Board risk reporting is a subject of debate within many organizations as directors often consider reports to be too detailed or not actionable. Simply stated, risk reporting should enable the board and its respective committees to understand and govern the organization’s risks. To that end, here are six interrelated “board risk reporting principles” intended to foster reporting that focuses directors on the risks that matter and enables them to bring to bear their knowledge and expertise in ways that add and preserve enterprise value:
Focus on critical enterprise risks and emerging risks. The critical enterprise risks are the top risks that can threaten the company’s strategy, business model or viability and consequently warrant the most attention from the board’s risk oversight process. The board also needs to be mindful of emerging risks triggered by unanticipated and potentially disruptive events of varying velocity, ranging from catastrophic events, such as a pandemic or hurricane, to existing risks that external and/or internal factors accelerate in unexpected ways, as when deteriorating underwriting standards and seemingly limitless demand for mortgage-backed securities fed the subprime market in the run-up to the 2008 financial crisis.
Address ongoing business management risks on an outlier basis. Every business has myriad operational, financial and compliance risks. For those risks that are not critical enterprise risks, risk reporting should be integrated with periodic status reports on line-of-business, product, geographic, functional, or program performance. Reports on these risks should also be triggered by the escalation of unusual matters that warrant immediate board attention, such as exceptions against established limits (i.e., limit breaches). The point is that reporting on day-to-day risks should be less frequent than reporting on critical enterprise and emerging risks.
Ensure risk reporting is linked to key business objectives. Realistic and measurable objectives support the organization’s overall strategy and business plan. Risks related to those objectives may impact the organization’s ability to achieve those objectives and execute the strategy and plan. The relevancy of risk reporting is more firmly established with directors when it is closely tied to strategic business plans and the critical objectives and initiatives management has communicated to them.
Use risk reporting to advance dialogues around risk appetite. A winning strategy exploits the areas in which the organization excels relative to its competitors. The risk appetite statement serves as a guidepost for when a new market opportunity or significant risk emerges. Although dialogue around risk appetite has advanced at the board level over recent years, there is still plenty of room for improvement. Once executive management and the board agree on the drivers of—and strategic, operational, and financial parameters around—opportunity-seeking behavior, the resulting risk appetite statement is a reminder of the core risk strategy arising from the strategy-setting process. Risk reporting should call attention to the level of risk the organization is undertaking in the pursuit of value creation and disclose when conditions change and the agreed-upon parameters are approached or breached.
Integrate risk reporting with performance reporting. When stakeholders (e.g., owners of corporate, line-of-business, product, geographic, functional or program performance goals) report on performance to the board, they should also disclose the related key risks. Linking opportunity-seeking behavior and the related risks is important because it enables each stakeholder reporting to the board to engage in a dialogue with directors on: the underlying risks and assumptions inherent in executing the strategy and achieving performance targets; the “hard spots” (i.e., the aspects of the plan that are well within reach) and “soft spots” (i.e., the riskier parts of the plan) inherent in the performance plan; the implications of changes in the business environment for the core assumptions and desired risk levels underlying the strategy; and the effectiveness of risk management capabilities. The effectiveness with which risk reporting is integrated with performance reporting is a powerful indicator of the enterprise’s risk culture. If risk reporting is merely an appendage to performance reporting, risk is more likely to receive limited board agenda time.
Report on whether changes in the external environment affect the critical assumptions underlying the strategy. Risk reporting should provide insights as to whether executive management’s assumptions about markets, customers, competition, technology, regulations, commodity prices and other external factors remain valid. Reporting should focus on whether changes in these environmental factors have occurred, which could alter the fundamentals underlying the business model. Boards place high value on “early warning” capability.
The above principles are not intended to prescribe specific reporting practices, but rather offer sound direction for the board and management to pursue in improving the substance and content of the reporting.
Questions for Boards
The following are suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
Does the board periodically evaluate the nature and frequency of management’s risk reporting?
Do directors work with management to agree on risk information the board and its committees require?
Is the board satisfied that both full board and board committee agendas allocate sufficient time to risk?
Do directors think they receive sufficient information on changing risks to avoid surprises?
