In today's economic climate the role of a board of directors is as dynamic as it is demanding. Boards are now forced to take on expanded roles to better guide their organizations through uncertain economic times. In addition, directors are expected to be proactive in understanding and managing risk, and capitalizing on the opportunities they present.
In a recent report, Boards and Internal Audit: Working Together (the EY study), EY addresses this issue of risk management and its growing importance to a board's success. The study found that while 97% of organizations surveyed have made progress in linking their risk management objectives to their business objectives, only 16% of those 97% consider them closely linked. This indicates that while boards are taking risk management seriously, they may need to better understand the connection between their risk and business objectives.
Effective risk management creates opportunities. As the EY study concluded, "organizations that manage risk well are better positioned to capitalize on the upside of risk potential." However, not all risks are created equal. Organizations tend to categorize risks according to their impact as follows:
Strategic risks that must be accepted because they offer benefits. Examples include risks related to user adoption, return on assets, market penetration, and talent management.
Preventable risks that should be avoided or mitigated because they would have a negative impact. Examples include employee fraud and risks related to information security, financial integration, and regulatory compliance.
External risks that the organization cannot control. These can have positive or negative effects. Examples include competitive shifts, geopolitical risks, and natural disasters.
However, categorization is only the first step in effective risk management. Boards must also have in place protocols to help their organization identify, understand and link risks to strategic objectives. One of the most popular of these systems is the "three lines of defence model". This model makes risk management a priority and places the onus on everyone in the organization. The lines are:
First line (operations and business units): This group comprises the line management directly responsible for identifying and managing risks. This group must consider risk management as a crucial element of its everyday job. This line would report to the second line, typically senior management.
Second line (management assurance): This group is responsible for ongoing monitoring of the system and operation of controls in the first line, as well advising and facilitating risk management activities. This group takes on more of a guiding role, establishing the policies for the first line to enforce.
Third line (independent assurance): This group is responsible for independent assurance over managing of risks. Internal Audit (IA) plays the leading role. This third line should be independent of the first two. It would report directly to the Board or a risk management committee. Building IA into the third line helps ensure impartiality, but also gives a new perspective which is difficult to get if only using in house personnel.
Planning to manage risk is never exciting, but it is necessary. Effective planning can save time and money, and better position organizations to excel in tough economic times. A Harvard Business Review study illustrates the need for better risk planning. It found that in the last decade 86% of significant losses in market value were the result of strategic risk, but less than 6% of auditors' time was spent dealing with these types of risk. If organizations plan more effectively and turn their minds to strategic risks, they would be better positioned to deal with the harsh economic climate.
Now more than ever, boards are required to focus on risks that matter to the organization. Useful tools like the three lines of defence model, or similar models, which can help boards identify, manage and create opportunities out of the risks are becoming a necessity. As the economy continues on its uncertain path and shareholders continue to take on proactive roles, even the smallest of boards will need to make risk management an absolute priority.
The author would like to thank Andrew Bigioni, articling student, for his assistance in preparing this legal update.
Norton Rose Fulbright Canada LLP
Norton Rose Fulbright is a global legal practice. We provide the world's pre-eminent corporations and financial institutions with a full business law service. We have more than 3800 lawyers based in over 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.
Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.
Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.
Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP, each of which is a separate legal entity, are members ('the Norton Rose Fulbright members') of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the activities of the Norton Rose Fulbright members but does not itself provide legal services to clients.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.