Enterprise risk management (ERM) demands an entitywide strategy—one that comes from the top and encompasses the entire organization. For executives, even those whose main job is to oversee risk management, it can be difficult to have a full view of the risk landscape, especially in larger organizations with far-flung divisions.
To better understand the risks a company faces, experts recommend risk interviews that, when done correctly, improve the ERM process one answer at a time.
The process is fairly straightforward: Facilitators interview employees across the organization to glean valuable insight that can help uncover major risks or developments surrounding known risks.
Once risk interviews are completed, organizations can use the information to better educate employees, executives, and board members; can revamp strategy based on risks identified in interviews; and can better integrate risk discussion into other company functions, such as budget approval and internal audit.
"I've been amazed over the years at how candid people are about what they feel about risk," said David Hughes, CPA, assistant vice president of ERM and business continuity planning at HCA Holdings, a Nashville, Tenn.-based operator of health care facilities.
Hughes oversees one-on-one risk conversations for the company, which has more than 230,000 employees and records $40 billion in annual revenue from hospitals, surgery centers, and other medical facilities it owns and operates in 20 U.S. states and in England.
Initially, HCA's risk interviews were part of the internal audit function; there wasn't a formal ERM program until 15 years ago. The number of interviews conducted was small at first. The talks were limited to about 15 members of the executive team.
Last year, the ERM program included more than 100 interviews, either face to face or by phone—a process that takes a couple of months to complete. Another month is spent analyzing the interviews for information that will influence the company's ERM strategy and preparing a report to share with executives and the company's board of directors.
With a broader number of voices, Hughes said, there is better perspective, and there are more early warning signs about emerging risks.
WHY THE RISK INTERVIEW?
There are plenty of other ways for an organization to quickly seek information from numerous employees. But solutions such as suggestion boxes and hotlines rely on employees to volunteer information, and anonymity can be a barrier to getting to the root of the problem. Online surveys, another tactic, can also be tricky. Not everyone reads every email, and not everyone who reads the email completes the survey.
While some surveys can be used effectively—and they are at HCA, according to Hughes—they also have limitations and should not be the company's exclusive source of information. HCA uses information from the risk interviews in addition to data from hundreds of employees who take an annual online survey, to get a more accurate, multilevel picture of company risks. Follow-up questions in surveys are difficult, and it can be hard for someone reading a typed answer to get a full sense of the respondent's tone.
The in-person interview solves these problems. Facilitators have the advantage of being able to read nonverbal cues and body language. Interviewees are more likely to open up in a conversation, especially when they are assured that their names will not be attached to their comments.
"You're getting a sense of materiality or concern about the risk or the topic, more than you would get reading the text of a survey," said James Rose, CPA, payer sector compliance practice leader for consulting firm Navigant's health care practice. "You can type out, 'That's a risk.' Or you can say, 'Wow! That's a risk!' The facilitator's ears are going to perk up, and they're going to ask for more on why. You get a better sense of what the concern is." (See the sidebar, "The Traits of an Effective Risk Interview," for tips on conducting a risk interview.)
WHAT ARE THE QUESTIONS?
The questions in a risk interview can be simple; they are designed to be conversation starters. The first one is generally along the lines of "What are the top risks?" At HCA, the risk interviews include three planned questions:
- What are the top three business risks, in priority order, the company faces over the next two years that could have a significant adverse effect on the company's ability to achieve its strategic and/or financial objectives?
- What are some of the things the company is doing to help manage or mitigate each of these three risks?
- In your opinion, are these risk mitigation strategies effective? And if not, what else should we be doing?
WHO IS INTERVIEWED?
At HCA, 101 risk interviews were conducted in the fall of 2015 by Hughes; Joe Steakley, CPA, senior vice president of internal audit and enterprise risk services; and Phil Billington, CPA, vice president of internal audit. The company's 61 corporate executives were interviewed, along with 30 division executives and 10 of the company's board members.
Each year, Hughes circulates his interview list with corporate and division executives to see whether more people should be interviewed. If a new executive is hired or someone has been assigned to head up a new major initiative, that person's insight should be included. Each person is asked the same set of questions, but the answers are different based on their perspective. The chart "A Ranking of Top Risks" highlights the different perspectives as well as the alignment of management's views on the company's risks.