Jim DeLoach is a managing director with Protiviti, a global consulting firm.
“We can’t afford the cost of harmony!” declared Bruce Dayton, former CEO of the Dayton Company. He was referring to the way Dayton’s family-only board made decisions through a time-consuming process to achieve consensus. He sensed that the accelerating pace of the retail business required a change in the company’s governance model. The year was 1950, and the five Dayton brothers had not yet grown the single department store inherited from their father into what would become Dayton Hudson Corporation and later the retail giant Target Corp. “There is a new phenomenon coming called the mall. At present we don’t have the distribution, financing, and real estate know-how to go there. But the longer we wait the harder it will be to get in. And if we don’t go, we will become five brothers owning a smaller and smaller business together.”
The Dayton brothers’ way out of that dilemma, which was courageous at the time, was to compensate for their lack of know-how and clear strategy by bringing outside expertise onto their board, while making a personal commitment to become students and proponents of excellent corporate governance. They recruited independent directors who could help the company select real estate, raise capital, and set up a multi-store distribution system. They saw reshaping the board as a key first step in developing the strategy and capability needed to pursue an opportunity for exponential growth.
Bruce Dayton provided these insights in an interview with me a few years ago, and his story is included in the newest addition to the NACD Director’s Handbook Series, The Family Business Board, Volume 2: Governance for Agility and Growth, published this month (March 2016). Dayton was ahead of his time. His strategic use of the board is becoming more common among family-owned companies today, as evidenced in the 2015–2016 NACD Private Company Governance Survey: Family Business Boards. The survey showed many points of comparison between the boards of family businesses and public companies, and also revealed that family business boards have their own governance style oriented to the long term. The proliferation of family-business education programs and peer networks for directors of large family-controlled companies, including NACD’s upcoming Advanced Director Professionalism, is empowering more owners to create sophisticated, tailored governance structures that include independent director expertise while also cultivating the family’s continuing contribution to the value of the business.
Family business board development requires a champion and a plan.
The Dayton brothers’ story illustrates important steps on a path to more effective family business governance. Because there may be many obstacles (sometimes political and emotional) to be overcome in advancing the capability and composition of a family business board, the best leaders of board change are usually well-prepared insiders—who have both strong credibility within the company and high levels of trust among the owning family members. NACD’s new handbook is designed for these “board champions” who want to spark development and expand the capability of an existing board to help the business meet new challenges. The handbook suggests strategies for addressing common sources of resistance to board change in family business and describes the following fundamental steps of board-development planning:
Identify and communicate reasons to advance the board, such as new realities on the business horizon, that compel a strategic response.
Assess board capability and effectiveness gaps.
Bring on independent directors while building owner confidence.
Facilitate constructive contributions from both independent and family directors.
Because every family business is different, these basic steps should be customized and implemented in a manner that is acceptable to senior management and leading shareholders. These stakeholders must have confidence that the board changes are the best way to move the company forward. But before that confidence can be built, acts of courage are required. A “champion” has to raise the issue of board readiness and articulate compelling reasons for advancing the board, while charting a board development plan that brings others along.
The risks are higher when family relationships are at stake.
The Dayton brothers reshaped their board as a first step in achieving a series of advances: building the first indoor mall in the United States, becoming developers of mall anchor stores, and later, buying a competing public retail chain before selling their interest in that business to focus on a new quality discount store concept, Target.
For the Daytons, as for many family business owners, recruiting outside, independent directors required the support of informed and educated family members. In their case the speed of change in the business environment required action before an informed family consensus could be achieved. “We recognized that success might require that each of us would eventually have to give up our current management job to someone who could do it better, and even sacrifice our good salaries in the short term for the goal of higher profits and greater long-term returns,” said Dayton. “We knew that sacrifice might be hard for our [families] to understand, but board discussions boosted our confidence that profits would rise, and shared profit would eventually smooth any hard feelings.”
The brothers’ gutsy steps toward better governance not only produced a more powerful company but also established precedents that inspired generations of creative family contributions in entrepreneurial business, philanthropy, and public service. The potential to be a part of that kind of long-term generativity is a reason why many of the best independent directors want to work with great family business boards.
