Many companies have adopted a risk language to facilitate an ongoing dialogue regarding their risks. With respect to board risk oversight, the question arises as to whether directors should adopt their own risk language to ensure they are covering the bases and focusing the oversight process. While each board must decide for itself whether such a language is useful given the nature of the enterprise’s operations, there are several risk categories directors may want to consider.
At Protiviti, we often hear concerns from directors and executives alike about the risk oversight process being an unfocused activity. If the board is mired in the minutiae of risk management, the oversight process lacks the necessary focus to be effective. We also receive questions about how to ensure that the board’s risk oversight addresses the right issues. This question is important for several reasons:
- If the board’s oversight is focused on the risks that really matter, directors are positioned to add value to senior executives.
- A focused risk oversight process is one that can be aligned more effectively with the rhythm of how senior executives manage and run the business.
- If the board is providing input on the right issues at the right time, it is easier to delineate between the responsibilities of the board and those of management.
How, then, is focus achieved?
The five broad risk categories recommended by NACD (the National Association of Corporate Directors) apply to every company, regardless of its industry, organizational strategy, and unique risks.
- Governance risks. These risks are related to directors’ decisions regarding board leadership, composition and structure, director and CEO selection, and other governance matters. Periodically, boards must consider CEO selection and compensation, board leadership and composition, board structure, and other governance issues critical to the enterprise’s success. These decisions often require directors to weigh the risks and rewards associated with alternative courses of action. While boards can benchmark their processes for evaluating these issues by considering best practices employed by other boards, they often must rely on their collective knowledge and business judgment.
- Critical enterprise risks. These are the top five to 10 risks that can threaten the company’s strategy, business model, or viability and should command the board’s risk oversight agenda. The criticality of these risks—such as credit risk in a financial institution or supply chain risk in a manufacturing business—requires full board engagement, as well as an ongoing process to identify and monitor such risks. While management is responsible for addressing these risks, the board should consider its own information requirements for understanding them. For example, the board might require management to report on the impact and likelihood of the risks to key strategic goals as compared to other enterprise risks, as well as the velocity and persistence of such risks. The board also might want to understand the status of risk mitigation efforts with input from the executives responsible for managing the risks. Other examples of relevant information might include: the effects of technological obsolescence on the business model; changes in the overall assessment of risk over time; the effect of changes in the external environment on the core assumptions underlying the company’s strategy; and interrelationships with other enterprise risks. Critical enterprise risks should be a topic on the agenda when the board provides input on the strategy-setting process. The board should be updated on these risks periodically.
- Board approval risks. These risks are related to decisions the board must make with respect to important policy areas, such as major strategic initiatives, acquisitions or divestitures, major investments, and entry into new markets. Through careful consideration and timely due diligence, directors must satisfy themselves that management’s recommendations regarding strategic initiatives and other policy matters are appropriate to the enterprise before approving them. Therefore, such matters may prompt the board to ask questions about the associated risks and rewards before approving management’s recommended actions.
- Business management risks. These risks are associated with normal, day-to-day business operations. Every business has myriad operational, financial, and compliance risks embedded within its day-to-day operations. Because the board simply does not have sufficient time to consider every risk individually, it should identify specific categories of business risks that pose the greatest threats and determine whether to oversee each category at the board level or delegate oversight responsibility to an appropriate committee. For example, the audit committee traditionally oversees financial reporting risks, and the finance committee might oversee risks related to strategic opportunities, mergers and acquisitions, financial exposures, and capital availability. And there are other business risks to consider, such as: operational risks associated with internal processes, information technology, intellectual property, customer service, obsolescence, manufacturing activities and the environment; financial risks, such as excessive leveraging of the balance sheet; compliance risks, such as noncompliance with a new complex law; and reputational risks, such as those that threaten the company’s brand image. If a significant issue arises for other business risks that are not considered critical enterprise risks, it may be escalated to senior management and the board on an exception basis. In addition, the board may request periodic briefings from the primary owners of specific business risk areas.
- Emerging risks. These are the external risks outside the scope of the previous four categories. While management is responsible for addressing these external environment risks, directors need to understand them. The effects of demographic shifts, climate change, catastrophic events and new security threats are examples of emerging risks. Disruptive change is a business reality. Adapting to disruption is a game every organization must play to survive and thrive in a rapidly changing business environment. Properly focused, the board’s risk oversight process can assist management in adapting the organization successfully to market forces, and identifying emerging risks is a key aspect of the adaptation process.
These risk categories provide a useful context for boards to ensure the risk oversight process is focused and sufficiently comprehensive. Board approval risks require directors and management to agree on the matters the board approves in advance and the timeliness of board involvement with such matters. Among the remaining categories, the lion’s share of the board’s risk oversight is directed to critical enterprise risks and emerging risks.
The board should satisfy itself that the organization has effective processes in place to identify emerging risks so that the company can position itself as an early mover in terms of addressing those risks. Finally, with respect to business management risks, the board should expect escalation of significant issues on a timely basis and periodic briefings in specific areas.
Questions for Boards
- Is there a process to identify the organization’s critical enterprise risks? Are these risks reported to the board or its designated committee(s) to prioritize the board’s risk oversight focus?
- Is the board approving major strategic and policy issues on a before-the-fact basis?
- Is there a process in place for identifying and communicating emerging risks to enable management and the board to be proactive in responding to them?
- Are significant, unexpected risk issues escalated to executive management and the board on a timely basis?
Jim DeLoach is a managing director with Protiviti and works closely with companies to improve their board risk oversight, including the communications between management and the board. He is a member of Protiviti’s Executive Council to the CEO and was named to NACD Directorship’s 2012 list of the 100 most influential people in corporate governance. Protiviti is a global consulting firm that assists board members, and the companies on which they serve, in protecting and enhancing their enterprise value by solving critical business problems in the areas of finance, technology, operations, risk and internal audit.