Archive for the ‘Enterprise Risk’ Category

General Motors, risk management and lessons from the unfortunate ignition switch event.

September 16, 2014

I would like to bring forward the case of firms that, when managing risks, deal with the most valuable human asset: life. This is the case of the automobile industry, the airlines and so many other sectors.

When we analyse the dramatic events these companies are forced to face, we may simply think of these tragedies as accidents; but they generally offer a number of lessons that help other managers, boards and companies avoid similar circumstances in the future. This is the case of General Motors and the defects in some of its vehicles, which have apparently caused several deaths over a long period of time without the company noticing at the top or doing anything effective to stop the casualties. In particular, the company's risk oversight and management systems have been called into question.


Boards determine a company's approach to risk, but… how?

One of the many areas to which boards are currently dedicating more time is risk oversight. It goes with a director's “duty of care and skill” that directors, and the board as a collective team, are responsible for risk oversight.

One of the responsibilities involved in risk oversight is establishing the company's approach to risk. But what does that mean as an actual board task? Let's look at some different approaches:

First, the board may seek to define a global or aggregate risk appetite for the company as a whole. This may prove difficult, for several reasons: a) some risks are difficult to quantify; b) some are difficult to mitigate; c) groups with very diverse activities sometimes find it tough to draft a coherent global risk map; d) risk cost and appetite can vary over time.

Second, some companies think all they can do is to have a good understanding of the company's risks, and of the way each of them varies with changes in strategy, operations and environment.

Third, some boards would only accept that they are able to determine appetite or tolerance for individual risks. So a map of acceptable risks and of those that should be avoided could probably be their risk indication tool.

It is usual in companies for directors to think they have a clear and common view of risk appetite on the board, although they might not have a formal framework. Nevertheless, when directors dive into the details, they realize they do not share the same view of the company's risk approach.

Moreover, there are many examples in very diverse sectors where boards and even C-suites were not even aware of risks, and exposed their firms to legal claims, environmental disasters, reputation events, kidnappings, and so on.

How to address the issue?

A path to define the risk appetite of a firm could be drafted as follows:

First, input is needed on the company's ambitions.

Second, stakeholders can be asked for the level of exposure acceptable to them for a certain risk, given its likelihood and effects. From this, a matrix of “Tolerate”, “Terminate”, “Treat” (to reduce likelihood or effects) and “Transfer” can be built.

Putting together this matrix may be a starting point.

There are several methodologies companies and advisors use, such as COSO or ISO 31000, but sometimes the system is ad hoc or based on experience.


The risk oversight function of the Board

December 9, 2012

The number of yearly bankruptcies (generally low) shows that management-led enterprise risk models are not always effective, if they exist at all. But in many other cases, underperformance and loss of shareholder value are the consequences of that failure.


Traditional Corporate Governance models establish that “the board cannot and should not be involved in actual day-to-day risk management. Directors should instead, through their risk oversight role, satisfy themselves that the risk management policies and procedures designed and implemented by the company’s senior executives and risk managers are consistent with the company’s strategy and risk appetite, that these policies and procedures are functioning as directed, and that necessary steps are taken to foster a culture of risk-aware and risk-adjusted decision-making throughout the organization”.


What is the objective of the risk oversight role of the Board?


We can identify the following two:


  • Preserving viability: the bankruptcy case, even if it needs to be considered, is not generally in the path of most companies.
  • Improving shareholder value is what should really concern directors. This is the main risk oversight role of directors.


Where does the risk oversight role of the board come from?


This board's task comes basically from regulations on the role of directors:


a) Directors' fiduciary duties: directors comply with their obligations by assuring that adequate risk management oversight systems are in place. Provided this is the case, the level of risk aversion adopted by a company is covered by the business judgement rule, which means directors are not responsible for the effects of risk, but only for a “sustained or systemic failure” to exercise oversight.

b) Other: other laws, listing requirements and sector-specific regulations.


What is the role of a board? Is that role the same, whatever the risk?


It is generally agreed that Boards are responsible for:


  • Determining the company's approach to risk, the risk appetite or tolerance, and its relationship with the expected rewards for the company and for managers.
  • Setting the right culture throughout the organisation.
  • Assuring that the material risks the company faces are identified, (dynamically) reviewing the risk categories and their interrelationships.
  • Assuring the company has risk strategies tailored to its risk profile, its strategy, and the kind of material risks it confronts.
  • Reviewing with managers the independence of the risk management function, the risk policies in place and their implementation, and all external reports, as necessary for the risk function.
  • Assuring that risk is integrated into business decision-making throughout the organisation, and that adequate information flow systems are in place.
  • Transferring relevant information on risks to managers and committees.


Nevertheless, there are certain areas where a deeper role is recommended: in particular, where managers cannot be relied on to do a good job, for different reasons, as in the case of risks associated with leadership and strategy.


Strategic risk: it can be defined as the risk that may most severely affect shareholder value, prevent the company from reaching its objectives, or even threaten its survival. Thus, directors need to challenge managers about the risks to the proposed strategy, particularly those coming from external factors. The first step is a continual strategic risk assessment. There are several steps to deliver it properly (understanding the strategy, obtaining data, preparing a risk profile, developing a strategic risk management action plan, communicating both, and implementing the plan), and it should be embedded in the management team. The second step is integrating risk management into strategy setting and measurement processes (following Kaplan and Norton's “The Execution Premium” could help).

Leadership: it is understood that the board is responsible for assessing the performance and leadership capabilities of managers, and particularly of the CEO.


How should the Board execute its oversight function?


Many boards delegate the function to the Audit Committee. Separate risk committees are not common outside the financial industry. Sometimes several committees are responsible for the risk oversight role (when different relevant risks are present), which requires some kind of coordination. In any case, the board should engage annually in a review of the risk management system, probably with external help.


Flow of information


The board needs to assure that there is enough information flow about risk and risk management procedures, and should gather this information from managers directly if necessary.