
Boards determine a company's approach to risk, but…how?

One of many areas to which boards are currently dedicating more time is risk oversight. It follows from a director's "duty of care and skill" that each director, and the board as a collective team, is responsible for risk oversight.

One of the responsibilities involved in risk oversight is establishing the company's approach to risk. But what does that mean as an actual board task? Let's look at some different approaches:

First, the board may seek to define a global or aggregate risk appetite for the company as a whole. This may prove difficult, for several reasons: a) some of the risks are difficult to quantify; b) some of them are difficult to mitigate; c) groups with very diverse activities sometimes find it tough to draft a coherent global risk map; d) the cost of a risk, and the appetite for it, can vary over time.

Second, some companies think all they can do is to have a good understanding of the company's risks, and of the way each of them varies with changes in strategy, operations and environment.

Third, some boards will only commit to determining appetite or tolerance for individual risks. For them, a map of acceptable risks and of those that should be avoided is probably the most workable risk indication tool.

What is usual in companies is that directors think the board has a clear and common view on risk appetite, even though it may not have a formal framework. Nevertheless, when directors dive into the details, they realize they don't share the same view of the company's approach to risk.

Moreover, there are many examples, in very diverse sectors, of boards and even C-suites that were not even aware of certain risks, and so exposed their firms to legal claims, environmental disasters, reputation events, kidnappings, and so on.

How to address the issue?

A path to define the risk appetite of a firm could be drafted as follows:

First, input is needed on the company's ambitions.

Second, stakeholders can be asked what level of exposure to a given risk is acceptable to them, given its likelihood and effects. From that, a matrix of "Tolerate", "Terminate", "Treat" (to reduce likelihood or effects) and "Transfer" can be built.

Putting together this matrix may be a starting point.
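The following is an added example, not part of the original post, of how the stakeholder input and the "Tolerate / Terminate / Treat / Transfer" matrix described above can be made concrete. It assumes a 1-to-5 likelihood and impact scale, a score of likelihood × impact, and two appetite thresholds per stakeholder; the risks, scores and stakeholder names are constructed for illustration. It also goes slightly beyond the text by comparing several stakeholders' appetites side by side, which surfaces the divergent views the post warns about.

```python
from dataclasses import dataclass
from enum import Enum


class Treatment(str, Enum):
    """The four treatment options of the matrix described in the post."""
    TOLERATE = "Tolerate"      # accept the exposure as it is
    TREAT = "Treat"            # reduce likelihood or effects in-house
    TRANSFER = "Transfer"      # move the effects to a third party (insurance, contract)
    TERMINATE = "Terminate"    # stop the activity that creates the risk


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)   (assumed scale)
    impact: int            # 1 (minor) .. 5 (severe)          (assumed scale)
    transferable: bool     # can the effects realistically be insured or contracted away?

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: likelihood/impact must be in 1..5")

    @property
    def score(self) -> int:
        """Likelihood x impact: the 'exposure' a stakeholder is asked to accept or not."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Appetite:
    """One stakeholder's answer to 'how much exposure is acceptable to you?' (constructed)."""
    tolerate_max: int      # scores at or below this need no action
    terminate_min: int     # scores at or above this are unacceptable


def classify(risk: Risk, appetite: Appetite) -> Treatment:
    """Map one risk to one cell of the 4T matrix under one stakeholder's appetite."""
    if risk.score <= appetite.tolerate_max:
        return Treatment.TOLERATE
    if risk.score >= appetite.terminate_min:
        return Treatment.TERMINATE
    # Middle band: reduce it ourselves, or pass the effects on if that is realistic.
    return Treatment.TRANSFER if risk.transferable else Treatment.TREAT


def build_matrix(risks: list[Risk], appetite: Appetite) -> dict[str, Treatment]:
    """The matrix for a single stakeholder: risk name -> treatment."""
    return {r.name: classify(r, appetite) for r in risks}


def disagreements(risks: list[Risk], appetites: dict[str, Appetite]) -> dict[str, dict[str, Treatment]]:
    """Risks on which stakeholders' appetites lead to different treatments.

    These are exactly the items the board has to discuss before it can claim a
    'common view' on risk appetite.
    """
    out: dict[str, dict[str, Treatment]] = {}
    for r in risks:
        views = {who: classify(r, a) for who, a in appetites.items()}
        if len(set(views.values())) > 1:
            out[r.name] = views
    return out


# Constructed sample register and constructed stakeholder appetites.
RISKS = [
    Risk("Supplier data breach", likelihood=3, impact=4, transferable=True),   # score 12
    Risk("Regulatory fine", likelihood=2, impact=5, transferable=False),       # score 10
    Risk("Office power outage", likelihood=4, impact=1, transferable=False),   # score 4
    Risk("Key-person loss", likelihood=2, impact=3, transferable=False),       # score 6
    Risk("Unlicensed software use", likelihood=5, impact=3, transferable=False),  # score 15
]
APPETITES = {
    "Audit committee chair": Appetite(tolerate_max=4, terminate_min=15),
    "CEO": Appetite(tolerate_max=6, terminate_min=20),
}

if __name__ == "__main__":
    for who, appetite in APPETITES.items():
        print(f"--- {who}")
        for name, treatment in build_matrix(RISKS, appetite).items():
            print(f"  {name:<26} {treatment.value}")
    print("--- Needs board discussion")
    for name, views in disagreements(RISKS, APPETITES).items():
        print(f"  {name}: " + ", ".join(f"{w}={t.value}" for w, t in views.items()))
```

Running it prints each stakeholder's matrix and then the two risks ("Key-person loss" and "Unlicensed software use") on which the constructed appetites disagree, which is where the formal framework earns its keep: the same register, scored the same way, still yields different treatments until the thresholds are reconciled.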

There are several methodologies that companies and advisors use, such as COSO or ISO 31000, but sometimes the system is ad hoc or based on experience.