Allen Bettis is the author of NACD’s latest handbook for family business boards and is a leader of the NACD Minnesota Chapter. Allen will be facilitating a discussion with directors from the featured case study in the newly released handbook at Advanced Director Professionalism in June.
Hackers are hard at work trying to steal your information. That is a fact of modern life, whether you are an individual making purchases with your personal credit card or a Fortune 500 company managing many millions of customer records. Indeed, a company that maintains it has not been hacked probably doesn’t realize the full extent of the attacks it faces or how successful hackers may have been already. Moreover, the fallout from successful cybersecurity breaches is not limited to lost information. From 2014 through the second quarter of 2015, companies reported over 2,429 data breaches containing more than 1.25 billion records of personal information, according to a study published by data security firm Gemalto. IBM recently reported that in 2015 the average corporate cost of data breaches reached $154 per record and more than $3.75 million per incident.
Regulators and plaintiff lawyers alike pay increasing attention to data breaches in an environment where the technology and the legal obligations change rapidly. Keeping ahead of both the threats and the evolving laws and regulations is challenging. In the United States alone, the list of interested regulators is expansive and includes the Securities and Exchange Commission, the Federal Trade Commission, the Consumer Financial Protection Bureau, the Federal Communications Commission, and fifty State Attorneys General, each with potentially distinct requirements and agendas. Security breaches reviewed by these authorities have led to a variety of adverse actions against well-established corporations and their directors, including Facebook, Home Depot, and Target. Reasonable safeguards and notice requirements also vary significantly by industry, particularly in healthcare and financial services, as well as by the kind of Personally Identifiable Information (or PII) involved. For companies with a global presence, especially those with European customers, the compliance challenges multiply, as do the accompanying uncertainties.
Despite the highly technical and complex nature of the problem, these issues should be discussed and addressed at the board level. As former SEC Commissioner Luis A. Aguilar observed at a recent Cyber Risks and the Boardroom Conference: “[E]nsuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.… [B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” Because the applicable rules and standards typically require the company to “evaluate and adjust” the security program over time, safeguards that are state-of-the-art today can become an alleged basis for liability once the environment changes.
Recent rulings and a settlement in FTC v. Wyndham Worldwide Corporation relating to claims of allegedly sloppy security practices demonstrate the growing challenge boards face with cyber risk oversight. In that case, the extended fallout from several relatively small attacks from 2008 to 2010 (affecting approximately 500,000 customer credit cards) has taken more than five years and many millions of dollars in legal fees to resolve. The claims asserted against the company’s directors were unsuccessful, but they demonstrate the real possibility that directors who do not react swiftly and assertively (as the Wyndham directors did) may face personal responsibility for their failures.
In a world where hackers are constantly refining their attacks and reassessing the different vulnerabilities that can be exploited, there simply is no “one size fits all” approach. Nevertheless, the list below identifies issues directors should weigh and proactive steps they can take:
Add cybersecurity to the list of risks evaluated by the committee of the board that evaluates enterprise risks;
Develop company procedures and a communication plan (sometimes known as a security incident response plan) to be implemented in the event of a data breach;
Add cybersecurity expertise to the board in the form of an experienced director or outside advisors (including experienced counsel);
Create reporting lines from the company’s most senior IT executives, CISO, and in-house counsel responsible for cybersecurity to the company’s directors;
Establish a “tone at the top” that instills a company-wide awareness of security risks;
Consider and explore purchasing cyber insurance to mitigate exposure to risks;
Regularly consult with third-party technical, legal, and training specialists on cyber security and related compliance issues; and
Act promptly if cyberattacks or intrusions occur. Many states have their own prompt notice provisions that must be observed.
While the nature and extent of future attacks is unforeseeable, it is certain that hackers are focused on attacking most companies. All directors therefore must be persistently vigilant in this evolving technical and legal environment.
David R. Owen and Bradley J. Bondi are partners at Cahill Gordon & Reindel LLP. They advise global corporations and financial institutions, boards of directors, audit committees, and officers and directors in significant matters, including those involving cybersecurity, data protection, and regulatory investigations. Travis Scheft, an associate at Cahill, assisted with this article.