Posts Tagged ‘Risk Oversight’

Identifying Black Swans: The Many Facets of Risk Oversight

January 28th, 2015 | By

The Metropolitan Corporate Counsel recently interviewed NACD President Peter R. Gleason on how boards are recalibrating their approach to risk oversight and strategy development.  The original interview can be found here

MCC: Risk oversight is a key responsibility for corporate boards. What are the major areas of risk?

Gleason: It’s interesting. When you think about it, everything falls into the risk category. Where we used to have discussions around financial reporting or compensation, the conversation has evolved to financial reporting risk or compensation risk (or the risks in these areas). And traditional categories are still on the agenda, such as competitive, economic and reputational risk.

We see geopolitical risk, which is closely linked to cyber risk, at the forefront. Take, for instance, the falling price of oil, which benefits U.S. consumers but has complex global implications for companies or countries that are suppliers of oil. How do falling prices affect the countries’ economies? How does it affect the companies’ financial situations relative to competitors or their geographic environment?

MCC: Given this complexity, how does the board identify and prioritize the potential risks facing a company?

Gleason: While the board will use a variety of approaches to identify risk, these all rely on board engagement with the management team around strategy. Last October, NACD released a Blue Ribbon Commission report on strategy development that discussed how board members have to move away from the traditional review-and-approve approach to management’s strategy and, instead, engage in earlier-stage dialogue about the various options management is considering during the process.

For example, traditionally, the management team may discuss three or four options and then choose “strategy A” for presentation to the board. As part of this deeper engagement, directors should ask “but what other strategies were on the table? Why did they choose A over B? What were the assumptions underlying that strategy that we should discuss as a board?”

This level of dialogue allows boards to identify risks to the business and to the execution of a particular strategy. The engaged dialogue within the process helps identify risks within the strategy itself, within the industry, and then within the economic purview of the company as it relates to the global economy. With this level of knowledge, directors can quickly change course, as needed, if the company’s strategy is later disrupted by a previously unidentified risk or by a geopolitical event.

MCC: These are dynamic issues. What is the right approach to this world of emerging or unidentified risks?

Gleason: This topic is under constant discussion in our Advisory Councils: how do we know what we don’t know? Or as our CEO Ken Daly phrases it, “how do we make the completely unknown merely uncertain?” There is no way of knowing; by definition you can’t predict the proverbial black swan. There is, however, the idea of gathering different perspectives and more information, engaging in more dialogue, and establishing ongoing discussion with management that helps identify issues, or even realms of issues, that are not yet on the radar screen.

This idea of “constructive dialogue” is tied directly into the Blue Ribbon Commission’s focus on continuously reviewing and testing the assumptions that underlie management’s strategic plan. For example, in the context of geopolitical events, let’s say, as a company, that we get all of our “chemical AAB” from a country in Eastern Europe, but that chemical is no longer available because of terrorism activity. Where can we get the chemical now, and how does that change affect our supply chain, costs and pricing?

While this individual situation may seem minimal in the big scheme of the company’s strategy, those discussions are essential because they identify risks that the company may face more broadly.

Frankly, board engagement provides focus. Take the financial crisis, as another example, which arose from strategies that created incentives in the mortgage industry to drive volume, but not necessarily quality. This generated huge portfolios of poor-quality loans and major economic disruption. In hindsight, better oversight was needed to ask, fundamentally, about the risk within this strategy, and to identify and discuss the possible consequences before adopting it.

MCC: Which groups within the board should be responsible for risk oversight?

Gleason: The board’s job is to oversee the enterprise risk management process, to make sure measures are in place to identify risks, to get the right reporting, to bring insight from the directors’ own experiences, and to participate in dialogue with management about strategies to address the issues.

In terms of who should have the primary responsibility, we look at risk oversight as a full-board function. Risk is too big for any one committee. Traditionally it has been the purview of the audit committee; however, adding oversight for the entire organization’s risk profile would overwhelm the committee’s already heavy agenda. Although we still see a number of companies placing risk oversight squarely on the audit committee, interestingly enough, NACD’s annual public company governance survey reflects that a significant portion of respondents from those companies believe that risk oversight really ought to be a full-board activity.

