Smart businesses have an approach to risk management which goes beyond compliance, and corporate risk management reporting needs to play a key role in supporting both the risk process and the strategic
Recent studies have demonstrated that compliance with corporate governance recommendations and regulations is the main driver behind the implementation of risk management systems. This comes as no surprise, given government initiatives such as the Sarbanes-Oxley Act in the US, the Turnbull/Combined Code for corporate governance in the UK and increased London Stock Exchange and SEC mandates for risk management responsibility at board director level.
As a result, many companies are producing central risk management policies and annual risk assessments, detailing their top risks and, in the better cases, providing an overview of what actions have been assigned to the risk committee. While this appears to satisfy the reporting accountants during the annual review, is it going far enough in terms of meeting the interests of good business management and maintaining shareholder value?
Corporate compliance is not enough for business growth
Organisations appear to have recognised that if they are found to be non-compliant with corporate governance requirements, shareholders will start to ask uncomfortable questions. If not answered positively, such questions could have a serious impact on the organisation, with the possible consequences of a loss in share value or an increased regulatory reporting regime.
In looking to provide this positive response publicly, a listed organisation requires a management strategy with a high-level risk management framework and corporate reporting structure to ensure that it does not fall foul of the new and ever-increasing requirements.
This should be encouraging news, as an organisation that is able to demonstrate talent and foresight when dealing with this type of risk through its internal controls and processes will also be able to deal with all the other risks that an uncertain world throws at the business. Or will it?
History, as well as audits of corporate risk registers of compliant companies in both the public and the private sector, indicates otherwise. Problems in dealing with corporate risks seem to stem from a lack of correlation between the corporate risk register and the detailed risk profiles of the underlying business units, assets, functions and programmes.
The top risks identified at board level tend to be highly generic and show no evidence of either being cascaded down to the rest of the business or of having been established following escalation or aggregation of emerging risks within the business. The impression given is that, when confronted with the compliance issue, senior managers gather to brainstorm a set of risks without making reference to the risks the business has already identified.
This same pattern permeates through the exposure assessments against the top risks. In some assessments, risks are scored using a crude qualitative scheme, resulting in an analysis that reveals little more than that the company has some 'red' risks which will soon turn to 'amber' or 'green'.
In other circumstances, detailed quantitative analysis tools are used inappropriately, resulting in Monte Carlo analyses stating how the company's risk exposure has, for example, been reduced from £213.45m and mitigated down to £98.34m at a 90% confidence level, against a contingency budget of £120m. Such analyses are often based on estimates for individual risks which are rounded to the nearest £10m. This illusory accuracy may provide comfort to the board, but ultimately cannot be relied upon.
In both cases, it is extremely difficult to be assured that the potential impact on the business and the achievement of its corporate objectives is well understood at board level. If the board does not truly understand the problems, how can it be expected to solve them?
Audits have also shown that risk executive committee meetings tend to revolve around a superficial review of the generic top risks without much attempt to drill down into the potential problem areas.
These issues are symptomatic of a number of things. Firstly, that an organisation is struggling to communicate its risks between the tiers of management hierarchy. Secondly, and perhaps as a result, the board is struggling to understand the consequences of the risks and how they will impact upon the objectives of the organisation. Therefore, it would appear that a compliance-driven approach led purely from the board room can result in the attitude that an organisation is healthy so long as the appropriate boxes are ticked.
This implies that there needs to be a change in approach at board level.
Rather than relying solely on their own knowledge to make judgements about impending risks, senior managers need to be aware of risks that are rising up within their organisation.
To be effective, risk information needs to be transparent from executive level, through to the management and operational levels of an organisation (and back up the ladder). It also needs to be open to scrutiny and challenge, as it is only through the transparent communication of risk that the decision-making process can be supported, as it should be, by the risk management process.
This is not to say that the board should be micro-managing risks across the organisation. The board's role is to ensure that the organisation as a whole is managing its risks effectively and to judge when an emerging risk, highlighted for attention by managers within the organisation, has major implications for key business objectives. When managers have identified and prioritised this information for the board, the board must then take this knowledge and use it to develop a risk-informed business strategy to control risk.
The days when risk management could be effectively carried out in a business independently, in silos, are gone. It is not sufficient to identify a set of risks and file them on the risk register. The key to effective risk management is communication and mitigation.
The culture of the business should support the need (and ease) for every manager to take responsibility, not only for identifying and managing the risks in their own area, but also for understanding the implications of the risk in the wider context of the business. Having the right people know when a risk needs to be escalated and having the process and the tools to do so is essential to good corporate risk management.
In modern businesses, risk information needs to be transparent and available when people require it. It needs to be easily communicated both up through the management hierarchy and across the business. Using a central data repository for risk information including quantified assessments, mitigation plans and responses allows the instant communication of vital information across the enterprise. Ideally, in addition to an escalation process, a drill-down capability should be available, so that someone reviewing the corporate risk register should be able to access the information underlying and supporting these top risks. Categorisation of risks can help identify where connected risks contribute to a large corporate risk. This sort of analysis is essential in providing the data from the business and communicating it to the board. Members of the board are unlikely to trawl through thousands of risks to understand the threat to a single high level objective, so it is important to be able to filter and search the data for relevant information.
A powerful filtering and prioritisation mechanism, providing an effective tool for slicing and dicing the data, is essential. Using established risk categorisation breakdown structures within the recording and search functions will allow common risk themes to be identified across the organisation.
