3 Questions Every Board Needs to Ask About Enterprise Risks
Today’s risk landscape continues to change, which creates challenges for Boards of Directors in their oversight of the risks confronting their companies. A 2015 study conducted by the American Institute of Certified Public Accountants (AICPA) concluded that a majority of companies were affected by these emerging risks. Collectively, 65 percent of participating managers and directors admitted that they were caught off guard by an operational surprise over the past five years.
It is crucial that senior management and Board members are well versed in the risks that affect their companies. Failure to adequately understand the areas at highest risk and the procedures in place to mitigate them can decrease the effectiveness of the Board’s oversight of management and its ability to constructively challenge proposed changes in the best interest of the company. Asking these three questions at your next Board of Directors meeting can help educate members on existing risks and procedures to make sure the entire committee is on the same page.
How is our organization identifying risks across the enterprise?
A Board needs to understand the risks across the entire organization. Members should also be aware of how those risks can affect operations and profitability. A Board can’t evaluate these risks, however, if the organization hasn’t identified what they are. Pinpointing risk factors early allows time to plan a strategy for mitigation, which could save a business from continuity-disrupting events in the future.
Risk identification could be done at the Board-level, management-level or even individual business unit-level. Some strategies to consider integrating into an enterprise risk identification program are:
- Facilitate a Brainstorming Session: Invite key stakeholders, such as Board members, management and business unit leaders, to share the risks that they are aware of that may be unknown to others.
- Conduct a SWOT (strengths, weaknesses, opportunities and threats) Analysis: Focus on the weaknesses and threats to your organization. Take the learnings from the discussion to map out your current and emerging risks.
- Use Information Technology Resources: Organizations with robust IT departments can use their expertise to scan for potential digital threats against the organization, such as a cyber-attack or data breach.
- Hire a Third Party to Conduct Analysis: Enterprise risk management specialists can review your operations, exposures and current risk management strategies and insurance to identify ways to improve them.
What emerging risks are we currently aware of?
Even if a mitigation plan is developed based on identified enterprise risks, the plan needs to remain flexible and easy to update to account for rapidly changing or emerging risks. These risks can evolve quickly and often destroy businesses that are not prepared to face them. The emerging risk landscape is uncertain, but some key risks to watch out for in 2016 include:
- Cyber-related Risks and Attacks: Any company that uses technology to conduct business and manage client information needs to know what’s at stake. When cybersecurity is not part of the business process, it leaves a company vulnerable to data breaches and the loss of financial, personal or proprietary information. IT risks should be continually monitored and systems need to be updated to keep pace with the ever-evolving cyber threat environment.
- Predictability and Uncertainty in Foreign Markets: The fluctuation of commodity prices and currency values has created uncertainties that make strategic planning difficult. In 2016, growth and volatility are expected to define the global economy, but with this degree of variation comes tremendous risk to companies. Be sure that you understand the rules and regulations you face in the international market. Reassess your budgets and forecasts on a semi-annual basis to account for changes that could affect your cash flow or profitability.
- Talent Management and Succession Planning: Company leadership is essential to keeping your business running smoothly, but when executives move on or retire, they create important gaps that need to be filled. You should be sure you have a process in place to identify the right successor or shift the responsibilities to reshape the vacancy to a role better suited to the needs of your organization.
- Third Party Vendor Relationships: Each of your organization’s third party vendors poses unique risks. For example, a vendor that assists your company with payroll and billing has increased risk because that vendor handles sensitive financial information. Conducting an annual vendor risk assessment and performing necessary due diligence can help you identify what each vendor will require in terms of controls and monitoring.
Does our existing reporting structure meet industry standards?
The effectiveness of the overall risk management program depends on how effectively the organization communicates. Organizations should use risk reporting to illustrate success, failure and opportunity to key stakeholders. These communications should be interactive, with time built in for the Board to ask questions and discuss components of the outputs. If your organization does not currently have a reporting structure in place, consider establishing one to bring transparency to the process. If your organization does have a reporting structure, you could benefit from benchmarking your process and frequency against industry peers.
Enterprise risk management is an ongoing process. Identifying and reporting your risks a single time is not sufficient to keep your organization prepared for potential disruptions to day-to-day operations. Constantly revisiting your enterprise risk management program to account for emerging risks or changes to the reporting structure will ensure your business is always ready to respond to threats.
Copyright © 2016, CBIZ, Inc. All rights reserved.