Category: Risk Management

Focusing the Board’s Risk Oversight

Published by
Jim DeLoach

Many companies have adopted a risk language to facilitate an ongoing dialogue regarding their risks. With respect to board risk oversight, the question arises as to whether directors should adopt their own risk language to ensure they are covering the bases and focusing the oversight process. While each board must decide for itself whether such a language is useful given the nature of the enterprise’s operations, there are several risk categories directors may want to consider.

At Protiviti, we often hear concerns from directors and executives alike about the risk oversight process being an unfocused activity. If the board is mired in the minutiae of risk management, the oversight process lacks the necessary focus to be effective. We also receive questions about how to ensure that the board’s risk oversight addresses the right issues. This question is important for several reasons:

  1. If the board’s oversight is focused on the risks that really matter, directors are positioned to add value to senior executives.
  2. A focused risk oversight process is one that can be aligned more effectively with the rhythm of how senior executives manage and run the business.
  3. If the board is providing input on the right issues at the right time, it is easier to delineate between the responsibilities of the board and those of management.

How, then, is focus achieved?

Key Considerations

The five broad risk categories recommended by NACD apply to every company, regardless of its industry, organizational strategy, and unique risks.

  1. Governance risks. These risks are related to directors’ decisions regarding board leadership, composition and structure, director and CEO selection, and other governance matters. Periodically, boards must consider CEO selection and compensation, board leadership and composition, board structure, and other governance issues critical to the enterprise’s success. These decisions often require directors to weigh the risks and rewards associated with alternative courses of action. While boards can benchmark their processes for evaluating these issues by considering best practices employed by other boards, they often must rely on their collective knowledge and business judgment.
  2. Critical enterprise risks. These are the top five to 10 risks that can threaten the company’s strategy, business model, or viability and should command the board’s risk oversight agenda. The criticality of these risks—such as credit risk in a financial institution or supply chain risk in a manufacturing business—requires full board engagement, as well as an ongoing process to identify and monitor such risks. While management is responsible for addressing these risks, the board should consider its own information requirements for understanding them. For example, the board might require management to report on the impact and likelihood of the risks to key strategic goals as compared to other enterprise risks, as well as the velocity and persistence of such risks. The board also might want to understand the status of risk mitigation efforts with input from the executives responsible for managing the risks. Other examples of relevant information might include: the effects of technological obsolescence on the business model; changes in the overall assessment of risk over time; the effect of changes in the external environment on the core assumptions underlying the company’s strategy; and interrelationships with other enterprise risks. Critical enterprise risks should be a topic on the agenda when the board provides input on the strategy-setting process. The board should be updated on these risks periodically.
  3. Board approval risks. These risks are related to decisions the board must make with respect to important policy areas, such as major strategic initiatives, acquisitions or divestitures, major investments, and entry into new markets. Through careful consideration and timely due diligence, directors must satisfy themselves that management’s recommendations regarding strategic initiatives and other policy matters are appropriate to the enterprise before approving them. Therefore, such matters may prompt the board to ask questions about the associated risks and rewards before approving management’s recommended actions.
  4. Business management risks. These risks are associated with normal, day-to-day business operations. Every business has myriad operational, financial, and compliance risks embedded within its day-to-day operations. Because the board simply does not have sufficient time to consider every risk individually, it should identify specific categories of business risks that pose the greatest threats and determine whether to oversee each category at the board level or delegate oversight responsibility to an appropriate committee. For example, the audit committee traditionally oversees financial reporting risks, and the finance committee might oversee risks related to strategic opportunities, mergers and acquisitions, financial exposures, and capital availability. And there are other business risks to consider, such as: operational risks associated with internal processes, information technology, intellectual property, customer service, obsolescence, manufacturing activities and the environment; financial risks, such as excessive leveraging of the balance sheet; compliance risks, such as noncompliance with a new complex law; and reputational risks, such as those that threaten the company’s brand image. If a significant issue arises for other business risks that are not considered critical enterprise risks, it may be escalated to senior management and the board on an exception basis. In addition, the board may request periodic briefings from the primary owners of specific business risk areas.
  5. Emerging risks. These are the external risks outside the scope of the previous four categories. While management is responsible for addressing those external environment risks outside of the scope of the risks noted above, directors need to understand them. The effects of demographic shifts, climate change, catastrophic events and new security threats are examples of emerging risks. Disruptive change is a business reality. Adapting to disruption is a game every organization must play to survive and thrive in a rapidly changing business environment. Properly focused, the board’s risk oversight process can assist management in adapting the organization successfully to market forces—and identifying emerging risks is a key aspect of the adaptation process.

These risk categories provide a useful context for boards to ensure the risk oversight process is focused and sufficiently comprehensive. Board approval risks require directors and management to agree on the matters the board approves in advance and the timeliness of board involvement with such matters. With respect to the other three risk categories, the lion’s share of the board’s risk oversight is directed to critical enterprise risks and emerging risks.

The board should satisfy itself that the organization has effective processes in place to identify emerging risks so that the company can position itself as an early mover in terms of addressing those risks. Finally, with respect to business management risks, the board should expect escalation of significant issues on a timely basis and periodic briefings in specific areas.

