The US Securities and Exchange Commission (SEC) recently approved “new rules to enhance the information provided to shareholders so they are better able to evaluate the leadership of public companies.” Their focus is on corporate governance, compensation, and risk. While the SEC has made progress creating transparency for governance and compensation, they are still struggling to properly reveal a company’s risk management profile.
The SEC is striving to make corporate leaders act in an ethical, accountable manner. It is effective at legislating corporate transparency and disclosure and at exposing conflicts of interest. However, requiring a company to disclose how it manages risk is trickier. Highly effective risk management identifies and manages the risks that can prevent an organization from achieving its key objectives. Therefore disclosing your key risks will also disclose your strategic secrets. Publishing your detailed corporate objectives would be tantamount to competitive suicide, hence the SEC's challenge.
As a result, the SEC's approach remains limited to revealing the board's role in the risk oversight of the company. It is an arm's-length view of the company's risk profile. Understanding the board's role in risk oversight is a long way from understanding how much risk a company is adopting or how it is addressing its risks. The SEC is now distinguishing between good ethics and sound strategic risk management. The former is appropriately disclosable; the latter is not.
The SEC is only one oversight body that is trying to increase risk management in companies. For example, Standard and Poor's is beginning to apply high-level risk management analysis to the companies it covers. But ultimately, risk management is about ensuring corporate performance and maintaining stakeholder confidence in your company. Don't rely on third parties to manage public expectations about your company's risk management program. Use your website and other corporate communications to instill confidence that you are effectively managing risk.
[Rich]
richard.m.wilson@ca.pwc.com
ERM is powerful when designed as a performance-focused activity. It's not an audit, nor a compliance process. ERM manages the barriers that prevent organizations from achieving their objectives.
Author:
Richard Wilson develops Performance Risk Management capabilities for complex organizations. He has helped the largest companies in North America manage the barriers to their desired performance.
richard.m.wilson@ca.pwc.com | (416) 941-8374
Wilson's Risk Management Blogs
Monday, May 10, 2010
Sunday, May 2, 2010
How to identify your hidden catastrophic risks
I was talking to a client recently about the bigger risks that could seriously harm their company. He cited a recent example where a newly acquired small entity almost caused the parent company to be delisted from their exchange. The acquired company refused to share some of their financial information with the parent and as a result they weren't able to file quarterly reports until the subsidiary was sold. They came within an inch of being delisted.
Every company has hidden liabilities such as this. Some are obvious, such as too much reliance on a single customer for revenue, or too much reliance on a single supplier for goods or services. In other cases the problem is equally risky but not as obvious. An effective way to get visibility on ALL of these major risks is to combine business continuity planning (BCP) with risk management.
Risk management tries to determine the likelihood of uncertain events occurring, while BCP assumes these uncertain events occur and plans alternate routes and recoveries. During your risk identification process you will inquire about events that may prevent your company from achieving its objectives. Try reverse engineering this process by asking, "Assume that this objective fails. What events could cause this to happen?" The answers you receive will include catastrophic risks that no one assumes will happen.
For example, asking about risks related to losing a big revenue stream may result in a limited list of risks, due to optimism about how the company is operating. However, assuming that the big revenue stream has just disappeared, and asking for potential causes, will uncover new potential risks. The optimism that blinds you to potential risk will be replaced by creative thinking about previously unconsidered risks.
A case in point is the recent volcanic eruption in Iceland that grounded entire fleets of planes. If you had asked what risks could ground an entire fleet, volcanoes may not have been identified. But assuming the entire fleet has just been grounded, and asking for potential reasons why, will prompt even uncreative people to think more broadly.
[Rich]
richard.m.wilson@ca.pwc.com
Saturday, May 1, 2010
Why "What keeps you up at night?" is the wrong question
When identifying risks, the question often asked is "What keeps you up at night?". Let me explain why this is a, well... risky question to ask.
Consider that the principal goal of risk management is to ensure that an organization performs as expected. In other words, it achieves its objectives. Therefore the risks that you identify need to be directly related to your organization's objectives. Risks not related to the achievement of corporate goals are off strategy: a distraction.
"What keeps you up at night?" is a disembodied question that will result in both relevant and irrelevant risks. Here is the question to ask instead:
"Considering the objective to... (describe a key objective), what events may prevent the organization from achieving this objective?"
The result will be risk events that are well aligned with management's goals. Feel free to present your interviewee with a list of potential internal and external risk categories to refer to when answering the question. For example, economic, competitive, strategic, HR, financial, technology, information, and corporate integrity are some of the major categories. There are up to 100 subcategories that fall under these major categories as well (business is complex!).
This objectives-focused question will ensure that your risk management process is strategic and focused on corporate performance.
[Rich]
richard.m.wilson@ca.pwc.com
About The Author
- Richard Wilson
- Richard is a Director in PwC's Risk Advisory practice with clients in both Canada and the United States.
He is an experienced senior executive with 15 years in a CEO or COO role (publicly traded and private firms). Richard has been leading risk management implementations for more than a decade, including 60 C-level risk assessments, and has led online risk assessments for 30,000 people in 25 countries.
He has advised the largest company in the US on risk management, and he has facilitated a risk assessment for the United Nations. Richard has been published in Compliance Week, Canadian Business, and the Globe & Mail, and has been a keynote speaker on the topic of risk at many conferences in both Canada and the US since 2004.