Sunday, August 24, 2008

The case for risk roundtables...

The case for risk roundtables: organizations can improve their response to risk by creating a forum for risk managers to share their ideas


Walter Smiechewicz


WITH THE ONGOING CHALLENGES OF navigating risk in all industries, the press has published many articles about the need for good corporate governance. Good governance begins with an organization's risk framework and governance architecture; much of this architecture should focus on the decision-making for risk mitigation. Decisions such as determining the organization's risk appetite and how to manage risk based on that appetite should be regular agenda items for an operating risk committee. As organizations formalize their governance architectures, the operating risk committee becomes the forum for ongoing oversight of their risk profile.


Many organizations supplement their operating risk committee with a risk roundtable that provides an independent assessment forum for risk managers from each of the organization's major operating divisions. A risk roundtable adds value to the governance architecture by:


* Facilitating communication among risk managers who may not be in direct contact with one another. Risk managers from individual divisions may have a view of a risk but not a view of the entire risk. The risk roundtable provides a setting where they can compare notes about potential risks to the organization. These discussions can uncover risks, previously thought to be small, that may be exposing the organization more than anticipated and deserve a higher level of attention for mitigation.


* Breaking down silos that exist to varying degrees in all organizations. A risk roundtable allows risk managers to build strong working relationships and draw from their collective experiences and expertise.


* Allowing the organization's executive management and senior risk managers to communicate consistently with the risk roundtable about developments that may affect risk management in their individual divisions.


* Allowing each risk manager to use the collective stature and influence of the risk roundtable to present their opinions clearly to the dealmakers in a business unit. Individually, risk managers may not have the stature in the organization to make risk recommendations that business-unit leaders will consider.


Internal auditors can add a valuable service to their respective organizations by recommending the creation of a risk management roundtable. Because auditors must always be careful to guard their independence, they should not chair the committee. However, the auditors' knowledge of risk and their relationship with the key risk managers throughout the company places them in a leadership role in assisting in the formation of the risk roundtable.


ESTABLISHING STRUCTURE


One basic requirement in establishing a risk roundtable is to make sure the organization has a risk officer embedded in each of its major divisions. In divisions without a risk manager, auditors will need to advise the executive to appoint someone from the division to that role. Depending on the maturity model of the overall governance architecture, risk managers may have other responsibilities within their division. As the architecture matures, they may need to commit up to 100 percent of their time to risk and governance.


A key question in setting up a risk roundtable is determining who will be its leader. This person should be a fairly senior professional with a global or enterprise view of risks, such as an executive from the organization's enterprise risk function. An executive from the compliance function may not be a good choice because the individual's views may be too narrowly focused on compliance, rather than the organization's overall risks.


Once its members and leader are selected, the risk roundtable needs to establish a charter that briefly identifies its purpose, membership, frequency of meetings, and authority. The charter should also specify practical aspects of the group's activities such as responsibility for minutes and action items. In defining the roundtable's authority, it is important for the group to maintain an assessment role, rather than a management role, in the realm of risk. The risk roundtable will review, coordinate, and advise management, but it will not manage risk or dictate to management what it should do.


ROUNDTABLE MEETINGS


Good meeting management is part art and part science. The risk roundtable meetings are no different. Some key items for a successful meeting include a well-thought-out agenda that is reviewed by key participants before the meeting, coaching all speaking participants before the meeting, and making sure that an environment is established in which all attendees feel free to speak.


REVIEW OF MINUTES AND ACTION ITEMS


Good meeting minutes will reflect robust discussions during the actual meetings, including conclusions and action items. Roundtables should avoid producing minutes that merely review the group's discussions. Minutes should include administrative items such as meeting date, start and end time, location, attendees, and individuals who are absent. They should also include a short summary of the discussion for each agenda item. The minutes should pay particular attention to action items that resulted from the group's discussions and to escalating concerns about needed risk mitigation enhancements to executive management.


DISCUSSION OF RISKS


The goal of this discussion is to identify any risks that are not receiving sufficient attention. The group should review the organization's risk lexicon and the line items of its financial statements. The risk lexicon is the agreed-upon list of risk categories and definitions that will be used to catalogue risks in the organization. This list is usually determined by the chief risk officer with input from the chief audit executive. Roundtable members select several risk items from the risk lexicon, such as operational and technology risk. For example, the group's chairman may ask members: "What are our key technology risks? Do we sufficiently mitigate those risks?" Then, the group discusses several line items from the organization's financial statements (e.g., inventory) and asks, "What are the risks to our inventory account on the financial statements, and how do we sufficiently mitigate those risks?"


These discussions may start slowly, but subsequent meetings may yield noticeable results as the roundtable members begin to build on their collective insights. Results will be insights for senior managers in the organization and potential action items for the roundtable. The group should not try to cover the organization's entire risk lexicon or financials in one meeting. Instead, its target should be completing all of these categories annually.


SENIOR MANAGEMENT UPDATE


At each meeting, one or two executives of the organization should update the roundtable on key aspects of strategy, market developments, and other areas that will assist the risk managers in accomplishing their job within their division. Senior management might discuss strategic items and changes that may increase risk in the organization's operations. This forum allows executives to ask the risk managers to sharpen their focus on these areas of new risk. This input and information from the corporate office can also help break down silos among divisions by enabling them to work on common risk goals.


BEST PRACTICE UPDATES


Risk managers in certain divisions will undoubtedly design practices that could be implemented in other divisions. This part of the meeting allows risk managers to share practices that have been effective in their division with other members. For example, a risk manager might describe how his or her division performs compliance testing more efficiently and explain how it escalates exception results to management for resolution. Other best practices may include use of technology and working with a reduced staff.


DELIVERABLES


Although the risk roundtable must maintain meeting minutes for general documentation purposes, the minutes may not be sufficient for delivering the outcome of the roundtable's discussion of risks to senior management. Instead, a tailored flash memo to appropriate executives, including bullet points detailing suggested action items or concerns for risk management, may have more impact. The flash memo normally includes items of risk that the members of the risk roundtable agree are creating exposure to the organization but may not be receiving sufficient attention by senior executives.


A VALUABLE RESOURCE


A well-structured risk roundtable can assist risk managers within their respective business units in several ways. First, it allows them to share and adopt best practices in the areas of governance, risk, and controls. Second, the roundtable builds teamwork and collective strength among risk managers as they work together to discuss and address enterprise risks. Most importantly, the roundtable provides a necessary forum to identify and mitigate risks that the organization may be overlooking.


WALTER SMIECHEWICZ, CPA, has been a chief audit and risk executive and is based in Thousand Oaks, Calif.


To comment on this article, e-mail the author at walter.smiechewicz@theiia.org.


To share emerging risk issues and best practices from your own audit experiences, or to request coverage of a particular risk, e-mail jamesroth@audittrends.com.


EDITED BY JAMES ROTH AND DONALD ESPERSEN


COPYRIGHT 2008 Institute of Internal Auditors, Inc.
COPYRIGHT 2008 Gale, Cengage Learning