There has been a trend in recent years of establishing mandated risk committees ­– for example on the boards of financial institutions – and we may see similar changes in other industries going forward. At NACD, we don’t necessarily see a risk committee as the panacea. The bigger question is how does it execute? Every board takes a different approach to identifying and overseeing risk, and that’s okay because boards have to adapt their structure, style and processes to the company.

MCC: Expand a bit on how boards work effectively with the executive team to ensure that directors are asking the right questions and management is providing the right information.

Gleason: A prevalent challenge for every board is asymmetric information risk. This risk is inherent in directorship, given that management will – and should – have vastly more knowledge about the company’s business than the board ever will. A balancing act exists in that management needs to provide the board with the right information – not all the information – to enable a productive discussion of risk. Further, today’s directors own at least one device that provides access to any and all information about the company. So the question becomes, to what extent should board members rely, so to speak, on their own detective work to get information beyond what management reports? That balance is so critical because, in turn, directors can overwhelm management with one-off requests for information.

In sum, boards have to ask constructive questions about whether they are getting the relevant information, such as outside opinions from financial experts or reports from whistleblower hotlines, so they can make decisions about the company’s ongoing performance and sustainability.

MCC: Do outside perspectives vary as to assigning accountability for effective risk management? NACD’s Advisory Council on Risk Oversight has noted that “the general pattern is that investors are more tuned in, while regulators will blame the board.”

Gleason: Right now, we are looking at how shareholders themselves can present a risk to the organization. Look at what’s happening at DuPont with Trian Partners. Here’s a company that has outperformed the market and its peers for the last five years but is still facing an activist investor. Companies are wondering which of them will be the next to face challenges to management or board structures and corporate strategies; the number of activist engagements has doubled in the last couple of years, and the funding behind new activist initiatives is growing.

I think companies are facing unparalleled levels of pressure not only from investors but also from regulators. Large shareholders generally understand what boards face, but they have a responsibility to deliver a return on their portfolios. The regulators are proving to be a wildcard, of sorts. With the unfolding of Dodd-Frank they are putting pressure on boards to perform at a certain level in response to situations.

MCC: What is the general counsel’s role in optimizing the interaction between board and management?

Gleason: The GC or the corporate secretary is the gatekeeper, with information generally flowing through them from the management team to the board. Their job is to see that specific information is produced at the appropriate time and as aligned with the agendas of the standing committees. GCs and their teams also keep the board apprised of the company’s legal risks. So the legal team is in the middle of the dialogue between directors and shareholders, especially for large public corporations. For instance, in response to activist issues, GCs will play a central role in assessing the risks and addressing the legal requirements related to the production of disclosure documents.

MCC: Tell us about NACD’s Advisory Councils more generally. On what issues do they focus, and who participates?

Gleason: Our Advisory Councils are made up of committee chairs on Fortune 500 boards, as well as regulators and shareholders, and they all engage in a multi-stakeholder dialogue. We originally created three councils for the key committees – audit, compensation and nominating/governance – and then we added a fourth on risk. This Advisory Council on Risk Oversight is a bit of a hybrid because not many companies have a standing risk committee.

At council meetings, we invite speakers to talk about issues that the council has identified as top-of-mind priorities. We bring in large institutional shareholders like Vanguard and T. Rowe Price as well as regulators like the Financial Accounting Standards Board (FASB) or the SEC. Representatives from Institutional Shareholder Services (ISS) have joined us to talk about their perspective. So the councils are designed to get different perspectives around issues and, as you mentioned earlier, start to identify the unknown issues.

All of our councils function on a similar basis, and we keep it fresh, relevant and topical. For example, council meetings aren’t always standard roundtable discussions. Recently, the Advisory Council on Risk Oversight staged a mock cyber crisis in which everyone had an assigned role to play, including the role of the CFO, the GC, the risk committee and the advisory council itself. The idea was to play out the scene, identify the issues and decide how to approach the crisis. Interestingly, during this scenario disclosures became a primary concern. In a cyber breach, while you know you have regulators to satisfy, law enforcement may be telling you to wait, essentially to allow them time to catch the perpetrator in the act. So the question debated in the meeting was: what do you do when the SEC says you need to disclose to your investors right now, but the FBI is saying you can’t?

