Best–in–class risk oversight means continual improvement

There is no one–size–fits–all approach to effective risk oversight. Our survey respondents and interviewees detailed many ways their companies manage risk. In fact, many boards, taking no chances, re–evaluate their approaches on a regular basis. The chairman of the board of a UK–based media and communications company says that because her industry is in constant flux, almost every conversation the board has is about risk. “Living, breathing risk is what we do, because of the activity of the company,” she says. This is echoed by the chairman of a financial services company, who says, “In our business risk issues are completely interwoven in everything we do. Some people make carpets, we manage risk.”

Risk management tools such as risk registers or risk appetite schedules, which are designed to ensure that nothing slips through the cracks in the continuous compliance and risk monitoring process, can help. Our interviewees suggest that these tools are most useful when customized. For example, some boards assign responsibility for covering the risk register to business units, which then report to a risk committee or the audit function, which in turn reports to the board. Others have the business units present directly to the board. Some boards assign responsibility to a chief risk officer or similar point person.

Directors stress that trying to tackle the entire register at each meeting is usually counterproductive. As one director put it: “My experience of risk registers is that they have often missed the biggest risk that comes up.” Rather, boards add value by concentrating on top risks in real time. As the general counsel of a UK financial services company says: “We used to get risk owners to attend the risk committee [meeting] by rotation. That has changed to focus on top risks rather than random rotation.”

One area where our survey revealed an evolution is the presence of a chief risk officer (CRO). Of course, in some industries, like financial services, the CRO position is mandated by regulation. However, we find that a majority (57%) of our respondent companies have a CRO (Fig. 7). By contrast, just 28% of companies reported having a CRO in 2014 [1]. While the earlier survey had slightly different demographics and scope, it is clear that over the past five years, the once–rare CRO role has become far more commonplace.

Fig 7: Most companies surveyed have a chief risk officer

Does your company have a chief risk officer/risk director?

However, just because a company lacks a CRO does not mean there is no point person for risk. At nonfinancial firms, the role may be performed by someone holding a different title. In some cases, according to our interviews, risk responsibility falls under the internal audit function, which may even be outsourced.

Other companies use outside consultants to help fine-tune risk management practices or identify potential blind spots. Just over half (52%) of survey respondents say their board brings in independent experts for help with corporate governance best practices (Fig. 4).

The CFO of a quoted UK manufacturer brought in an independent consultant when his board was looking to improve its approach to risk. “The breakthrough was getting in an external facilitator to [help us] think differently,” he says. Similarly, at the Qatar–based bank, a consultant's assessment helped the board address 69 out of 78 gaps in its practices in just three years. The chairman says the board has now moved from ‘needs improvement’ to ‘exceeding international best practices.’

That performance is impressive but not rare. Nearly three–quarters (73%) of our survey respondents say their board recommends compliance with “highest–common–denominator” regulations. Such practices do not just safeguard against risks; they also frequently enhance a company's reputation and provide a competitive advantage. This is the case when consumer products companies adhere to best practices in their supply chain, or when wealth management companies adopt fiduciary standards even when not required to do so.

The complexity of risk oversight explains some of our survey results and the fact that there is no single solution. For example, only 21% of respondents say their board has a member responsible for risk. These companies may have developed their own governance structure to manage risks without assigning a board member or having a separate risk committee.

The CFO at a British consumer packaged goods maker, who serves on its board, describes his company's thorough yet individualized risk management structure: “There is a formal risk reporting cycle. It is facilitated by internal audit, headed by an independent director. They operate independently. They interview every executive board member to identify risks and review the identified risks and new ones, and mitigating actions. That flows up to the full board. Risk is discussed every six months by the full board.”

Two–thirds of survey respondents say they have a dedicated risk committee (and two–thirds of those respondents say the risk committee reports to the CEO). But our interviews shed light on the wide range of reporting structures. Some risk committees report to the full board, others to the secretary/general counsel, or audit committee. An independent, non–executive director at a Chinese industrial firm reports that “risk management is tagged onto internal audit, who will directly report to the board and is not answerable to the CEO.”

Regardless of the exact structure of risk governance, one thing is clear: to succeed, organizations must have a proactive, company–wide culture of risk management. Here, too, many of our interviewees report progress in overhauling their companies' practices.

The general counsel of a UK professional services company says risk reporting was “thought to be too flat rather than dynamic and didn't take a holistic approach.” As a result, the company is overhauling its approach. Similarly, the company secretary of a UK transportation company says changes have come from the top down and are beginning to permeate the organization. “The CEO is starting to take ownership whereas he would not have done so previously,” he says.

Often, an external event requires directors to see past the immediate upheaval and help management plan for a different future. For example, Mr. Cooperman joined Molina Healthcare's board just as the US adopted the Affordable Care Act, which “turned the industry upside down,” as he puts it. However, the tumult did not daunt him. “Actually, it was a fortuitous time to join the board,” he recalls. “Because it meant a lot of the opportunities that companies had were completely changed overnight, and they had to now consider both their current operations in light of these changes, as well as future opportunities. The whole strategy shifted.” To manage the new risks and set the company on a profitable path, the Molina board had to react nimbly. “It was a matter for us of really focusing the company on its strengths, and underscoring those strengths while addressing the opportunities that were presented by these really dramatic changes in the healthcare market.”

Stepping back to consider the big strategic picture while keeping risk in sight at all times is the juggling act of effective corporate governance. Tuija Soanjarvi, who chairs the audit committee of Swedish broadcast technology provider Edgeware and was formerly CFO at several large companies, describes it this way: “The board is not stuck with [managing] daily operations. When you are in an operations role, it sort of limits your bandwidth. It is part of a board of director's role, really, to challenge and encourage management and to bring experiences from other industries, from other organizations.”

  1. Aon Global Risk Management Survey 2015