These themes (or pools of common risks) can then be linked to an existing strategic or corporate risk and at the same time improve the definition and understanding of the key causes and consequences of the risk.
Building the information for corporate risks on the greater detail available within the operational levels of the business means that better-informed business decisions can be made and effective mitigation strategies can be put in place, which not only deal with the corporate risk but also address the many connected risks around the business. Under a 'silo' compliance approach, where there is no transparency, these opportunities for shared mitigation plans are often overlooked.
Although the approach described above will improve the definition of high level risks and allow effective mitigation plans to be developed, this alone will still not provide an effective corporate view. It is also essential when assessing corporate risks to consider what exactly will be impacted by the risk. In the case of corporate risks it will be the key objectives of the organisation that are impacted.
To achieve an effective approach, the model needs to be extended to support a relationship between the corporate risk register and higher level objectives (HLOs), related key strategic initiatives and key performance indicators (KPIs) of the business. This will firmly connect the corporate risks to the business plan, which should detail these objectives and indicators. Such a relationship is detailed in the diagram.
Turning data into information
The alignment of good quality, well defined corporate risks to key corporate objectives and performance indicators forms the foundation for a risk-based approach to strategic business planning and aligns corporate risk reporting with the business performance reports.
With this information available, reports can be designed to ensure that executives deal with the real threats and opportunities to the success of the business and when a decision is required, it is supported by clear, concise and accessible information.
Once an initial framework has been set up, risks have been identified, assessed, and plans have been put in place, it falls to the corporate risk report to do two things:
- monitor performance against the planned mitigations
- monitor the performance of the planned mitigations.
The first process translates into the question 'Did we do what we said we would?' - it is vital that mitigation plans are not allowed to slip, because to delay mitigation leaves the company exposed.
The second process is highly important in the context of corporate governance.
It is effectively asking the question, 'Did the controls we put in place work as planned?'
The stewardship of this information, in terms of highlighting which key risks have ineffective controls and strategies, will start to focus attention and form the basis of a proactive process of drilling down and getting a real understanding of the key drivers and the effectiveness of the strategies in place. This in turn will facilitate the definition of more cost effective strategies using real and financial options.
In essence, the risk executive committee agenda should comprise a drill-down process on one or two key risks that will provide confidence to the executive body that the framework in place is achieving results in terms of avoiding surprises and adding to shareholder value.
Reporting is key
In summary, corporate risk management reporting, as the communication tool between the wider risk process and the board, needs to play a key role in supporting both the risk process and the strategic planning process.
The reports need to communicate, simply, clearly and concisely, in the language of the business, the true nature and magnitude of the threats and opportunities affecting the business objectives, how these affect the company's position overall and what is being done about it.
Alongside this, reports need to assure the board that the risk management process which underpins this information is working effectively: escalating serious issues, actively managing the risks that are not escalated and providing any further information needed to assist the business decision-making process.
To be effective, the corporate reporting process must be supported by a data repository, with the right tools to support risk management (and the different user communities) throughout the enterprise.
When corporate risk reporting works well, the board will make the right decisions; when it does not, they will be taking a step into the dark.
Smart businesses are going beyond the regulatory requirements such as Turnbull and Sarbanes-Oxley and are now seeking to derive real value from true enterprise risk management reporting.
Keiran Betteley is a senior consultant within the enterprise risk management division of Strategic Thought Group, Tel: 020 8410 4000, www.strategicthought.com
More than a decade ago, the 'balanced scorecard' represented an advance in the field of measuring corporate performance, providing a framework for companies to evaluate both financial and non-financial measures, such as quality, customer and employee satisfaction. Subsequently, The Conference Board developed its 'dashboard' concept to take the balanced scorecard from a two-dimensional to a three-dimensional view of corporate performance measures.
The Conference Board has now adopted a new approach to developing an enterprise risk management (ERM) system. This goes beyond both the scorecard and dashboard concepts to not only identify strategic success measures, but also to link them to risk factors. This system allows companies to assess where earnings may be vulnerable and to prioritise risk mitigation strategies.
The Conference Board's research report, Enterprise Risk Management Systems: Beyond the Balanced Scorecard, published last year, describes this approach.
The report, which is written by Carolyn Kay Brancato, is available at www.conference-board.org/publications/describe.cfm?id=971
The price is $295.00 ($75.00 to associates).
Enterprise risk management (ERM) is the subject of one of the half-day workshops to be held at the IATA Airline Insurance & Risk Management Conference 2006: Are We There Yet?
The workshop on practical ERM techniques and tools will cover:
- internal environment, objective setting, risk tolerance
- risk identification and assessment techniques (quantitative benchmarking, qualitative)
- risk responses (policies, procedures, etc)
- reporting and communication
- roles and responsibilities
ERM also features in two additional sessions:
- 'Enterprise risk management - benchmarking standards': Julia Graham, chief risk officer, DLA Piper Rudnick Gray Cary UK LLP, will discuss the development of risk management standards by the British Standards Institution. The committee developing the standards, chaired by this speaker, will contribute its work to the Geneva-based International Organisation for Standardisation.
- 'Compliance, management of risk or both? Has your organisation truly embraced the concept of ERM and put it into practice?': this session will look at whether ERM has been embedded into the corporate culture or whether it is simply a question of corporate governance and compliance.
The conference will be held on 4-5 April. Further details are available at www.iata.org/NR/rdonlyres/E98697B5-57DD-4825-A12C-F2D8CAB52F47/0/AIR06_BRO_WEB.pdf.