September 16, 2021
September 16, 2021
Improving risk oversight has been a top-three area of focus for most boards over the past decade, alongside improving risk information that management provides to the board. Effective risk oversight is only possible when the board has comprehensive, clear visibility on risks the organization is facing and taking, as well as its steps to mitigate and manage them.
Organizations have made efforts to improve their boards’ risk information, with 60 percent of directors in a 2020 survey agreeing that the quality of risk information had improved over the years. Yet, perennial challenges and frustrations remain. Directors are looking for risk-reporting improvements in terms of ease of interpretation and drawing conclusions; highlighting vulnerabilities, common risk drivers, and cumulative impacts on the organization; and capturing a forward-looking view.
Directors often face huge volumes of material—500 pages or more—to review, with metrics on organizational performance but limited clear information to guide decision-making and provide insights into the organization’s future. In addition, board agendas often do not allow enough time for dialogue or for exploring the implications of evolving risks and potential impacts.
Faced with these challenges, and drawing on lessons learned from pandemic-related events, many boards are looking to improve risk information, as highlighted in the Global Network of Director Institutes 2020-2021 Survey Report. These efforts are a step in the right direction and align with recommendations set out in recent NACD Blue Ribbon Commission reports, including Fit for the Future: An Urgent Imperative for Board Leadership and Adaptive Governance: Board Oversight of Disruptive Risk.
But for these initiatives to result in improved risk oversight, organizations must add one other critical factor: courage.
Boards must actively foster courage within senior leadership teams and their supporting risk functions. This will enable them to adopt new forms of risk analysis, bring forward issues in spite of incomplete data, and facilitate exploratory dialogue on issues for which there may not yet be a consensus. Courage is particularly necessary in the face of emerging, complex, and transformative risks that are seldom effectively captured in a risk dashboard, an annual risk register, or operational risk taxonomies. For such risks, teams may need to develop effective new risk indicators and metrics—for example, evolving metrics around an organization’s current and future environmental, social, and governance performance.
Courage must also extend to the boardroom. Directors must be willing to ask questions, challenge assumptions, and share dissenting views, even at the risk of disrupting a collegial atmosphere or displaying their lack of knowledge on a complex technical risk topic. In addition, boards must continue to expand the company’s range of sources for risk insights, including among management teams and different levels in the organization. Reflecting on evolutions in risk information, one director interviewed for the development of this article observed, “What has changed, more so than just the information, is how much more engaged you are with various people in the organization.”
Ultimately, the degree of courage in decision-making and discussions will reflect the organization’s culture, including the culture in the boardroom and among the management team. “The quality of the risk conversation at the board level will reflect the quality of the supporting risk processes,” noted one director.
There are four types of courage directors can actively support.
The quest for perfection frequently hinders agility and slows the development of decision-making information. Significant time and resources are often dedicated to perfecting analyses and forecasts. However, in many instances, estimates based on the partial data at hand (with assumptions to fill in the gaps) would be more helpful for decision-making.
This approach may require a major cultural shift for many management teams, especially when materials presented to the board and technical risk management teams focus on high-quality quantitative analysis. However, in a complex and ambiguous environment, perfect data or analysis is unlikely.
Boards can support the “right” level of analysis by asking for the best estimate and the level of confidence in the estimate. Often, analysis that is “good enough” enables decisions to be made sooner rather than waiting for perfect numbers. Further, discussing the assumptions behind an estimate can yield insights into risk drivers and a deeper understanding of the potential risk impacts across the organization.
As the old saying goes: “Great minds think alike, though fools seldom differ.” Leaders must assess how the management team and those reporting to it approach problems and support each other through constructive challenge and debate. One director Marsh McLennan spoke to for this article stressed, “Boards need to understand optionality and decision points and better understand how management came to their conclusions and which options were not selected.” However, when operating under pressure in complex, challenging times, people won’t always speak up and contradict their peers, never mind their leaders.
For this reason, it is critical to create an environment of psychological safety to avoid “groupthink” and give permission for disagreement and constructive dissent as part of a healthy risk culture. Boards should encourage mechanisms to challenge critical assumptions, underlying forecasts, or emerging risk assessments. These can include using war game exercises to test the strength of a new policy or decision or using red and blue teams to create and test alternative propositions.
Another mechanism is encouraging management teams and board members to appoint someone to play devil’s advocate and intentionally confront or question the assumptions of other group members (regardless of their own opinion). Boards can then explore with management where and why there were areas of disagreement and spark more productive dialogue on critical matters.
Stress, environmental complexity, and heavy workloads all drain management’s ability to innovate or think of the big picture. But paradoxically, when stakes are high and time is limited, it is vital to pause to broaden perspectives by reflecting and thinking. As one director advised, “Risk processes are important, but don’t suspend peripheral vision, intuitive thinking, and a deeper inquiry from a different angle.”
Boards and management teams need to consider the board agenda and leave time for reflective thinking and brainstorming. They must formally schedule time to probe and consider, for example: What has been missed? What might go wrong? What new risks might arise? What have we not thought of?
As one director said, “You want a degree of inefficiency with risk discussions to allow time for worst-case evaluations.”
Mistakes follow (and can generate) new processes and innovation. Sometimes, the fear of making mistakes can lead to overly conservative behaviors or a reluctance to innovate or experiment. This is particularly evident in heavily regulated industries (such as financial services or health care) with strict risk and compliance standards and reporting requirements. Instilling and supporting a culture of learning and the courage to constantly improve is vital to robust risk dialogues.
Boards and senior leadership teams need to emphasize learning over finger-pointing. When people inevitably make honest mistakes, boards should encourage risk teams to review, explore, and learn from the mistakes to identify opportunities for improvement. How can the team better challenge underlying assumptions on the trajectory of risk drivers? How can the organization better detect risk warning signs?
If the events of 2020 and 2021 are a sign of the decade ahead, the risk environment will remain complex and challenging, and effective boardroom risk dialogue will be more vital than ever.
Directors must work with management teams to continue improving risk data and dashboards. More importantly, boards must actively build a corporate culture of courage that supports robust analysis and risk information.
Michelle Daisley is a partner in Oliver Wyman’s Organizational Effectiveness practice, with a focus on corporate governance and risk organization. Lucy Nottingham is a research director with Marsh McLennan, concentrating on risk governance and enterprise risk management.
Marsh McLennan and NACD thank the following NACD members for sharing their insights for the development of this article: Anthony Anderson, Sam Di Piazza, Roy Dunbar, Cynthia Jamison, Shelley Leibowitz, Sara Mathew, Jan Tighe, and Suzanne Vautrinot.
NACD: Tools and resources to help guide you in unpredictable times.