33-9089 Proxy Disclosure Enhancements Rules: Overseeing Risk Management

In my last blog I asked whether risk oversight was possible without first firmly implementing risk management. A lot of evidence shows that risk management isn’t being practiced well, if at all. I’ll leave the question of precisely what to disclose to others; the SEC encourages additional disclosure. My purpose here is to suggest what directors should ask for, and expect to see, if risk management is, in fact, in place.
Building the Risk Universe 
The Enhanced Compensation Disclosure begins with a discussion of what I will call risk “context”. Specifically, the rules identify organizational attributes for which compensation risk should be discussed (a business unit carrying a significant portion of the company’s risk profile, one where compensation is significantly different, etc.). The rules are good. I just don’t think they are complete. Compensation and other risks need to be assessed in a single context, so I would add to the list of contexts identified here. I’d like to see strategically important organizations identified, and I’d also like to see material business areas where loss events have been, or are expected to be, frequent or large. I’d also like to see poorly performing businesses described. I’d like these largely organizational contexts to be linked to geographic regions and legal entities. Going beyond that, I’d like to see a discussion of risk based on the company’s business model. It’s important to know the context in which risk exists. It’s also important to know the impact of risk on how the company makes money, how value is created and how things are connected. Directors should be able to ask for, and management should be able to provide, a “heat map” of the business broken into organizational and business process contexts, and they should have a rational and consistent basis for assessing the “riskiness” of those contexts. I’d look for a single “universe” of risk context based on organization and business process attributes. It should be the basis of all risk reporting. If management needs to reconstruct the “universe” every year, I’d argue they are not practicing risk management. They are certainly not squeezing efficiencies out of their GRC service providers.
Building the Risk Profile 
To me the risk profile is an aggregation of the types of risks faced by the organization. Risk types would be derived from a consistent taxonomy (e.g. 3rd Party Risks, Financial Risks, Data Security Risks, etc.). Standard & Poor’s published some good sample risk types a couple of years ago when they were first proposing to incorporate ERM into the credit rating process. The risk profile would associate the risk types with the business risk contexts described above. Where can risk occur? What kind of risk should we watch for in the future? What risk exists now? How is it impacting business performance?
Comments and questions are always welcome.

This entry was posted in Risk Management.
