Ten Principles for Risk Oversight
While risk oversight has always been an important part of the board’s agenda, the disruptive financial crisis taught everyone a lesson about just how important it is. The risk oversight playbook has evolved over recent years, during which many boards took a hard look at their membership, how they operate, and whether their operations and the information to which they have access are conducive to effective risk oversight.
In addition, regulators have taken an active interest in the board’s oversight of risk. For example, the U.S. Securities and Exchange Commission requires that proxy disclosures shine a spotlight on the board’s role in overseeing the company’s risk management process, the directors’ qualifications to understand the entity’s risks, and the board’s compensation committee’s evaluation of the entity’s various compensation arrangements to ensure that they are not encouraging the undertaking of excessive, unacceptable risks.
In 2009, the National Association of Corporate Directors (NACD) published its Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward. This report recommends 10 principles to assist boards in strengthening their oversight of the company’s risk management. According to the report, “these principles provide a foundation that boards can use to build a more comprehensive risk oversight system tailored to the specific needs of their respective companies.” Further, these principles provide an outstanding framework for a board to use when evaluating its current risk oversight process. Directors should use these 10 timeless principles to assess their board’s process and ascertain whether the process needs refreshment or redirection.
1. Understand the company’s key drivers of success. Understanding the business and industry, what drives value creation, how the business model works, and the critical issues affecting the company lays a vital foundation for an effective risk oversight process. Accordingly, directors must remain abreast of these matters, and there must be processes in place to help them do so.
2. Assess the risks in the company’s strategy. This principle and the one before it are interrelated as they both focus on understanding the corporate strategy and the risks inherent in the strategy. This understanding provides a context for separating out the everyday, ongoing risks of managing the business to identify the risks that truly matter: the critical enterprise risks that threaten the execution of the company’s strategy and business model.
It is vital that directors understand the risks inherent in the business model, including the key assumptions underlying the continued viability of the business model, and agree with executive management on the company’s risk appetite in the pursuit of enterprise value creation.
3. Define the role of the full board and its standing committees with regard to risk oversight. This principle is important for directors to focus on as they collaborate in clarifying risk oversight responsibilities for the full board and the various standing committees. The NACD Blue Ribbon Commission (BRC) asserts that, “as a general rule, the full board should have primary responsibility for risk oversight, with the board’s standing committees supporting the risks inherent in their respective areas of oversight.”
At Protiviti, our experience is that the vast majority of directors agree with this general rule, as it mirrors the full board’s responsibility for strategy. It also recognizes that there are always outliers due to unique circumstances. Finally, the BRC points to the importance of distinguishing management’s responsibilities from the board’s.
4. Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources. Risk is often an afterthought to strategy, and risk management is an appendage or “side activity” to performance management. This principle addresses such issues as positioning the chief risk officer or an equivalent executive to effectively support the board’s oversight efforts. It looks beyond mere risk identification to consider the adequacy of other dimensions of managing risk, including sourcing, measuring, mitigating and monitoring risk through appropriate policies, processes, people, reporting, methodologies, and systems and data.
5. Work with management to understand and agree on the types of risk information the board requires. This principle remains a common issue for many boards. At Protiviti, we often hear directors complaining of being overwhelmed with reports or too many agenda topics while being underwhelmed with insightful information for decision-making. Directors suffering from information overload require sharper focus on actionable information. Whether or not there is reliance on quantitative models, reporting should provide different perspectives on a given risk.
To focus the risk oversight dialogue, the NACD BRC introduces five categories of risks facing each board:
- Governance risks
- Critical enterprise risks (as discussed above)
- Board-approval risks
- Business management risks (i.e., the normal ongoing risks)
- Emerging risks and nontraditional risks (e.g., climate change, slowdown in foreign markets, disruptive technological innovation)
These categories are useful, as the critical enterprise risks and emerging risks should capture most of the board’s attention, whereas the business management risks should be addressed through periodic status reporting and escalation of significant issues.
6. Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions. This principle addresses the need for constructive engagement between boards and management on risk matters. The principle’s reference to challenging assumptions is especially important in light of the financial crisis, after which many have questioned whether boards really understood the key variables driving an institution’s success and exposing it to failure, as well as the sensitivity of those variables to changes in the market. When an organization is making a lot of money, directors need to understand the risks undertaken to achieve success, rather than simply applauding as management breaks out the champagne.
7. Closely monitor the potential risks to the company’s culture and its incentive structure. This principle also points to another lesson of the financial crisis: a company’s culture and incentive compensation structure can potentially impact behaviors, decisions, and attitudes toward taking and managing risk.
Culture and incentives form the glue that binds all elements of the risk management infrastructure together, because they reflect the shared values, goals, practices and reinforcement mechanisms that embed risk into an organization’s decision-making processes and risk management into its operating processes. In effect, they represent a look into the soul of an organization to ascertain whether risk-reward trade-offs really matter to its leaders.
One of the significant lessons of the financial crisis is the danger of “heads I win, tails you lose” compensation structures for executives whose behaviors can expose the organization to significant risks well beyond the level of risk the board might consider acceptable.
8. Monitor critical alignments of strategy, risk, controls, compliance, incentives and people. This principle speaks to the importance of aligning critical elements to get everyone and everything—people, processes and the organization—on the same page. Without alignment, there is likely to be a disconnect between a company’s strategy and its execution, and a disconnect can be costly as well as risky. Nevertheless, alignment is hard for management to achieve—and even more challenging for directors to oversee.
9. Consider emerging and interrelated risks: What’s around the next corner? Emerging risks deal with issues that are not on management’s radar currently. They require an anticipatory and forward-looking focus. The worst kind of uncertainty is being unaware of what we don’t know; while senior managers have knowledge from internal and external sources, do they really understand what they don’t know?
The fundamental question raised by this principle is whether management looks out far enough, monitors what matters in the external environment, and devotes sufficient time to “connecting the dots.” Sooner or later, something fundamental in the organization’s business will change. And when disruptive change occurs, a company’s risk profile is likely to be altered in significant ways. Therefore, directors need to know that management devotes sufficient time to thinking about the unthinkable and to preparing its response readiness, as both are key to a world-class reaction.
10. Periodically assess the board’s risk oversight processes: Do they enable the board to achieve its risk oversight objectives? The last principle advocates applying the best practice of periodic board self-evaluations to the risk oversight process.
Questions for Boards
The following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
- Has the board articulated its risk oversight objectives? Are those objectives incorporated into the board’s charter?
- Has the board evaluated the effectiveness of its processes in achieving its risk oversight objectives? If so, has the board considered the NACD BRC’s 10 principles of effective risk oversight in evaluating its risk oversight processes?
- Is the board proactively taking steps to address any gaps that impede its risk oversight effectiveness?
Jim DeLoach is a managing director with Protiviti, a global consulting firm.