When the financial crisis of 2008 hit, businesses, regulators, stakeholders and industry in general were forced to sit up and take notice because everybody felt the pain. Glaring deficiencies in the way things were done, became obvious. What also became obvious was that the way things were was not ideal, and an overhaul was necessary. The financial crisis also turned the spotlight on risk management practices. Organisations became aware that while internal controls needed to be tightened, boards needed to be up to the mark in providing much-needed oversight as part of the control system. Ensuring that risk responses were functioning as intended, became part of board oversight.
Governance is generally seen as the way the organisation is directed and managed; the direction is set by the board and management implements strategies accordingly. But part of the board’s role is also to create, sustain or increase the value of the organisation. In carrying out its duties, the board’s oversight of the organisation’s controls puts it in a position to also determine many aspects related to the firm’s risks, such as the limits of its risk appetite and tolerance. Corporate boards and risk management are intertwined to a greater degree than they may realise because the decisions boards make could be based on information derived through ERM-based processes and procedures.
In fact, analysts and observers often point to board decision-making as one of the main areas where critical risks may arise. The board needs to understand the key risks confronting the organisation and make an assessment of the firm’s abilities to manage these risks before setting organisational strategies and objectives. This sort of strategic decision-making is essentially the roadmap for the organisation and the basis of setting its risk strategy. While developing the firm’s risk appetite is the responsibility of management, the board’s support and approval is needed. The risk appetite should be tailored to the requirements of the organisation, and be set only after careful consideration.
Other than agreement and support, the board also needs to provide oversight over the processes and procedures related to adherence to the firm’s risk appetite. These processes and procedures may need fine-tuning; this is where the board, with its expertise and authority, may advise adjustments after scrutiny. It is worth noting that organisations can expect to not get things right the first time, but they will get progressively better as they go along, as understanding of their priorities, core issues and challenges grows. Established standards such as ISO 31000 are good benchmarks to apply, when trying to set in place viable frameworks. As this grows, so too will accountability and transparency.
One of the issues that may emerge is the lack of cooperation or collaboration between the organisation’s individual departments, units or subsidiaries. It is not unusual to find that operating in siloes is the norm, especially in large concerns like multinationals. Because of this isolation, staff may not be able to align performance with the company vision and objectives, and run the risk of not being as engaged with their jobs as expected.
Corporate boards and risk management have to be viewed through the same lens because how a firm’s risk is managed dictates how much value will be added to or subtracted from it in the long term. Moreover, applying ERM frameworks which are structured and clearly laid out, makes it easier for boards to perform their tasks in an open, transparent and accountable way. In light of the growing demand for accountability by various stakeholder groups, boards cannot afford to ignore this aspect of governance. They need to be seen to be proactive about increasing stakeholder confidence levels.
Boards need to know that the discussions about corporate governance standards and risk are ongoing, globally. They need to realise that the dynamics of the business environment have made this necessary because changes are happening faster; businesses can hardly keep up – yet they cannot afford to fall behind. Even risk-taking is evolving. Where it was viewed as a threat before, organisations may well see it as an opportunity to leverage on, to maintain competitiveness. This may substantially change the firm’s risk landscape and expose it to more or different kinds of risk that it may not be equipped to deal with.
Because of ERM’s holistic approach, boards are able to view their organisations’ risks from a big-picture perspective, which is imperative where long-term planning – and strategising – is concerned. What this indicates to stakeholders is that the necessary planning, and therefore oversight, is in place. The board, which essentially helms the enterprise, is doing all it can to make the right, correctly-informed decisions that will ensure the business is sustained in the best way possible. Putting all this into practice is challenging but the end result will be a more efficient, cost-conscious, cost-effective organisation that will hold its own, and add to its value, in an increasingly competitive, disrupted and uncertain environment.