Enterprise Risks: How should Boards Create Value?

Executive Summary

Organisations today operate in a constantly evolving, dynamic landscape and are exposed to a wide spectrum of risks. Whether it is a large enterprise or an MSME, no business is free of risk. Risk does not always carry a bad connotation, because growth cannot happen without taking risk: there are good risks and there are bad risks. There is no one-size-fits-all answer, because every organisation's risk appetite is different, the impact of any given risk differs from one organisation to another, and the impact of the same risk on the same organisation differs from one situation to the next. Risk management is therefore a strategic, customised and continual process. Corporate history offers several instances where inadequate risk management led to the collapse of entities that were once market leaders; fraud, operational lapses and the inability to see disruptive innovation coming are just some of the causes. Today, a range of new-age risks extends beyond the traditional ones, arising from global interconnectedness, technological advances and environmental agendas. Automation and generative AI raise serious questions about their impact on the workforce. Cyber security and data privacy risks put a brand's reputation at stake if they are not well managed. Climate risk sits at the top of every board's agenda. From cyber to geopolitical risk, economic to regulatory risk, automation to climate risk, this diverse array compounds, and the combined impact on a business is more severe than any one of them alone. Efficient risk management is therefore a strategic imperative for sustainability. Posing the right questions in board meetings can exert persuasive influence and provoke positive action from management. This article explores various risk types and how boards can create value in enterprise risk management even as businesses navigate a maze of interdisciplinary risks.

Black swans, white swans, and grey rhinos in the landscape of risks

Risk management frameworks should comprehensively capture the different types of risk that are represented metaphorically as black swans, white swans and grey rhinos. The term "black swan" in this sense was popularised by Nassim Nicholas Taleb, a Lebanese-American author, in his book 'The Black Swan: The Impact of the Highly Improbable' (2007); "white swan" is used as its counterpart for the predictable.

A black swan is hard to predict from past events yet leaves a lasting and profound impact. The 2020 pandemic caused by the novel coronavirus is the classic global example: sudden lockdowns broke down human interaction, disrupted supply chains, had far-reaching social and economic effects, and threw the entire healthcare ecosystem into an unprecedented challenge. In the Indian context, the 1984 Bhopal gas tragedy at the Union Carbide pesticide plant is another example of a black swan event that left long-term ramifications for health and the environment.

White swan events, on the other hand, are predictable and expected occurrences that do not normally bring major surprises. Examples include a country's general elections, federal budgets and recurring events such as national festivals. Because they are easier to anticipate, white swans can be incorporated directly into risk management strategies. Financial modelling, increasingly augmented with AI, is one such strategy: it projects future outcomes from historical data and expected trends.

Grey rhinos, a term coined by Michele Wucker, are risks that are highly probable and high impact. They are visible and well known, yet may not receive adequate attention or mitigation because of complacency or difficulty in articulating the impact. Examples that fall into this bracket are largely macro-level risks such as geopolitical events, climate impact and now the risk of generative AI. Overcoming grey rhinos demands agility and adaptability.

I articulate five questions that boards should seek answers to as part of their oversight of risk management. The interactions that follow can trigger a robust and ongoing risk management process.

What is the tone at the top towards enterprise risk management culture?

The tone at the top should drive a risk-aware culture. Top management should ensure that strategies, business models and processes are looked at collectively through the lens of risk management, and that buy-in is achieved at all levels. For this to happen, the one thing organisations should consciously avoid is people working in silos. Risk management is not a standalone function but a collaborative effort to ensure the enterprise is risk-mature and resilient. Well-thought-out training programmes, with case studies of successes and failures, should be run so that the entire team understands risk exposures and their impact. Training should be ongoing, because what worked historically may not stay relevant in today's dynamic business environment. Adaptability and agility are the key cultural traits top management must ensure. While strategies and processes flow from the top, the bottom-up feedback loop is equally important for understanding the practical realities in the trenches of the processes.

How prepared is the organisation for geopolitical risks?

Geopolitical risks are increasing by the day as businesses become global. Pertinent questions here concern how diversified the business is in terms of market segments and procurement strategies. Are supply chains resilient enough to withstand geopolitical uncertainty? Is there a culture of research and development within the organisation to produce critical raw materials indigenously and reduce global dependencies? Board involvement in these questions prompts positive, informed decision-making before strategies are put in place.

Does the organisation have a shared risk register in place?

A risk register is a crucial tool in risk management, capturing and analysing potential threats to a project or organisation. It systematically documents each identified risk, its owner, its likelihood and impact, and the mitigation strategy in place. It is a living document: it should also record the risk incidents that occur within the organisation, their root-cause analysis and the mitigation that was implemented. In today's digital era, collaboration platforms let a register be recorded and shared with counterparts in real time. A global organisation with multiple facilities can share it with the risk owners of every entity across the globe on an online platform, so each entity can learn from incidents elsewhere in the group and take proactive measures to ensure the same risk does not materialise again.
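A small illustration of what such a shared group register looks like in code, added here as an example and not tooling from IOD or the author: the two entities, the risks, the incident and the 5x5 likelihood-impact scale with its "high/medium/low" thresholds are constructed sample data and assumed conventions, not prescriptions from the article. It scores and prioritises risks, flags high-rated risks that have no mitigation recorded, and lets one entity pull the incidents that the same category of risk produced at other entities in the group.

```python
"""Shared group risk register (added example; not IOD's or the author's code).

The entities, risks and incidents below are constructed sample data, and the
5x5 likelihood/impact scale is an assumed convention, not one from the article.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Incident:
    occurred: date
    entity: str        # group entity where the risk materialised
    root_cause: str
    mitigation: str    # what was implemented afterwards


@dataclass
class Risk:
    risk_id: str
    title: str
    category: str      # e.g. "cyber", "supply-chain", "geopolitical"
    entity: str        # owning group entity
    owner: str         # accountable person
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)
    mitigation: str = ""   # empty string means no mitigation recorded
    incidents: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject out-of-range scores so a mistyped entry cannot distort prioritisation.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Bucket a likelihood x impact score (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: list) -> list:
    """Highest-scoring risks first; ties broken by risk_id for a stable order."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def unmitigated_high(register: list) -> list:
    """High-rated risks with no mitigation recorded: the board's first question."""
    return [r for r in prioritise(register) if rating(r.score) == "high" and not r.mitigation]


def peer_incidents(register: list, entity: str, category: str) -> list:
    """Incidents other group entities recorded for the same risk category,
    so `entity` can learn from them before the same risk materialises locally."""
    return [
        (r.entity, inc)
        for r in register
        if r.category == category and r.entity != entity
        for inc in r.incidents
    ]


def build_sample_register() -> list:
    """Constructed sample data for two hypothetical group entities."""
    de_ransomware = Risk("R-DE-01", "Ransomware on plant OT network", "cyber", "Germany",
                         "Plant CISO", likelihood=3, impact=5)
    de_ransomware.incidents.append(Incident(
        date(2024, 3, 1), "Germany",
        root_cause="phished VPN credential reused on the OT jump host",
        mitigation="MFA on remote access; OT segment isolated from office LAN"))
    return [
        Risk("R-IN-01", "Ransomware on plant OT network", "cyber", "India", "Plant CISO",
             likelihood=4, impact=5, mitigation="offline backups; network segmentation"),
        Risk("R-IN-02", "Single-source supplier for critical raw material", "supply-chain",
             "India", "Head of Procurement", likelihood=3, impact=4),
        Risk("R-IN-03", "Breach of customer PII", "cyber", "India", "DPO",
             likelihood=2, impact=5, mitigation="encryption at rest; access reviews"),
        de_ransomware,
        Risk("R-DE-02", "Export-control changes on key components", "geopolitical",
             "Germany", "Supply Chain Director", likelihood=4, impact=3,
             mitigation="dual sourcing outside the affected jurisdiction"),
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    for r in prioritise(reg):
        print(f"{r.risk_id:8} {rating(r.score):6} {r.score:2}  {r.title} ({r.entity})")
    print("Unmitigated high:", [r.risk_id for r in unmitigated_high(reg)])
    for entity, inc in peer_incidents(reg, "India", "cyber"):
        print(f"Lesson from {entity}: {inc.root_cause} -> {inc.mitigation}")
```

Run as a script it prints the prioritised list, the single high-rated risk with no mitigation (the German plant's ransomware exposure), and the German incident's root cause as a lesson for the Indian plant, which carries the same category of risk but has not yet had an incident.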

Is the organisation's risk management framework innovation-friendly?

In their role, boards should transcend the negative connotation of the word 'risk'. Rather, they should bring foresight to creating a competitive edge and stakeholder value even while safeguarding the business from risk exposures. Innovation is an important growth driver for staying ahead of the curve, but no innovation happens without an element of risk, and the ERM framework should not become a barrier to it. A sandbox approach to innovation and risk management is generally recommended: a sandbox is an isolated environment in which innovators can test new systems without risking damage to existing ones. This controlled setting helps identify vulnerabilities, assess functionality and confirm that software operates as intended before it is deployed more widely. The caveat is that a sandbox is only as good as its isolation: it should run on non-production credentials and on masked or synthetic data rather than live customer data, and anything it surfaces should be fed into the risk register before the innovation is promoted to production.

Is the organisation leveraging technology enough to make risk frameworks robust and futuristic?

Technology offers a range of tools: data analytics and AI algorithms that surface potential risk indicators, machine learning for predictive analytics, automated monitoring systems that track real-time data on emerging risks, simulation software for scenario analysis of various risks, collaboration platforms, and automated business-intelligence dashboards. Effectively leveraged, they streamline the process of drawing up a risk assessment framework and sharpen the agility of the response to risk incidents, thereby supporting business continuity. These tools carry risks of their own, however: the cyber security and data privacy exposures noted earlier apply to the risk platforms themselves, so they too belong in the register.


To summarise, the need for a holistic approach to enterprise risk management cannot be overemphasised. Risk factors should be embedded at the very start of a strategic decision, across business models and business processes, and continuously monitored. A risk management framework that is conducive to innovation, a proactive risk culture, and technology leveraged for real-time monitoring are the key non-negotiables. Top management involvement, shared best practices and a free flow of information will ensure that risk management does not become a mere checkbox activity. By addressing these practical elements, organisations not only navigate uncertainty effectively but also position themselves to seize opportunities. The goal is not just to survive, but to thrive in the ever-evolving business landscape.


Ms. Asha Sampath

She is the founder of Brand Horizon and an Independent Director of Shraddha Infraprojects Limited and GlobalSpace Technologies Limited. Earlier, she was the Managing Director of Endeka Ceramics, and she served two terms as an Independent Director and Audit Committee Chair of Toyota Financial Services. She is an FCA and ACS by qualification, with accreditations in digital transformation and ESG certification, and has over three decades of work experience.

Owned by: Institute of Directors, India

Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.

About Publisher

Institute of Directors India

Bringing a Silent Revolution through the Boardroom

Institute of Directors (IOD) is an apex national association of Corporate Directors under India's 'Societies Registration Act XXI of 1860'. Currently it is associated with over 30,000 senior executives from Govt, PSU and Private organizations of India and abroad.
