Risk intelligence
Traditionally, board of directors and management have focused on understanding a company's financial reporting and the related risk management programs. Board of directors and management, today, have broadened their horizon to include an understanding of the broader risks affecting the company, as well as the company’s overall risk management program.
These risks may be related to the organisation’s strategy, operations, and compliance with environmental, health, safety, legal, and regulatory requirements. Therefore, board of directors and management should develop a thorough understanding of the company's overall risk management processes across the enterprise.
There are a growing number of tools available for companies to use to support their management of enterprise risks, including risks associated with financial reporting; to assess the potential impact of risks and the degree of vulnerability; and to link risks to specific management areas and activities in the organisation.
When considering both effectiveness and efficiency of the company’s process for enterprise risk management, board of directors and management might ask the following questions:
- What is the company's policy and process for assessing and managing major risk exposures on an integrated, enterprise-wide basis?
- What are the key risks and vulnerabilities and the plans to address them?
- What is the company's appetite for risk and how much risk has it assumed?
- How capable is the company of preparing for, responding to, and recovering from major financial risk exposures?
To keep the company's risk profile aligned with changes in the business, enterprise risk should be assessed by management at least once a year. Also, any significant business events (e.g., acquisitions, mergers, or divestitures) should result in the re-evaluation of the company's risk profile and its implications for financial reporting. Although management has the primary responsibility for assessing enterprise risk, the board of directors may have an active role in overseeing the process and in understanding management's response to the identified risks.
In assessing enterprise risk, management should:
- determine the specific risks that might arise as a consequence of the organisation's business model, strategy, and operations, thereby identifying and prioritising risks in the context of the company's unique characteristics and operating environment
- assess the potential impact of each identified risk on the integrity of financial reporting, as well as on the company's strategy, operations, and compliance activities
- align each risk with the company's objectives for creating and preserving value, including specific business processes or functional areas in which that risk may occur
assign responsibility for monitoring, responding to, and controlling each risk, or set of risks, to the appropriate individuals - monitor and report on changing risk conditions
- establish formal communication and escalation protocols regarding risk response, control performance, and changes to the organisation's risk profile.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/cn/en/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
