Three Risk Factors to Present to Your Board
Author: Michael Cohn
The COVID-19 pandemic drastically altered how we work, how we shop, and how we interact with people in all facets of our daily lives. Unfortunately, we won’t return to the world as we knew it in December 2019, and new banking, healthcare, and education models remain a work in progress.
This global pandemic brought a wave of unprecedented fiscal and operational risks to many financial organizations in its wake. Recognizing the radical change in threats seen during the pandemic, risk managers and the Chief Risk Officer (CRO) should now analyze, alter, and enhance their risk evaluation and presentation strategies so they can continue to communicate effectively with the executive team and the Board.
There are three foundational ERM reporting elements that risk managers should be communicating right now to evolve with these trying times:
- Risk appetite statements,
- Enterprise risk assessments (ERA), and
- Key risk indicators (KRI).
ERM Reporting Element #1: Risk Appetite Statement
A risk appetite statement is a translator in a strategic, top-down enterprise risk management (ERM) program. It lets organizations take the enterprise-level strategy and turn it into a business unit playbook. This tool empowers the organization to clearly define the risks they’re willing and unwilling to take. Then, the organization can use this catalog of potential threats to develop metrics that inform current performance versus expectations.
There are typically two generations of risk appetite statement maturity:
In Generation 1, the organization takes the enterprise strategy and develops qualitative statements around it. This statement provides the ‘risk takers’ with the business-level direction they need to determine what risks they can take and which would be worth taking.
A Generation 2 risk appetite statement provides Boards insight into how much risk the organization is taking.
For example, we often think of limits by default when talking about metrics: unexpected losses due to fraud or error should not exceed a certain amount. Although this information doesn’t provide boundaries, it provides a frame of reference for the magnitude of impact. But having a limit alone doesn’t necessarily give us beneficial insight. This is where a working session can identify the standard limit, the high end of the limit, and the low and moderate risk thresholds.
These metrics should be trended to show where we have been and where the future metric may be. This will allow the Board to quickly understand where (and if) things are operating as they should. It also quickly highlights where an organization needs to pay more attention to its ERM program.
How You Can Upgrade to Generation 2
Organizations already have many of the ERM reporting risk metrics and monitoring activities required for a Generation 2 risk appetite statement. Chances are that the main reporting packages and the various subcommittee packages already contain those metrics. Organizations can then evaluate whether those are the key indicators they want to use as the qualitative metrics. Organizations also need to advance from key performance indicators (KPI) to key risk indicators (KRI). It’s challenging to link emerging risks with forward-looking risk indicators, but by committing to try and adjusting over time, organizations can begin to learn what works and what doesn’t.
ERM Reporting Element #2: Enterprise Risk Assessment
The risk appetite statement told an organization where they’re willing and unwilling to take risks. The ERA takes a different approach and reports the risks an organization is taking. An ERA is one of the key ERM reporting deliverables that you should present to a Board outlining inherent risk based on the risk assessment process. There is a need for Residual Risk reporting, but that leads us to internal control strength, not emerging threats.
Theoretically, the ERA results should align with the risk appetite statement. But if they differ (and the first time we try to align them, they will), that reveals that the organization must review its program and make sure there are no errors. Whether errors are surfaced by the risk appetite statement or by the ERA (or no errors are found at all), every area related to the deviation should be investigated, because a deviation indicates that the organization is either taking too much risk in a particular area, more risk than it is comfortable with, or not enough risk (leaving potential opportunities on the table).
Creating an ERA
The development of an ERA is a first line of defense activity. This assessment is also the foundation for what comes next: developing a second line of defense risk monitoring program. Once we identify the high-risk threats, we can create our monitoring programs. When organizations overlay monitoring activities with KPIs from the ERA results, they’re able to see:
- Opportunities for improvement,
- What they’re focusing too much on, and
- What they’re not focusing on enough.
It also helps shine a light on potential errors in the analysis. Just as you compare the risk appetite statement to the ERA, you can compare the ERA to the monitoring activities and to the risk appetite statement. Consider the relationship as three points of a triangle, with each analysis congruent with the other two.
What Factors Should You Communicate to the C-Suite and the Board?
The risk assessment results provide a lot of good data on the current risk profile of the organization. Still, the assessment has additional valuable information that the Board is also interested in seeing. While completing the assessments, an organization is identifying and evaluating the control environments against various threats. Giving these to a Board will showcase the top hazards to the organization and their potential impacts. The top threats identified here are likely the threats that can put a halt to your operations. Strong controls are expected in these areas with a resulting Residual Risk of Moderate or lower. High residual risk requires discussion and potentially control adjustment because making no changes is akin to self-insuring.
ERM Reporting Element #3: Key Risk Indicators
Many people ask how many KPI and KRI metrics they should present to the Board. Generally, less is more when it comes to ERM reporting metrics. Organizations should boil the hard KPIs and KRIs down to the few that provide an early warning and communication system.
Indicators often overlap. If one is triggered, chances are three or four of them are also going to be triggered. But you don’t need all three or four in your presentation. Instead of having all indicators presented, you only need to display the one that’s always going to trip in that situation to alert you to look deeper into these risks.
Financial and operational risk metrics provide the most significant level of insight for your organization. However, it’s not just financial concerns that are going to steer the direction of your enterprise and determine your success. Analyzing operational, strategic, and reputational metrics is also imperative to an organization.
Just as the risks and challenges faced by organizations evolved amid the pandemic, the way organizations report risk must also evolve. Foundational ERM program elements must mature quickly; otherwise, we’re likely to miss new economic trends and emerging risks that can harm operations. To stay on top of the progressing threats introduced by COVID-19, and to adequately prepare for the future, risk managers need to present risk appetite statements, ERAs, KPIs, and KRIs to their Boards. Focusing on these three analyses will help your organization link its ERM framework to its overall business strategy, goals, and capital.