MCC: And of course this is all done for the benefit of NACD’s members.

Gleason: Yes it is. At Advisory Council meetings, it is NACD’s job to capture and distribute the key discussion points so our members can learn from them. Our membership ranges by ownership structure – from public and private, to nonprofits – and by size, from the smallest to the biggest global players. They all appreciate our ability to convene different perspectives around critical issues, facilitate group discussion and then deliver insights in exceptional reporting and educational programs.

The largest companies out there are participating in our Advisory Councils and education programs, and our in-boardroom programs also help us surface the important issues. We have peer exchanges on a regular basis where we put a topic on a table, let a group of seven to ten directors discuss it and then report out.

That is a goal of NACD’s 2020 initiative, now in its third year, which ties together the key components of effective board leadership with emerging risk oversight in programs we offer nationwide. Through this initiative, directors can learn about how various boards have approached disruptive forces and then look forward to how boards will operate in 2020. Our goal is to keep the directors informed and help them do their jobs better.

It is important to remember that all boards are struggling with risk to some degree, and managing it is a balancing act. One commissioner from our Blue Ribbon Commission on Risk Governance said it well: “A car in neutral goes nowhere.” If you’re not driving the business, you’re not going to face any risks, and you’re not going to enjoy any rewards.

Please email the interviewee at with questions about this interview.

NACD BLC 2014 Breakout Session – Going Beyond: Stories of Pushing Past Personal Limits

October 28th, 2014 | By

It should go without saying that governance in today’s complex business environment is no walk in the park. But are there lessons to be learned from a run in the Sahara? At the recent 2014 NACD Board Leadership Conference, documentary filmmaker Jennifer Steinman aimed to provide the answer to that question in a session titled “Going Beyond: Stories of Pushing Past Personal Limits.”

In the session, Steinman told the story of the creation of her latest film, “Desert Runners,” which follows people who take on the formidable challenge of competing in the 4 Deserts Race Series (4 Deserts). 4 Deserts includes a series of four ultra-marathons: races involving distances greater than the 26.2 miles that compose a typical marathon. The races take place in some of the most inhospitable environments on earth, including the Sahara, Gobi, and Atacama deserts, and Antarctica.

Steinman began the film project with a series of questions, including “what are these perceived limitations that we put on ourselves?” and “are these crazy people?” She arrived at the first race expecting to find a group of elite, superhuman athletes, and was surprised to find that, for the most part, the runners were what you might call “everyday” people; people with day jobs, mortgages, and families. Steinman’s film follows four people who decided to take on this challenge. In the course of the conference session, attendees were introduced—through video clips—to three of them: a student named Samantha, age 25; an American consultant named Ricky, age 33; and Dave, a 56-year-old marketing director and friend of Steinman’s who introduced her to the competition. Dave was one of 13 runners attempting to complete all four grueling races of 4 Deserts in one year, a feat known as the “Grand Slam.”

Steinman shared a series of her favorite clips from the documentary, and as might be imagined, Samantha, Ricky, and Dave confronted a wide variety of physical challenges, including dehydration, illness, exhaustion, and a great deal of pain.

So how did all of that tie into directorship? The challenges and struggles of the runners echoed many of the themes emphasized elsewhere at conference.

An injury suffered by Ricky provides an example. Given the long distances and extreme conditions involved in the races of 4 Deserts, some degree of pain is unavoidable. However, as Steinman pointed out, racers must constantly ask themselves, “is this real pain, pain I need to deal with, pain that can do real damage?” If the answer is “yes” to those questions, as it was in Ricky’s case, a runner needs to recognize this and give it the attention it requires. However, if the answer is “no,” any runner who intends to finish the race must recognize this, and avoid attaching more meaning to the pain than is merited.

