Risk Intelligence: A Board Imperative
Deloitte Insights Video
The introduction of the Dodd-Frank Act and new SEC proxy disclosure rules has changed the way businesses view traditional enterprise risk management. Now, more than ever, boards are seeking greater transparency and better mechanisms to carry out their risk oversight responsibilities.
Tune into this episode of Deloitte Insights to learn more about why Risk Intelligence should be an imperative for every executive board.
Henry Ristuccia, partner, Deloitte & Touche LLP and Global Leader Governance, Risk and Compliance
Maureen Errity, director, Deloitte Center for Corporate Governance
Sean O’Grady, Host, Deloitte Insights: Today’s topic is Risk Intelligence and how it should be handled by your company’s board. With us today, in New York, to talk about this topic is Henry Ristuccia, partner, Deloitte & Touche LLP and Global Leader, Governance, Risk and Compliance Services. Here also is Maureen Errity, a Director in Deloitte LLP’s Center for Corporate Governance. Folks, thank you so much for joining us. Tell me a little bit about why you feel Risk Intelligence should be a board imperative. Henry?
Henry Ristuccia: Well, Risk Intelligence is Deloitte's perspective on traditional enterprise risk management. What we found as a result of the lessons learned from the economic crisis and the credit crisis is that major stakeholders feel that traditional risk management has failed or had shortcomings. When you talk to legislators and regulators (and we see this with Dodd-Frank and with some of the new SEC regulations around proxy disclosure), you see a real focus on improving corporate governance and the risk management activities in organizations. When you turn that to independent directors and boards, clearly, independent directors are looking for greater transparency and better mechanisms to manage risks at a very high level in the organization. Generally speaking, the real critical risks are what we call the “value killer” risks.
Sean: And Maureen, you agree?
Maureen Errity: I definitely agree with that. I think the regulatory landscape and marketplace has changed. Boards are looked at differently now as playing a significant role in this whole risk discussion, risk management program. I think what we have seen from the new regulations is that there is new disclosure around, specifically, the board’s role in risk oversight, and investors and shareholders care about this. I think boards now, from our experiences working with boards and audit committees, see that risk is at the top of their agenda. They want to know what the leading practices are and how you really oversee risks effectively. With their role being around strategy (and one of the key roles of the board being around strategy and advising and informing on that), you need to tie your strategy to the risks and your risk appetite and the level of risk you want to take in the market. They kind of go hand in hand, so tying it to their role is just common sense. So, I do think the landscape has changed and it is definitely a board imperative. It creates opportunities, and obviously creates value for the organization.
Sean: Speaking of the board, you have a model that you would like to use when describing how a company should structure itself, how a board should structure itself around risk. Can you explain that model to us?
Maureen: Sure. Henry alluded to a Risk Intelligent Enterprise™. We have created a framework (and you probably see this triangle on the screen right now) and it really encompasses the three levels in the organization. At the bottom level, you have the business unit owners who are very important in this process because they own and identify the risks in the organization. They are continually assessing those risks. At the middle level, you have the executive management team, your C-Suite, and either a chief risk officer or CFO. Obviously, the CEO is owning risk management, but they are putting in place the infrastructure that the employees will follow, the policies and procedures and kind of the framework of the organization around risk management. At the top level, you have the board of directors who are setting the tone for risk being a priority in the organization, making sure that management is actually putting those programs and policies in place, and challenging them for making sure it is the most effective. So, it is critical that the three parties are working together. While it’s a triangle, I would not say it is bottom-up or top-down. You have the tone being set from the top but the business unit owners are really identifying those risks that then ultimately filter up to the board. The board is discussing those most material, significant risks, where the organization is most vulnerable. So, it is kind of very much of a team effort with the three parties involved.
Sean: And how about you Henry? What is your take on this?