Questions for Boards

  • Is there a process to identify the organization’s critical enterprise risks? Are these risks reported to the board or its designated committee(s) to prioritize the board’s risk oversight focus?
  • Is the board approving major strategic and policy issues on a before-the-fact basis?
  • Is there a process in place for identifying and communicating emerging risks to enable management and the board to be proactive in responding to them?
  • Are significant, unexpected risk issues escalated to executive management and the board on a timely basis?

Jim DeLoach is a managing director with Protiviti and works closely with companies to improve their board risk oversight, including the communications between management and the board. He is a member of Protiviti’s Executive Council to the CEO and was named to NACD Directorship’s 2012 list of the 100 most influential people in corporate governance. Protiviti is a global consulting firm that assists board members, and the companies on which they serve, in protecting and enhancing their enterprise value by solving critical business problems in the areas of finance, technology, operations, risk and internal audit.

Skepticism Lessons Learned

Published by

I’ve always been a trusting soul. One of my earliest lessons involved me diligently removing debris from a stream for someone in exchange for the official deed to the stream. The problem was, he didn’t own it.

I did not possess the skill of skepticism—defined in Audit Standard (AU) 316 as “an attitude that includes a questioning mind and a critical assessment of … evidence.” If I had, I would have observed that the shiny gold seal I was given was the kind you can buy at Woolworth’s 5 & 10, and that the stream ran not only behind the deedor’s property but contiguous ones as well.

Yet there’s hope for us all. On October 1, NACD launched a unique new webinar series on Skepticism as part of an ongoing Anti-Fraud Collaboration with the Center for Audit Quality (CAQ), Financial Executives International (FEI), and The Institute of Internal Auditors (IIA). Along with many at NACD, I was involved in this exciting project, and had a chance to review the upcoming episodes.

“Skepticism” relates to a search for the truth. The term comes from the Greek skeptikos used some 2,300 years ago by disciples of the philosopher Pyrrhos. The verb skeptesthai means “to reflect, look, view.” The earliest self-declared skeptics emphasized the importance of the senses in confirming reality. Over time, the word’s meaning expanded to include the notion of reasonable doubt. Today, the “skeptic” is perceived as a doubter—someone who may trust, but must always verify.

It’s an attitude we all need. And perhaps no one knows this better than series moderator Michele J. Hooper, president and CEO of The Directors’ Council and a member of both the NACD board and the CAQ’s governing board. Through questions and comments based on her considerable experience on a variety of public company boards, she brings out the best in the six-part series, outlined as follows:

  1. A brief introduction.
  2. The Etiquette and Ethics of Skepticism with Mary M. Mitchell, president, The Mitchell Group, and Bill White, professor at Northwestern University and experienced director.
  3. Professional Skepticism and the External Auditor with Cindy Fornelli, executive director, CAQ; and Greg Weaver, CEO and chairman, Deloitte & Touche.
  4. Skepticism and the Audit Committee with Marty Coyne, lead director and audit committee member, Akamai Technologies; and Ken Daly, president and CEO, NACD.
  5. Skepticism and the Financial Executive with Marie Hollein, president and CEO, FEI; and Greg Kabureck, chief accounting officer, Xerox Corporation.
  6. Skepticism and the Internal Auditor with Richard Chambers, president and CEO, The IIA; and Paul Sobel, vice president and chief audit executive, Georgia Pacific.

In addition to these webinars, NACD will release a white paper with in-depth background and additional resources on skepticism in December.

Why skepticism? It’s a great way to break the fraud triangle—composed of incentive, opportunity, and rationalization—which can cost businesses so dearly. Financial reporting fraud, the focus of this series, is responsible for a significant percentage of the $3.5 trillion that businesses lose to fraud every year, according to a recent study by the Association of Certified Fraud Examiners.

The value of the labor I devoted to cleaning out that stream for a fake deed may not be worth much in dollars, but whenever trust is violated the cost is too high.

Fraud is unfortunately a fact of life; therefore skepticism is a skill we all need.

The M&A Litmus Test: Part 1

Published by

How effective is your board? M&A can be your litmus test. If you are making a buy/sell/merge decision, the experience will reveal your board’s capabilities in myriad areas, especially these:

  1. M&A “IQ”
  2. Fiduciary Duties
  3. Strategy
  4. Information Flow, and last, but not least
  5. Good Business Sense

Today is Day One of your M&A Litmus Test, so we’ll start by testing your board’s…

… M&A IQ.
Does your board know why M&A matters? The wise board won’t leave mergers and acquisitions to external advisors—or wait until the last minute to bring them in. The decision to buy or sell a company of significant size is clearly a matter meriting board attention. On the sell side, time may not be on your side.

Directors serving on public company boards understand that any public company, by definition, is vulnerable to a hostile takeover (since any person with enough funding can buy their shares on the open market through a tender offer and gain control). In 2010, so far there have been nearly 20,000 announced deals worth more than $1 trillion. Some 7 percent of all announced deals worldwide—nearly 1,400 transactions—were unsolicited (hostile) bids.

Directors serving on private company boards need to understand that sometimes M&A is the company’s only exit strategy when the founder wants to retire and there is no next generation of family and/or employees to continue the legacy.

Next, you’ll be tested on fiduciary duties in the sale of a company. See you in class!

Shout Out to Sources