Boards and executive teams are challenged by a fast-changing, highly interdependent, and often ambiguous external environment that continually creates unforeseen opportunities and risks. Volatility is the new normal. Not surprisingly, according to the National Association of Corporate Directors’ (NACD) most recent public company governance survey, global economic uncertainty ranks as the top trend corporate directors believe will impact their company in 2017. In yet another NACD poll conducted during a recent webinar, 49 percent of directors did not feel that management was providing them with a reliable view of the future.
The recent election of Donald J. Trump as President of the United States is likely to contribute to this growing sense of uncertainty, with the corporate director community evenly divided about the potential impact, according to the NACD webinar poll. Forty-two percent of directors report that his administration will be good for business, while 42 percent are unsure about the impact, and still another 16 percent believe that a Trump presidency will not be good for business.
In this complex, uncertain environment, what can boards do to gain more comfort from management that risks are accurately identified and well-controlled?
The International Standards Organization in ISO 31000 defines risk as “the effect of uncertainty on objectives,” which can be a negative or positive deviation from what is expected. More specific to business, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is currently defining risk as “The possibility that events will occur and affect the achievement of strategy and business objectives.” Each of these definitions frames risk as exposing a company to potential loss—indeed, yet another definition of risk authored by insurance professionals highlights risk as the possibility of loss. Yet when viewed as part of an active business dynamic, risk, as daunting as its manifestations may be, is far more than the chance of loss. Rather, risk is a level of uncertainty that can create economic opportunity.
The recently released Director Essentials: Strengthening Risk Oversight identifies eight leading risk oversight actions that directors can take to seize opportunities and avoid the loss possibilities inherent to risk. A brief outline of each action and a key question boards should consider asking follows.
1.) Clarify the Roles of the Board, Committees, and Management. The board, all board committees, and all members of senior management need to know their unique roles in risk oversight. Without clarity on ownership of specific responsibilities, redundancies and lapses can occur.
The practice of role definition helps establish a clear mandate for risk oversight by the board and offers management a blueprint for the execution of risk management.
- Is there a common understanding among management, the board, and board committees about their respective roles, responsibilities, and accountabilities on strategy?
2.) Understand the Company’s Risk Profile. Especially in light of the new environment, all board members should be aware of the company’s key risk exposures, which collectively are referred to as the company’s risk profile. Oversight of any business requires understanding the major risks that it faces now and in the future, and making decisions accordingly. Although the universe of risks that a company faces may be almost limitless, a company’s risk profile is the composite (and analysis) of the most pressing risks that impact strategy and reputation.
- What are the strategic assets we must protect at any cost? Are they at greater risk now?
3.) Define the Company’s Risk Appetite. Companies take risks in order to grow and compete in the marketplace, yet they need parameters for how much risk they are willing to accept. The board plays a critical role in defining the boundaries of risk for the company.
- Given our risk profile, strategy, and the uncertainty surrounding the current business environment, what risk appetite should our company have? Have we clearly cascaded our risk appetite into decision-making processes at the level of operations?
4.) Integrate Strategy, Risk, and Performance Discussions. All too often, risk and business performance assessments are divorced from the strategy process in the organization. These silos increase the likelihood of poor, costly decisions.
- When we discuss strategy in this evolving environment, how do we consider both risks to the strategy and the risks inherent in our chosen strategy?
5.) Ensure Transparent and Dynamic Risk Reporting. Risk reporting must reach the right people with the right information. Reports should not be limited to the metrics mandated by external disclosure rules—they should include all the information the board needs to assess the company’s risk exposure. Similarly, reporting should be dynamic, taking into consideration the velocity with which existing risks change or new risks emerge.
- What is the threshold for risk-related reporting to the board (e.g., categories of risk, specific issues or incidents)? What situations may call for greater board engagement (e.g., perceived management failure to disclose or address a critical risk)? Do we have a protocol that defines these situations?
6.) Reinforce Clear Accountability for Risk. The management of risk in today’s often-extended enterprise is complex, with executive teams typically transferring ownership of risks to specialist functions. But examination of recent risk disasters reveals that diffuse accountability for risk management is a major problem.
- As we reward our executives, do we take into account their ability to anticipate and manage risk? Are accountability for and performance in managing risks effectively embedded in incentive structures at all levels of the organization? How far down the reporting chain do our incentives for risk management excellence go?
7.) Verify That Mitigation Reduces Risk Exposure. The success or failure of risk mitigation is often underreported, leaving boards with a limited understanding of whether or not risks are effectively minimized over time.
- Do we clearly differentiate between risks that can and cannot be mitigated? Are our mitigation plans realistic? Do we understand that mitigation does not mean elimination? Have we clearly communicated our expectations for reporting on risk mitigation?
8.) Assess Risk Culture. Culture is often described as how work really gets done when no one is looking, and it is critical to ensuring a successful and sustainable strategy. More specifically, risk culture is a critical subset of overall corporate culture, defined as the behavioral norms inside a company that drive both individual and collective risk decisions. A well-balanced risk culture can unleash innovation and deter fraud and abuse.
- Do we have a culture in which staff at all levels know what risks to take and what risks to avoid? How willing are employees to speak up about problems that can cause significant risk to the organization?
By adopting the above eight practices, directors can help their companies prepare for risks in 2017 and beyond.
For more NACD insight and support on board risk oversight, please visit our Risk Oversight Resource Center.
This is an excellent piece any day. I need some clarity in respect of assigning certain risks to the Board Audit Committee. I know too well that Audit [internal and external] has responsibility for auditing the risk function/process. To that end, it would amount, for me, to a breach of its independence if audit is assigned certain risks to manage and/or oversee, no matter the urge.