It is crucial that boards of directors are well versed in the risks confronting their companies, but changing risk landscapes create challenges. Failure to understand high-risk areas and risk-mitigation procedures can decrease the effectiveness of the board’s oversight of management and its ability to constructively challenge proposed changes in the best interest of the company. Asking the following three questions can help educate board members on existing risks and procedures to make sure the entire committee is on the same page.
1. How is our organization identifying risks across the enterprise?
Boards need to understand risks across their entire organization and be aware of how they can affect operations and profitability. A board can’t evaluate these risks, however, if the organization hasn’t identified what they are. Pinpointing risk factors early allows time to plan mitigation strategies, which could save your business from potential disruptions in the future.
Risk identification can be done at the board level, management level or individual business unit level. Some strategies to consider integrating into your enterprise risk identification program are:
- Facilitate a brainstorming session with key stakeholders to share risks and current procedures. Invite key stakeholders, such as board members, management and business unit leaders, to share the risks they are aware of that may be unknown to others.
- Conduct a SWOT (strengths, weaknesses, opportunities and threats) analysis to map out current weaknesses and threats to your organization.
- Use information technology resources to scan for potential digital threats against your organization.
- Hire a third party to review your operations, exposures and current strategies and identify ways to improve them.
2. What emerging risks are we currently aware of?
Mitigation plans that are developed based on identified enterprise risks need to remain flexible to account for emerging risks. These risks can evolve quickly and often destroy businesses that are not prepared to face them. Some key risks companies may face in 2016 include:
- cyber-related risks and attacks
- rules and regulations in foreign markets
- growth and volatility in the global economy
- talent management and succession planning
- risks associated with third-party vendor relationships
3. Does our existing reporting structure meet industry standards?
The effectiveness of your risk management program depends on how effectively your organization communicates. Risk reporting should be used to illustrate success, failure and opportunity to key stakeholders. These communications should be interactive, with time built in for questions and discussion. If your organization does not have a reporting structure in place, consider establishing one to drive transparency. If you have a reporting structure, you could benefit from benchmarking your process and frequency against industry peers.
Enterprise risk management is an ongoing process. Identifying and reporting risks a single time is not sufficient to prepare an organization for potential disruptions. It is important that board members are well versed in the ongoing enterprise risk management program so they can effectively provide guidance and oversight to the organization. When a board of directors takes an active interest in the company’s internal controls, that organization is better equipped to meet the challenges in its current environment.