As part of risk oversight, directors also receive an overwhelming amount of urgent information from a variety of sources, and must contextualize it on the basis of their own experience so they can ask the right questions of management. The board should ensure that the risk oversight processes in place have the capability to differentiate between a real threat and the intermittent challenges that occur in the normal course of business. When a real threat is detected, a director must not let pride get in the way of taking the appropriate actions, as the consequences could become progressively worse.

Another of Steinman’s film clips showed a series of gruesome injuries suffered by runners. Watching the clips quite naturally might cause one to wonder why anyone would willingly participate in such a competition. Steinman found that part of the answer to that stemmed from the camaraderie of being marooned in the desert with a common goal. While a small contingent of elite runners are in the race to win, the vast majority have the simple goal of finishing. Even a relatively competitive person would likely concede that running consecutive marathons across the Sahara or Antarctica is hardly your typical “participation medal,” and many runners rely on each other at times to accomplish this remarkable feat.

In a particularly poignant clip, a professional runner holds Samantha by the hand and they help each other to the next check point. Though they may be significantly different in kind, corporate directors certainly face their own challenges. The reasons directors take on the responsibilities and liabilities inherent in the role are many, but by concentrating on the reasons they are there, and augmenting their own expertise with the expertise of others around the table, each director, board, and company can reach their goals.

In Conversation with Dona Young and Carolyn Miles

October 12th, 2014 | By

The differences between nonprofit and corporate governance are few and far between when the nonprofit in question has a budget of almost $700 million and operations in more than 120 different countries. But when you are a nonprofit of this size, what should the board’s expectations of management be—and vice versa? Carolyn Miles, president and CEO of Save the Children, and Dona Young, who is a director on the Save the Children board, spoke with NACD Senior Advisor Jeffrey M. Cunningham about how directors can navigate the perils and opportunities of operating around the globe while fostering a top-notch organizational culture.

One of the problems of working in the nonprofit space is controversial topics—for example, immigration, an issue that came to a head with the recent influx of children crossing the U.S. border. For Miles, Save the Children didn’t adopt the attitude of choosing sides, but rather, they chose children. With that mindset, the organization was able to push beyond the immigration debate and focus on the issue of taking care of kids and ensuring their basic human rights. It’s a position that drew criticism but doing otherwise would have been a disservice to the company’s mission.

Both Miles and Young drove home the importance of bringing into the boardroom what’s going on in the field. Young emphasized the need of having a CEO who is continuously communicative with the board. Miles explained a practice she has used of bringing people who are working in the field to attend boardroom meetings and explain their needs to directors. Those lines of communication better inform the board and is a boon to helping the board helping the company accomplish its mission.

Miles also explained how Save the Children’s directors venture out to experience the work that their organization is doing, what she believes is a critical practice. Save the Children’s directors have been to the places that are the toughest—Afghanistan, Liberia, and Iraq. On a recent trip to Liberia, Miles was confronted with about 4,000 cases of Ebola in Liberia, which has created about 2,000 orphans. As a result, Save the Children wanted to consider sending aid, even though the issue at hand was out of the company’s traditional scope.

“We vet the issues together as a board,” Young said. “At the core of our mission, we have to assume risk.” She offered the following process of evaluating resources to ensure that the company can address a certain area of risk.

  • Identify each component of that risk.
  • Identify how each component is to be addressed.
  • Evaluate if the board has the skill sets to attack the issue at hand.

These are tactics that are as relevant for Save the Children as they are for a company such as IBM. Although the traditional scope of Save the Children’s activity did not lie within epidemic disease control, they did, however, know a lot of the pieces of how to assist (e.g., setting up hospital), and the company was able to respond to the Ebola crisis in the ways that it could and in a fashion that was true to its core mission.

Miles also discussed the importance of metrics. From her perspective, it is critical for nonprofits to focus on metrics and not just the “greater good of the cause.” If a company is able to produce palpable results, people who bankroll the organization look to their contributions not as a donation, but as an investment. Young added the importance of the board’s role as a steward of those funds, and the need for discipline and process—if that is not in place, there’s no way company is achieving its goals.