A recent research study conducted by Ernst & Young finds that companies define risk in a different way than in previous years as a result of current economic conditions. The survey shows that risk management must take on a more holistic view and focus on external factors affecting risk within the entity. More companies are realizing that viewing risk management from a compliance-only perspective is neither sufficient nor appropriate. More are realizing that risk perspectives need to be dynamic where new risks are viewed as constantly emerging.
While it is important to identify risks, it is equally essential to monitor the entity’s responses to those identified risks. Evaluating the quality of an entity’s risk management processes can provide insight and is a significant task. According to Ernst & Young’s research study, there are six questions that one should ask when evaluating the quality of risk management.
1. Who owns risk management?
Many companies are designating a chief risk officer (CRO) to take responsibility for managing risk within a company. Although a leader is important, the risk culture depends on the tone set by top management. A risk management process should have specific roles and responsibilities set in order to ensure that all risks are accounted for. A chief risk officer can aid in the identification of risks, but it is necessary for other professionals to be aware of the risks that are traced back to their specific business unit or department.
2. What is the best structure for risk management?
Prior to the introduction of enterprise risk management, many entities managed their risks in separate silos connected to each business unit or department within the organization. In order to appropriately manage risk, it is necessary to map each risk identified back to a set of company risks that are aligned with the company’s strategy. One huge issue that concerned the participants is the integration of risk management with internal audit functions. Audit functions help to integrate risk with company strategies and objectives because they are aware of business processes and risks that may be associated with them. Risk management processes should be structured to include seamless communication between the board of directors, audit committee, and management. Internal audit, however, is somewhat concerned with being involved in risk identification and risk oversight due to independence issues. They need to feel confident in their findings and be able to voice gaps to the audit committee without hesitation.
3. Does the risk organization have the right skills?
The risk managers within an entity need to have strong personalities and confidence in their abilities to carry out their day-to-day tasks. They will be communicating with the board and audit committee and must have the skills necessary to challenge management and report honestly to the board and audit committee. There are two key skills that Ernst & Young’s research study found to be essential to risk management professionals.
- They must possess business knowledge and sector acumen. It is insufficient to be able to analyze risk; they must also be able to relate those risks back to an entity’s products and services.
- They must have the confidence to say no to management. It is essential for risk managers to have confidence in their abilities and have the stability to voice both positive and negative findings to senior management and the board. In some situations, it will be necessary for risk professionals to challenge management’s processes and opinions.
4. Does the corporate culture encourage open communication upwards to senior levels?
There is often a sense of strict hierarchy within certain entities that may discourage lower-level managers from bringing up concerns to senior management. In order for a risk management program to be effective, it is extremely important that the entity inspires a culture that fosters open communication between all management levels. Some participants suggested that promotions of employees created problems for some entities because managers assumed the person taking over their role would inherit their issues and concerns.
The first step to establishing this culture is to have a senior management team that is focused on clear, open communication and that is willing to address problems before they come up with answers. Senior management should raise their issues and concerns with risk managers instead of attempting to solve all problems on their own, which could lead to strategic misalignment. Lower-level managers feel more comfortable knowing that their senior management is willing to express areas with which they are unsure. Honest dialogue is critical for establishing an effective risk management strategy.
5. Is risk management properly incorporated into key management processes?
Risk management processes should be integrated into daily business processes and “baked” into a company’s strategy. Risk management should be a factor in daily decisions made by management and used when assessing new business propositions. If an entity’s culture and strategy do not support and utilize risk information, the risk management process will have no foundation to fall back on.
6. Does our approach to remuneration align with sound risk management?
Boards and management have given remuneration and incentive policies low priority in the past, but due to the current crisis, they are being forced to move these policies up on the risk assessment scale. According to one participant, “If a firm doesn’t have an adequate compensation policy, it doesn’t have an adequate risk policy.” Employees must be informed of risk and encouraged to evaluate it in their day-to-day decision making. Employee pay should be aligned with risk management in order to emphasize its importance in business performance. Balanced scorecards could be adjusted to incorporate risk metrics and integrated with employee performance evaluations.
In order to improve risk oversight practices, boards should be more involved in risk assessment and should give approval of the company’s risk appetite. The board should take the initiative to understand risks identified by management and ensure that management’s risk appetite is in alignment with the firm’s business strategy. Although defining a risk appetite might be difficult, it is one of the most important parts of managing risks within an entity. Ernst & Young gives four approaches that may help a company in identifying the types of risks they are willing to accept.
- Capture historical risks
- Focus on risks and opportunities
- Look for inter-dependencies and aggregate portfolio risk
- Adopt approval limits from the board downwards
Audit committees and boards of directors need to question management practices more now than in prior years. It may be necessary for them to seek further education and recruit members with additional expertise. Since the board and the audit committee will be given a greater responsibility to provide risk oversight, it will be necessary for them to be skeptical of management and ask questions when they do not understand an issue. Many participants in the study noted that boards were not familiar with daily business processes. In order to provide effective risk oversight, the board and audit committee should focus on understanding the business and how value is generated within the organization.
A comfortable environment where management is open to questions from the board should be established. Management’s assumptions should be questioned, and the board should draw out further explanations in discussions with management. Here is a short list of tips for risk management oversight from audit committee chairs:
- Clarify board and committee chairs
- Ensure proper coordination across committees
- Conduct thorough meeting preparation
- Create additional opportunities to learn about risks
Both internal and external advisers to the board and audit committee will prove to be a key resource for risk management oversight. Internal audit will have more responsibility to ensure that management has identified and mitigated risks accurately. Questioning management assumptions will be critical to internal audit’s role. Internal audit also needs to have confidence in their abilities and knowledge of their role. They should be given opportunities to express their concerns and should not be afraid to do so. A working relationship with the audit committee should be established, and internal audit should not hesitate to report to the audit committee any instances where management may be inhibiting their ability to do their job.
The role of the external auditor in this process will also become more prominent. Since the external auditor should have a deep understanding of the business and industry, the board and audit committee should look to them to provide insight into the risk management processes of the entity. They can help to identify key risks that may emerge during their auditing procedures. It might also be possible that a review of risk detection becomes required. Regulation for this review has already been established in some countries and might be possible for the United States.
In conclusion, risk management should become more long-term focused and driven by external risk factors. Dynamic risk assessments have become necessary. Review of risk management processes will become more stringent and the board and audit committee should be actively involved in risk oversight in addition to approving the risk appetite and alignment with management’s key strategies.
This abstract is based on the white paper “A New Landscape for Risk Management and Oversight: Considerations for Audit Committees” by EY. Please contact EY for a copy.