Strategy, Corporate Governance and Enterprise Risk Management: What is the connection?

By Bonnie V. Hancock

On March 30, the final day of the executive education workshop, Strengthening Your Enterprise’s Risk Oversight for Strategic Benefit, co-hosted by the AICPA and NC State's ERM Initiative, the discussion turned to the issue of corporate governance. With the spotlight shining brightly on risk management practices as a result of the fallout from the financial crisis, most acknowledge the need for the board to exercise effective oversight over the organization’s risk management practices, but not all see the connection between risk management and strategy.

A board’s role is one of providing oversight of not only conformance with applicable laws, regulations, and standards of ethical conduct, but also oversight of performance to create long-term value. While most put risk management in the conformance category, and there certainly are risks to be managed in this area, the most critical risks to the organization generally arise in the context of the strategic decisions that management makes with board oversight. In order to effectively oversee strategic planning, a board needs to first understand the key risks the organization currently faces and the organization’s capabilities for managing risk. In addition, before objectives are set and strategies are developed, the board and management should have a shared understanding of the appropriate risk appetite for the organization.

Risk appetite should serve as a guidepost in the strategic planning process, providing direction as to the amount of risk the organization is willing to take on, which in turn will guide how ambitious the organization should be in setting its goals for growth and returns. The responsibility for developing risk appetite falls on management; however, it is essential that the board concur with the risk appetite. While it is easy to agree in concept that having an objective statement of risk appetite around key business risks would improve both strategic planning and execution, most organizations have not actually adopted a risk appetite. Like many aspects of effective enterprise risk management, there is no one right way or “cookie cutter” approach to developing a risk appetite. It should be tailored to the organization and described in a way that will be useful in planning and execution. The important thing is to get started sketching out what the organization would and would not be willing to do in the pursuit of value.

A COSO-sponsored survey of finance and risk professionals in the US found that most respondents were dissatisfied with their risk oversight process, which indicates that we have room for improvement in this important element of corporate governance. Effective risk management processes can’t be found on tick sheets or simple checklists. What is important is the substance of the consideration of risks in the context of the board’s role in oversight of conformance and performance. Organizations needn’t expect their processes to be perfect immediately, but they need to meet the challenge of tailoring processes that work for their organization and recognize that those processes, including the development of risk appetite, must evolve over time.

There are a number of resources available through the CGMA website and through NC State’s ERM Initiative website. The report, Governing for Performance: New Directions in Corporate Governance, and tool, How to improve your board’s effectiveness, both available on, delve more deeply into governance issues and offer specific suggestions for improving board governance.