Henry: Clearly, Sean, I would stress the roles and responsibilities that Maureen is talking about. The top of the triangle is where the tone at the top is set by the board. The board also helps executive management identify the most critical risks of the organization going across four general categories: Strategic risks – risks both to and of the business strategy – the mission of the organization; operational risks – the critical elements of business operations that drive the organization, ensure its continuity, and its effectiveness; financial risks – liquidity risk is a significant issue that we saw as a result of the credit and economic crisis; and then lastly, compliance. And these days, there is more and more compliance that organizations need to be sensitive to.
Sean: So, Henry, let us say an organization goes ahead and they employ this structure. How would they go about aligning risk oversight and management to the company strategy?
Henry: This is the most critical thing (and many times the most difficult) for organizations to address. It clearly is a call to action by the top of the triangle, the top of the Deloitte model for the Risk Intelligent Enterprise™. Boards need to work with senior management, and it works both ways to identify what is the strategy and what could go wrong. And what we found is that there are two dimensions to that: one is the risks to the strategy, which tie very closely to the operational risks. The other side, which is really the challenge in thinking out of the box, is looking at the assumptions of the strategy that could go wrong. The example I would use is in the economic and credit crisis, many organizations felt that the price of housing would go up indefinitely and the underlying markets were related to that. That was a bad assumption. Challenging those types of assumptions is absolutely critical.
Sean: Maureen your thoughts here?
Maureen: I would agree with Henry. What is critical to this whole discussion is what information the board is receiving from management. To lay out those assumptions, what risks are associated with those assumptions, and what it looks like if you aggregate those risks. And then the board is probably now asking questions since the landscape has changed: “What if this fails?” Then different scenarios are laid out. So now you have a risk planning process in place that allows for different strategies and is kind of fitting to what is going to work at any point in time. I would also say that we did this research project looking at the proxy statements last year looking to see if companies were talking about risk and strategy being aligned and only about 30 percent to 35 percent of those in the S&P 500 were actually disclosing this. We would think that that is going to increase because now it is very much tied and these discussions are happening in the boardroom.
Sean: My last question is for both of you. Maureen, we can begin with you. What should boards be doing to be more Risk Intelligent?
Maureen: It is a good question. This whole idea of Risk Intelligence, I think, is pretty practical. There are probably four or five things that a board could do. First, we have talked about setting the tone at the top. The board really needs to set the tone there. Getting risk management programs right is critical and working with management around those processes and policies, so that the rest of the organization gets that message. Also, risk thinking should be embedded in the culture in the way that the board does that. Secondly, they should be focused on their own governance structure and who at the board and which committee should be involved in overseeing the risks that are being identified. Then, ultimately, the full board obviously is accountable and they should be discussing those most material risks where the company is most vulnerable. So the risk governance structure is number 2. The third thing we have talked about is the risk management infrastructure and the board talking with management around which infrastructure they are putting in place, who is going to own it at the management level, and how is it going to filter throughout the organization. So, I think the board can now add a lot of perspective and experience in that area as well. And then finally, probably the most important, is aligning risk to the strategy and making sure in those strategic discussions that the board is asking those questions and getting the right information, identifying the risks and continually monitoring all of these things.
Henry: I would emphasize this viewpoint on risks. It includes a broad aperture of risks, which starts with strategy because that is where the real “value killers” are (or could be) and then these other categories of risks as well, operational, financial risks, and compliance. Then you must have a consistent approach that provides the board with transparency and aggregations starting with the executive management layer and then working down to the other layers connecting all the component pieces. That consistent view should be broad enough and balanced, but also provide a consistent report by management to the board.
Sean O’Grady: So be sure to be consistent. We have been talking Risk Intelligence with Henry Ristuccia, a Partner in Deloitte & Touche LLP, and the Co-Leader of Deloitte’s Governance and Risk Management Services, and Maureen Errity, a Director in Deloitte LLP’s Center for Corporate Governance. If you would like to learn more about Henry, Maureen, or any of the topics we discussed on this broadcast, you can find them and many more on our website; that’s www.deloitte.com/us/podcasts. For all the good folks here at Insights I am Sean O’Grady. We will see you next time.