Topical news items such as the H1N1 pandemic, financial scandals, the recession and the Copenhagen summit on climate change were all in fact pre-existing risks that suddenly materialized.
Risk management is a growing topic of discussion both in regulatory circles and at Board meetings.
In fact, in the aftermath of the financial scandals of the 2000s, regulators have been focusing on compliance and disclosure requirements, thus placing the responsibility on the audit committee.
With the recent economic crisis that reverberated around the world, regulators have shifted the emphasis from compliance to risk management. Indeed, many felt that some situations were foreseeable and could have been avoided or at least tempered.
To help the Boards and their directors better manage risks, we will discuss (i) the objectives of risk management, (ii) how to identify risks, and (iii) how to better manage risk.
Today’s Boards are being held increasingly accountable for participating in the development of their organization’s strategic direction, approving it and ensuring that appropriate processes and controls are in place to identify, manage and monitor the business risks that follow from their organization’s business strategy.1
The objective of risk management is to find a balance between the inherent risks and business opportunities facing the organization.
The first step in the risk management process is to identify the risks facing the organization. It is important to identify (i) external risks as well as (ii) internal risks. To this end, the Board must know and understand its organization well. Examples of external risks include the economy, applicable regulations and the competitive landscape; these risks can take the form of new market conditions, changing environmental issues, crises, new political and regulatory contexts or technological developments. Internal risks include product and service quality, business strategy, the organization’s strength and ethics.
To identify these risks, the Board must meet at least once a year to develop a strategic plan. To this end, it must have an in-depth knowledge of the risks that could have an impact on the organization’s ability to meet its strategic objectives.
During this strategic planning meeting, the Board and management must identify and monitor the organization’s principal risks, plan a risk management process and, above all, put in place internal controls to manage these risks.
Four possible strategies
There are four types of risk management strategy:
- Avoid risk by choosing not to undertake certain types of activity;
- Transfer risk to third parties through insurance, hedging and outsourcing;
- Mitigate risk through preventive and detective control measures;
- Accept risk, recognizing that the benefits of doing so outweigh the costs of transfer or mitigation.2
In the strategic planning process, the organization must take into account its appetite and capacity for risk and use techniques such as risk and sensitivity analysis to determine its exposure to risk. To facilitate this exercise, the organization should develop policies and procedures for strategic planning that include definitions and categorization of risks. These policies must then be communicated to everyone in the organization.
Monitoring is key
While identifying risk and implementing policies and procedures to manage it is extremely important, monitoring performance against key targets is an essential business practice. Boards need assurance that management at all levels does this and should understand in general terms what procedures are in place. Moreover, managers throughout the organization must be involved and receive regular reports on performance and provide explanations of variances and planned corrective action.
In conclusion, directors are ultimately responsible for accurately identifying the risks confronting the organization and for managing them effectively by implementing the necessary internal controls and policies, while at the same time allowing the organization to capitalize on business opportunities. To this end, some Boards will decide to form a risk management committee. In our opinion, what is most important is to carefully analyze the company’s business model and size and to put in place policies developed and implemented by senior management, because in the end, even if the task of risk management is assigned to a committee, the Board is still accountable.