Wednesday, August 29, 2012

Is Your Risk Strategy a True Team Effort?

The real question today is whether management and the board have the right governance processes in place to drive the critical business activities—to manage risk and calibrate strategy in a coordinated way.
As companies move beyond managing financial crisis issues, they are turning to a more holistic look at their firms' governance activities. KPMG recently conducted a study that finds that even with risk management, contingency planning, financial reporting and controls, compliance, internal audit, strategic planning and execution, and board oversight all in place, most respondents were not satisfied that these governance activities are appropriately focused on the greatest risks to their company’s reputation and brand. According to the KPMG survey, coordination and integration of these functions are key to adding real value in dealing with risk hot spots.

KPMG's survey revealed that only 39 percent of the 1,200-plus directors and senior management polled during KPMG’s Spring Audit Committee Roundtable Series said they are satisfied that their company’s governance activities are appropriately focused on the greatest risks to the company’s reputation and brand. Less than a quarter said they were satisfied that key governance activities are aligned with the company’s risk hot spots, and that the company’s governance activities are integrated into the strategy and add “real value” beyond simple compliance.

How do boards help to align all aspects of their companies' risk governance processes to make sure they are keeping pace? KPMG suggests ways that boards can do their part.

1. Understand the company’s risk “hot spots,” and how they are monitored and managed.

Understanding areas of complexity and change in the business and the business environment that pose new or different risks is important to knowing where the "hot spots" are.  The environment is constantly changing, so this requires a continuous process, and annual, semiannual, or quarterly risk assessments may not be sufficient given the velocity and volatility of change and risk today.

2. Use the audit committee as a tool to manage and coordinate the company’s core governance activities.

Given the breadth of its oversight responsibilities over so many core governance activities, the audit committee, in conjunction with a risk oversight committee, is uniquely positioned to help assess and manage the extent to which these core governance processes are being coordinated from a risk perspective.

3. Set expectations from management for “integrated governance”—and spot the gaps.

An important role for the audit committee and board is to help set expectations for an integrated approach to governance (Is there a single, up-to-date “governance view” of the enterprise?), and to help identify potential gaps. Setting goals helps a company identify who will be responsible for identifying and monitoring risk hot spots, and helps to set out the roles the CEO, CFO, etc. play in the process. Goals and targets also make the objectives of all these risk activities clearer and allow the board and management to measure how well they are being coordinated.

Underlying all of these recommendations is one important factor, however: culture. A company with a truly top-down, risk-aware culture is already a step ahead in coordinating core governance processes. If boards and management actively stay abreast of technological, financial, and business risks, they will find it much easier to think beyond mere compliance. And that awareness can filter to every level of the organization, making a company's risk function a true "team effort."