Alignment of Risk and Strategy Tops Boards' Concerns

By Patricia Van Arnum - DCAT Editorial Director

February 10, 2016

A recent executive study puts risk management as a key component of overall corporate strategy. So where are companies focusing their attention? DCAT Value Chain Insights (VCI) takes an inside look.

The study by KPMG found that more than three in four US board members were concerned that management used outdated assumptions in setting strategy and that boards are taking steps to better link risk and strategy. A separate KPMG analysis identified seven key strategic, operational, and external risk areas that should be on the top of companies' agendas. DCAT Value Chain Insights looks at what should be on companies' risk agendas.

Board members' concerns  
One in three US board members and executives are "very concerned" that the climate of uncertainty and volatility may pose a significant threat to their corporate strategy, and more than three in four worry that management tends to use outdated assumptions in setting strategy, according to a survey by the Board Leadership Center of KPMG LLP, the audit, tax and advisory firm.

KPMG's latest Roundtable Series gathered over 1,200 corporate directors and senior executives across 17 cities to share their views on the board's role in calibrating strategy. Thirty-two percent of those surveyed said they are "very concerned" that management tends to use "more of the same" assumptions regarding key factors and uncertainties in setting strategy, and another 46% said they are "somewhat concerned."

Survey respondents ranked economic uncertainty (61%), technology and innovation (58%), and government regulation (57%) as having the most significant impact on the company's strategy or the assumptions underlying it.

"Amid this unprecedented mix of volatility and uncertainty, boards will need to closely monitor changes in the business landscape to understand the impact on the company's strategy and risk profile, and help the company recalibrate as needed," said Dennis T. Whalen, leader of the KPMG Board Leadership Center. "We're clearly seeing a shift in the board's role in strategy away from an 'annual review and concur with periodic involvement' toward an ongoing dialogue with management."

Forty percent of those polled said that management does not create probability scenarios that focus on the critical assumptions at the core of the company's strategy, and only 37% said they are "satisfied" that management has an effective process to scan and monitor changes in the external environment regularly in order to test the continuing validity of strategy assumptions.

Focus on risk management  
The survey results show that boards are taking steps to better link risk and strategy in boardroom discussions. Some 63% of those polled reported that their board is devoting more time to discussion of strategic risks, uncertainties, and opportunities. Other actions reported include improving information flow to the board regarding strategic risks, uncertainties, and opportunities (58%); reviewing/approving risk appetite (40%); and hearing more third-party views (28%). In addition, 65% said their board has discussed its composition and succession planning based on the skill sets that will be most relevant to the company's strategy in three to five years, and another 15% plan to do so.

Roundtable discussions in the study's research highlighted the board's evolving role in evaluating strategy options and challenging fundamental assumptions, monitoring execution, and engaging with management on an ongoing basis, and helping to connect strategy, risk, and long-term value creation.

Top issues in risk management  
In a separate analysis, KPMG LLP identified seven key strategic, operational, and external risk areas that should top chief risk officers' (CROs) risk management agendas in 2016.

1. Technology Risk Management. The study points out that the increase in technology risk has led many information technology (IT) organizations to establish information technology risk management (ITRM) functions. ITRM functions manage and monitor technology risks so that companies can anticipate and avoid problems rather than react to them. CROs who maintain a strong ITRM function and establish a strong connection with it can proactively manage technology risks rather than reacting to audits, new regulations, new business strategies, and other disruptions.

2. Third-Party Risk Management. As the role of third parties in companies' interactions with governments has grown and supply chains have become more stretched, companies' monitoring of their third parties has become critically important. The study found that companies are challenged to identify which of these numerous third parties are putting them at risk. The study noted that CROs should help to vet third parties and identify those that should be placed under further review, not only during the onboarding process but on a continuous basis. They should also help to determine how technology and the effective use of data analytics can help, rather than hinder, the process.

3. Fraud and Misconduct. The study pointed out that companies should continue to monitor the activities of employees, vendors, and third parties to detect and, wherever possible, prevent financial fraud or employee misconduct that can result in financial losses and damaged reputations. It noted that CROs should be especially wary of frauds that indicate collusive behavior. "Collusive behavior is on the rise due to the emphasis companies have placed on improving their financial controls environment to comply with Sarbanes-Oxley and other regulations," said the KPMG analysis. "These controls make it more difficult for individuals to perpetrate frauds. Co-conspirators can enable fraudulent schemes to bypass certain control structures."

4. Crisis Management. The study pointed out that CROs should ensure that their companies place a strong emphasis on scenario planning by holding workshops and developing documented plans to prepare for and respond to potential crises such as cyber intrusions, regulatory scrutiny or investigations, compliance challenges, litigation, or workplace violence. "Since a crisis strikes without warning and requires a swift response, CROs need to take steps to ensure that on-call arrangements are in place," noted the KPMG analysis. "Lawyers, IT, and forensic accounting professionals, and other consultants should be vetted, contracted with, and know the business beforehand to be ready to take action at a moment's notice."

5. Data Security. "Diminishing security perimeters have been discussed for some time, but it is now fully acknowledged that corporate security perimeters no longer exist," said the study. "Data and critical processes cross many organizational boundaries, including customer self-service, strategic sourcing, supply-chain integration, business partnerships, and technology enhancement. Being able to understand risk, not just at the technology infrastructure or data levels, but also at the business process level, is critical." The study pointed out that because companies are connected to more organizations, CROs need to monitor those connections to understand how trusted third parties are using and protecting company information. It is also important for CROs to provide their trusted business partners with greater insight into their own control and security environments.

6. Achieving Compliance Program Effectiveness. The study points out that a growing number of regulations affect every facet of a company's operations and are implemented and enforced by an array of agencies worldwide. In this environment, companies need to anticipate regulations before they are implemented and plan for them under the leadership of the CRO and the chief compliance officer. "Companies should have a mechanism in place to capture an updated inventory of global regulations; employ a methodology to help prioritize regulatory obligations and manage regulatory change; evaluate compliance program effectiveness with regard to monitoring, testing and reporting; and ensure that they have an enterprise-wide view of regulatory risk and are able to collaborate internally to present a comprehensive report to the board," recommends the study.

7. Improving Risk Data Aggregation and Reporting. As regulatory requirements become more stringent and the demand for risk data aggregation and improved data quality increases, the study says it is essential that CROs concentrate on improving risk reporting. Such improvement involves enhanced report content and the automation of real-time information collection. "The ability to identify risk exposure across entire organizations and geographies and the capacity to understand its concentration risk and counterparty risk from a business perspective is imperative," concludes the study.