a coherent view of the relative risks to the organization, the probability that they may occur, the impact they would have on the organization and its business, and the resources which would be required to mitigate against those risks.
An additional benefit was achieving collective buy-in with regard to reallocating resources (be it heads, time, budget, etc.) across the enterprise (rather than within the silo) to mitigate against the risks we identified. Furthermore, we were able to more amply spot interdependencies across the business and implement risk-informed decision-making to address those risks.
Documenting the discussion
Software tools that contain enterprise risk management questionnaires and other templates are readily available on the market; however, a questionnaire can easily be created by the participants themselves. The latter has the advantage of allowing the participants to zero in on risks specific to their organization, the industry it operates in, and its business.
The conclusions of the participants can be effectively captured in a “heat map” or risk matrix that identifies and prioritizes each risk according to its probability (e.g. likely to occur, not likely to occur), its expected impact (e.g. catastrophic, temporary business interruption) and the applicable mitigation measures (e.g. internal controls). Where risks do not lend themselves to quantification, and ordinal or interval scales are not practical, qualitative terms such as “very likely to occur”, as in the examples above, are handy substitutes.
A comprehensive review (rather than individual assessments) is more likely to ensure risk management is aligned with corporate objectives. Shareholders are increasingly demanding transparency, and audit committees are being called on to demonstrate that risk is being managed effectively, adding additional support for a centralized approach.
Adopting a concerted approach to risk management can help ensure an organization is not working at cross purposes. Risk needs to be discussed holistically, and even more so given the unstable, non-linear, and fast-paced nature of the business world today. Reviews of this kind require strong leadership and organizational skills, which in-house counsel are well equipped to provide.