Surveys are also sent to officers of the individual hospitals. HCA owns about 170 hospitals, and the executives at approximately 50 hospitals receive a survey each year, meaning each executive is sent a survey every three or four years.
HOW ARE THE ANSWERS USED?
The interview and survey answers go into a database, and HCA uses a program to produce visualized reports. Since all risks are not equal, the company prioritizes them by assigning point totals to each respondent's risk ranking: 5 points for the top risk, 3 for the second, and 2 for the third. By the end of the calendar year, Hughes has all the data, and the information is presented to executives and to the board in January.
The compilation can show which risks may have bubbled to the top and can help influence strategic plans. These top risks are added to the agenda of the full board and board committees, and risk owners present updates on how risks are being managed and how they may affect the company's strategic objectives.
HCA also finds value in tracking the risk rankings over time and their relationship to one another. The chart "Risk Summary by Year" is an example of a report shown to the board. It also shows how certain external factors such as the economy or changes in the regulatory environment affect the risks.
The interviews themselves serve another purpose: They get different parts of an organization thinking more about risks outside their own. When people in operations start thinking about legal, financial, and regulatory risks, for example, they think more like a CEO and less like a division manager. "If communication is good up and down the ranks, the right risks get focused on before they become big problems," Hughes said.
The traits of an effective risk interview
Risk interviews involve more than going down a list of questions and recording answers. Here are four tips for an effective risk interview:
Prepare the interviewees. Sending a calendar invitation with the title "Discussion about top risks" is not as valuable as providing light preparatory work in advance for those to be interviewed. Larry Baker, CPA, senior leader of ERM at Devon Energy in Oklahoma City, said risk interviews are more valuable when the interviewees are given a simple, one-page template to use for their preparatory notes and a high-level inventory of risk categories so that they think more holistically about an organization's risks. The following is one example of a preparatory statement: "We want to discuss with you the top three risks to the successful execution of your strategic plan."
Ask open-ended questions. An interviewee is more likely to talk if an interview has fewer questions, and includes ones that are conversation starters, according to David Hughes, CPA, assistant vice president of ERM and business continuity planning at health care organization HCA Holdings. If someone hears, "OK, here are 30 questions we're going to ask you," that person tends to make answers shorter so he or she can get through the interview faster. Interviews at HCA basically consist of three open-ended questions.
Ask appropriate follow-up questions. Sometimes, this involves reading people, who may give nonverbal cues that they're holding information back. Other times, the follow-up question is as simple as "Why is that?" For example, if a division executive says a risk mitigation strategy is ineffective, it's worth asking why. That person likely knows more about the particular risk, and mitigation strategies, than the interviewer does. Simple questions can elicit valuable information.
Take good notes, and compare notes. Hughes said two interviewers take part in each risk interview, and both take notes. After the interview is over, the interviewers compare notes to make sure information is not misinterpreted. Sometimes, they send the notes to those interviewed to make sure they accurately captured the person's thoughts. Baker also recommends having two interviewers, one to type answers in real time while the facilitator asks questions and listens for needed follow-ups.
About the author
Neil Amato is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at email@example.com or 919-402-2187.
- "The Gaps That Remain in Risk Initiatives," JofA, April 13, 2016
- "How to Conduct a Risk Workshop," JofA, Dec. 2013
- Case Studies on Enterprise Risk Management Implementation (#PCG1202E, ebook)
- COSO Enterprise Risk Management—Integrated Framework (#990015, paperback; #990015PDF, online access)
- Enterprise Risk Management: Guidance for Practical Implementation and Assessment (#APAERM14P, paperback; #APAERM14E, ebook; #APAERMO, online access)
- Risk Assessment for Mid-Sized Organisations: COSO Tools for a Tailored Approach, 2nd Edition (#PCG1307P, paperback; #PCG1307E, ebook)
- Enterprise Risk Management & Internal Control Track, Modules 1—6 (#165346, online access)
For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.