The Risk Conversation in the Boardroom Part Two
Exploring Risk Appetite and Tolerance in Practice
Strategic risks can be challenging for boards of directors to identify and manage. In part one of our two-part article about Risk in the Boardroom, we discussed the differences between Risk Tolerance and Risk Appetite to set a foundation for the Risk Conversation as it pertains to the Boardroom. With that knowledge in hand, part two will delve into how risk management can affect board decisions and processes.
Risk-Based Decision Making
Vidya Phalke, CTO at MetricStream, says, “Stakeholders are increasingly holding corporate leadership to a higher standard when it comes to managing risks of all kinds — systemic risk, geopolitical risk, credit risk, cyber risk, macroeconomic risk, technology risk, and more.” The decisions boards of directors make, and their relationship to an organization’s risk tolerance, are under a microscope. Thus, these decisions must factor in compliance with all applicable laws, regulations, and contracts. Everyone within the organization, from the low-level employees up to the C-Suite, must be within the risk threshold.
Corporate Compliance Insight shares the following examples of risk management in action. “[R]isk appetite and tolerance can be found in the area of customer service. The Boards of Directors in many companies routinely make decisions on how many angry and dissatisfied customers they are willing to accept and tolerate. Similarly, in the environmental and sustainability area, many companies and their Boards must decide what their appetite and tolerance are towards polluting the environment through their operations.”
Risk Management Audits
Many risk management programs employed by enterprises focus on identifying, measuring, and reporting the company’s top risks. It is the internal audit department’s role to develop and complete “risk-based” audit plans and report subjective opinions on an organization’s overall risk. Outside of the purview of defined risk management programs and audit boards is the percentage of risk that is passed on to the board of directors. In discussing the role of internal audit departments, The Harvard Law School article on Board Oversight lists the following as generally accepted risk assessment methods: contractual risk-sharing, insurance, and risk avoidance. Audits done internally will provide the board of directors with information regarding which of their objectives may pose the most significant amount of risk. All of this enables the board to make safe, educated decisions about the direction of their organization.
Audit Committees are created within boards of directors to provide financial oversight and reporting during the audit process. Cybersecurity and risk management are top concerns for audit committees. “Financial reporting, compliance, and risk management are subject to a number of hazards, especially when the company is a large organization with thousands of personnel and reporting systems stretching across the globe,” says Investopedia. “Exogenous threats such as cyber hacking are under the purview of an audit committee, making its job even more challenging.” One way that audit committees can mitigate risk when reporting on financial matters is to implement a secure board portal, like BoardBookit.
This Wall Street Journal article argues that building a Risk Framework can help “companies understand which risks provide opportunities for long-term value creation and which to protect against. To optimize value on a risk-weighted basis, companies should first make sure to have a strong enterprise risk management program as the foundation upon which to build. This would include having a risk governance and reporting cadence, and standardizing and deploying enterprise-wide risk management processes with regard to operational, financial and compliance risks, developing risk responses and mitigation plans.”
In a Q&A with The Wall Street Journal, Andrew Blau, managing director of Deloitte & Touche LLP’s Strategic Risk Solutions practice, shares, “Simply providing executives and boards with more data to wade through is not the solution, and the subject of risk by itself can put people in a defensive posture. An effort should be made to not just present information but present it in ways consistent with people’s ability to manage and navigate it, and in ways that help break down built-in institutional challenges or biases to getting and acting on the information.”