Three Risk Factors to Present to Your Board
By Michael D. Cohn, CPA, CISA, CGEIT, WolfPAC Solutions Group
The COVID-19 pandemic drastically altered how we work, how we shop, and how we interact with people in all facets of our daily lives. We won’t return to the world as we remember it in December 2019, and new models for banking, healthcare and education remain a work in progress.
In its wake, the pandemic brought a wave of unprecedented fiscal and operational risks to many financial organizations. Recognizing how radically the threat landscape shifted during the pandemic, risk managers and the Chief Risk Officer (CRO) should now analyze, revise and enhance the way they evaluate and present risk so that they can continue to communicate effectively with the executive team and the Board. To evolve with these trying times, there are three foundational elements risk managers should be reporting right now: risk appetite statements, enterprise risk assessments (ERA), and key risk indicators (KRI).
Risk Appetite Statement
In a strategic, top-down enterprise risk management (ERM) program, a risk appetite statement is a translator. It lets an organization take the enterprise-level strategy and turn it into a business unit playbook that clearly defines the risks the organization is willing and unwilling to take. The organization can then use this catalogue of potential threats to develop metrics that compare current performance against expectations.
There are normally two generations of risk appetite statement maturity:
Generation 1
In Generation 1, the organization takes the enterprise strategy and develops qualitative statements around it. This gives the 'risk takers' business-level direction, so they know which risks may be taken and which are worth taking.
Generation 2
A Generation 2 risk appetite statement provides Boards insight on exactly how much risk the organization is taking.
For example, when we talk about metrics, we tend to think of limits by default: unexpected loss due to fraud or error should not exceed a certain amount. A limit of that kind gives a frame of reference for the magnitude of impact, but on its own it does not give the Board much insight, because a single line tells you only whether it has been crossed. This is where a working session pays off. Instead of setting just the standard limit, define the high end of the limit together with the low and moderate risk thresholds, so that each metric falls into a band rather than a pass/fail. These metrics should then be trended to show where the organization has been and where the metric appears to be heading. This lets the Board quickly understand where (and whether) things are operating as they should, and it quickly highlights where the organization needs to pay more attention in its ERM program.
How You Can Upgrade to Generation 2
Organizations already have many of the risk metrics and monitoring activities that a Generation 2 risk appetite statement requires. Chances are, a look through the existing Board packages and the various subcommittee packages will surface those metrics. The organization can then evaluate whether these are the key indicators it wants to use as its quantitative metrics. Organizations also need to advance from key performance indicators (KPI), which report what has already happened, to key risk indicators (KRI), which signal what may happen next. It is difficult to link emerging risks with forward-indicating risk indicators, but by committing to try and adjusting over time, organizations can begin to learn what works and what doesn't.
Enterprise Risk Assessment
The risk appetite statement tells an organization where it is willing and unwilling to take risk. The ERA takes a different approach and reports the risks the organization is actually taking. An ERA is one of the key reports that should be presented to a Board, outlining inherent risk based on the risk assessment process. Residual risk reporting is also needed, but it speaks to internal control strength rather than to emerging threats.
In theory, the ERA results should align with the risk appetite statement. When they differ (and the first time you try to align them, they will), it is a signal to take another look at the program and make sure there are no errors in either analysis. If no errors are found, every area of deviation should still be investigated, because a genuine gap means the organization is taking more risk in a particular area than it is comfortable with, or not enough risk, and is therefore passing up potential opportunities.
Creating an ERA
Developing an ERA is a first line of defense activity. The foundation for this assessment is also the foundation for what comes next: a second line of defense risk monitoring program. Once the high-risk threats are revealed, monitoring programs can be developed around them.
When organizations overlay their monitoring activities and KPIs on the ERA results, they can see opportunities for improvement, what they are focusing on too much, and what they are not focusing on enough. It also helps shine a light on potential errors in the analysis. Just as you compare the risk appetite statement to the ERA, you can compare the ERA to the monitoring activities and the monitoring activities to the risk appetite statement. Think of the relationship as three points of a triangle, with each analysis congruent with the other two.
What Factors Should Be Communicated to the C-Suite and the Board?
The risk assessment results provide a lot of good data on the current risk profile of the organization, but there is additional valuable information within the assessment that the Board will also want to see. While completing the assessments, an organization identifies and evaluates its control environment against various threats. Presenting these evaluations to the Board showcases the top hazards to the organization and their potential impacts. The top threats identified here are likely the threats that can bring your operations to a halt. Strong controls are expected in these areas, with a resulting residual risk of Moderate or lower. A High residual risk requires discussion and potentially a control adjustment, because leaving it unchanged is akin to self-insuring against that threat.
Key Risk Indicators
Many people ask how many KPI and KRI metrics should typically be presented to the Board. Generally, less is more when it comes to metrics. Organizations should boil their KPIs and KRIs down to a small set that serves as an early warning and communication system.
Indicators often overlap. If one is triggered, chances are three or four others will be triggered as well, but you don't need all of them in your presentation. Instead of presenting every indicator, display only the one that will always trip in that situation, so it alerts you to look deeper into the underlying risks.
Financial and operational risk metrics provide the greatest level of insight for most organizations, but it is not only financial concerns that will steer the direction of your enterprise and determine its success. Being able to analyze operational, strategic, and reputational metrics is equally imperative.
Conclusion
Just as the risks and challenges organizations face evolved amid the pandemic, the way organizations report risk must also evolve. Foundational ERM program elements must mature quickly, or new economic trends and emerging risks will be missed until it is too late. To stay on top of the progressing threats introduced by COVID-19, and to adequately prepare for the future, risk managers need to present risk appetite statements, ERAs, and KPIs and KRIs to their Boards. Focusing on these three analyses will help your organization link its ERM framework to its overall business strategy, goals and capital.
About the author: Mike Cohn is a Principal and the Director of the WolfPAC Solutions Group, where he's responsible for leading the strategic direction of the group. With over 25 years in the banking and technology industries, he has extensive knowledge in strategic planning, technology strategy and management issues, ERM programs, and corporate governance design. He can be reached at mcohn@wolfandco.com.
IBA Associate Member