Expectations for boards of directors to provide greater oversight of the processes executives use to manage risks affecting the enterprise continue to increase. Often boards are delegating aspects of risk oversight to the audit committee. As the featured speaker at the ERM Initiative’s ERM Roundtable on February 29, 2008, Doug Anderson, General Auditor at The Dow Chemical Company, described how management and the board of directors at Dow, including the audit committee, are responding to meet these expectations for greater risk oversight.
Key Risk Drivers at Dow
The nature of Dow’s products and services in the chemical industry creates a wide range of risk management challenges for management and the board. As if managing a complex portfolio of over 3500 chemical-related products weren’t fraught with enough risks, Dow’s risk profile is also shaped by its sheer size and its global footprint. Dow’s customer base extends across 160 countries, and sixty percent of its business operations reside outside the United States, involving over 46,000 employees. Many of Dow’s growth strategies are based on emerging economies, such as those in India, China, and Russia, and the company is continually moving more of its shared services offshore. Imagine the challenges of managing the multitude of risks that could arise from doing business at this global level. Then add the fact that a large portion of Dow’s products are based on oil and gas inputs, and one can quickly gain a sense of the complex challenge of managing risks at Dow.
How Risk Management is Viewed at Dow
In their risk oversight efforts, the board and management emphasize positioning risk management as a strategic activity at Dow. The objective of effective enterprise risk management is to improve management’s ability to run its business, under the view that if they can manage risks better, they can be more competitive. Management and the board realize that they have a responsibility to pursue opportunities, which will require the assumption of risks. They seek to assume those risks in a well-managed, controlled manner that recognizes that as new strategies are created, new risks arise that need to be considered in the context of the company’s strategic objectives.
Positioning ERM to Add Value
In their effort to manage risks associated with new strategic opportunities, Dow’s management and board have embraced enterprise risk management (ERM) to bring an explicit focus on risks. ERM helps provide structure, consistency, and transparency to the company’s approach to risk management across the complex Dow enterprise. The company’s disciplined approach to ERM strengthens its ability to anticipate risks before they become impactful, costly, and disruptive. ERM also increases management’s ability to identify opportunities that enable innovation. Dow management believes that a company’s ability to manage risks better than others creates opportunity.
There is no single ERM group, officer, or focal point within Dow that leads the ERM effort on a full-time basis. Rather, ERM is a shared responsibility among the business functions, management, and the board. Using this team approach, management seeks to look across the enterprise in its identification of risks, avoiding a silo mentality for risk management. Risks are grouped into these categories: compliance and financial reporting risks; operational risks; market/business environment risks; and strategic business risks.
The Role of the Board and Audit Committee in Risk Oversight
Dow’s board of directors has assumed overall responsibility for ensuring that risks are managed. Obviously, the volume and complexity of risks affecting Dow are endless, so the board does not necessarily see every risk. Instead, the board delegates the operation of the risk management framework to the executives of the management committee under the belief that key executives can manage most of the key risks. Only the most significant risks (from a probability and impact perspective) are reserved for the board’s review and discussion.
The board delegates to the audit committee responsibility for monitoring management’s risk management process and assuring that the process is adequate. The audit committee’s task is to determine whether it is comfortable with the process being used by management to monitor and respond to key risks. The audit committee reviews the process used by management and the population of risks identified by that process, and determines which risk items should be elevated to the board for oversight. The goal is to create a process that encourages and supports a structured, standard approach to risk management that leads to a transparent disclosure of key risk exposures not only to senior executives, but also to the board and audit committee.
Management focuses on developing an inventory of the company’s key risk exposures that it refers to as its “risk universe.” Once key risks affecting the company are populated, management then assigns ownership of each risk area to a member of management. The risk universe is also presented to the audit committee for review and discussion.
Types of Risks Elevated to the Board
The types of risks elevated to the board are those deemed to be “enterprise risks.” Enterprise risks are those that management and the audit committee believe have, or are perceived to have, the potential for a significant impact on the enterprise, requiring the attention of the board beyond the normal management process. Risks are evaluated based on a joint assessment that balances the probability of a risk occurrence and its potential impact. Those 10-20 risks that have a reasonable probability of occurring and that might have a significant impact on Dow’s objectives are put before the board for discussion and review. Impact is evaluated along several dimensions that include the financial impact, reputational impact, environmental or community impact, and customer impact. The goal is to manage those risks that might have a significant effect on long-term shareholder value.
Except for certain risk areas, such as those related to treasury and credit, Dow’s process of assessing risks does not require that all risk exposures be evaluated quantitatively. Instead, for most risk areas, management assesses risk exposures qualitatively using a low, medium, high assessment scale for both probability and impact dimensions. While management generally assesses risks on an inherent basis and factors in the effectiveness of risk responses (for example, the effectiveness of internal controls), management and the audit committee elevate to the full board only those risks that on a residual basis might have a significant impact on the enterprise. Thus, the board is not involved in assessing both inherent risk and residual risks. Rather, the board’s focus is on the top 10-20 risks that on a residual basis might be significant to the enterprise as a whole.
The board then discusses each of those key risks and assigns responsibility for overseeing each of them. In some cases, the audit committee might oversee certain risks while other board committees or perhaps internal audit oversee other risk areas.
Internal Audit’s Contribution to ERM at Dow
While management focuses on inherent risks and the related risk treatments, the board only focuses on those enterprise risks that on a residual basis might have a significant effect on the company as a whole. As a result, the board’s focus on key risks is dependent on the accuracy of management’s assessment of how effectively the risk response reduces the identified inherent risk. That is where Dow’s internal audit function provides assurance to the audit committee and the board. Internal audit’s involvement focuses on the completeness of the risk universe and the adequacy and effectiveness of management’s risk response, to ensure that the reduction in an inherent risk due to a particular risk mitigation strategy is accurately assessed and presented to the audit committee and board by management. Thus, internal audit is heavily involved in assessing the risk mitigation initiatives so that the board is confident that the list of residual risks elevated to them is accurately assessed and complete.