Topics: Audit and Risk, Board Evaluations, Risk Management, Strategy

September 2, 2021

Effective Risk Oversight Demands Board Structure Evolution

The tumultuous events of 2020 and 2021—including the COVID-19 pandemic, a growing focus on environmental, social, and governance (ESG) issues, supply chain disruptions, record levels of deal-making, and evolving cyberattacks—present unique challenges and risks for organizations. Unsurprisingly, in the Global Network of Director Institutes (GNDI) 2020-2021 Survey Report, directors reported that risk management oversight is a top-four governance area impacted by the events of 2020. In many ways, the past year and a half have been a stress test for risk oversight structures and processes.  

While the core principles of effective risk oversight remain (see, for example, the 2009 Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward, or the US Federal Reserve’s SR 21-3/CA 21-1: Supervisory Guidance on Board of Directors’ Effectiveness), over the past few years, there have been reassessments of how boards implement these principles and whether the current structure and processes of the board and its committees are “fit for purpose” to respond to an expanding risk agenda. Indeed, 34 percent of respondents to the GNDI survey noted that their boards are planning to alter their operating models, including through changes to the committee structure.

Additional research and interviews with directors identified five ways that board structure is adapting to more effectively oversee risk. While these realities began to take shape over the past few years, recent events have expedited the shifts and increased their importance.

1. The full board must address the intersection of strategy and risk. The COVID-19 crisis and other events of the past 18 months emphasized that discussions and decisions around the intersection of strategy, risk, and opportunity are a full-board sport. These discussions cannot be delegated to a committee alone and need all directors’ wide-ranging insights and experience. This is especially true for emerging and transformative risks that may be challenging organizations, and arguably even more important when an organization is looking to create value in the current business environment marked by high merger and acquisition activity and megadeals.

The pandemic and its impacts have highlighted the benefits and limitations of current board risk-oversight structures. In general, boards do distribute risk oversight across committees. While this distributed structure enables adequate oversight of risk categories or verticals, it does not support integrated discussions that take a horizontal view across the organization, which is necessary to address strategic risks.

Discussions around strategy, options, and attendant risks must consider the interconnections of external and internal risk drivers and their potential impacts in various scenarios. These require the entire board’s input, especially as organizations face expanding risk agendas that include climate change and the corporation’s role in society.

2. Board-level risk committees have appeared but remain concentrated in highly regulated industries. Board risk oversight grew significantly following the 2008 financial crisis and the passage of the 2010 Dodd-Frank Act that required some non-bank financial companies and certain publicly traded bank holding companies to establish a board-level risk committee. This led some organizations outside of financial services to consider a board risk committee, as well. About 9 percent of organizations in the Russell 3000 now have a board risk committee.

But despite the expanding scale, pace, and scope of the risk environment, it is unlikely that there will be a significant increase in board-level risk committees as a mechanism to manage the growing board oversight role. Risk committees will remain concentrated in highly regulated industries such as financial services and health care, or capital-intensive industries such as the energy sector. In these sectors, the risk committee enables effective oversight of closely intertwined governance, risk, and compliance frameworks.

For boards with risk committees, directors interviewed by Marsh McLennan noted that the committee was essential to supporting the board in providing deep dives on specific issues, such as organizational liquidity, during the COVID-19 crisis. However, boards with a risk committee can face two challenges. In some instances, the risk committee portfolio can become full and unmanageable, with a wide array of topics construed as risk. In such cases, it can be hard to discern the most important risks to focus on. In others, the committee tends to focus on silos of specific risk, such as financial risk, and may not be able to integrate risk issues across critical strategic decisions.

Interviewed directors also described the key attributes of risk committee members. “On a risk committee especially, you want practical, decisive good judgment.” Cross-industry and hands-on experience of managing through a crisis is valuable, as well. Directors noted that specific industry experience is not necessary to being effective on the risk committee, apart from experience in the banking sector, where deep expertise is vital.

3. Committee specialization is essential to overseeing the expanding risk agenda. While full board input is vital to strategic risk oversight, board committees are critical to fulfilling fiduciary and expanding oversight duties and enable a necessary focus on strategy and risk. “It is increasingly vital that the committees are highly productive to allow more full board time for strategic discussions around opportunities and risks,” one director noted.

Committee specialization means that the board can divide and conquer specific issues. The audit committee, for example, focuses on an organization’s internal control and risk management approaches, whereas the compensation committee considers risks involved with executive compensation. Committee charters must be aligned to avoid redundant risk oversight activities.

An efficient committee structure allows boards to schedule more time on the full-board agenda for higher-level exploratory risk discussions.

4. New board committees are being developed to focus on evolving risks. Although few companies may adopt a board-level risk committee, a growing number of organizations are establishing committees focused on evolving or transformative issues that are closely linked to organizational strategy. Recent NACD data show that about 5.5 percent of boards have technology committees, about 2 percent have ESG committees, and 1.2 percent have cyber committees. One director observed that “a good board evaluates its committee structure every year and evaluates how it fits with the business model and whether there should be adjustments.”

New committees are established to ensure the issues receive regular and sufficient board input. In the future, we can expect to see risk oversight distributed across a broader range of board committees as boards structure themselves to reflect changing organizational needs. As one director noted, “There seems to be little consistency in committee structure and risk responsibilities across companies. My guiding principle would be ‘Do the least that buys you the most.’ This ensures the board is not hampered by processes that are not productive.”

5. The board must continuously revise committee charters to reflect evolving risks. Many organizations are also evolving the charters of existing and traditional board committees to reflect a necessary refocus of each committee’s mandate. In one case study, an organization transformed the audit committee into the audit and risk committee and codified a broader set of responsibilities, including conducting a forward-looking risk assessment, for the group. This incremental expansion of structure and responsibilities significantly impacted the board’s approach to risk oversight, shifting the discussion to be more future-focused.

Other organizations are expanding the charter of the nominating and governance committee to provide oversight of their ESG strategy and performance. Some companies are incorporating this responsibility into the compensation committee’s mandate or are refocusing existing corporate social responsibility committees as ESG committees. Meanwhile, certain compensation committees are refocusing their mandates to be compensation and human resource committees to focus on organization-wide people risks.

One director summed up their risk oversight role as this: “to create the environment that increases the intensity on risk, opportunity, and strategy.” Evolving committee structures, enhanced risk information, and board agility will be crucial for overseeing the expanding risk agenda and identifying opportunities for success.

Mark Pellerin is a partner and Americas head of energy and natural resources at Oliver Wyman, and a board member of Right To Play USA. Til Schuermann is a partner and cohead of Oliver Wyman’s finance and risk, Americas practice and a board member of Corridor Platforms and the Social Science Research Council.

Marsh McLennan and NACD thank the following NACD members for sharing their insights for the development of this article: Anthony Anderson, Sam Di Piazza, Roy Dunbar, Cynthia Jamison, Shelley Leibowitz, Sara Mathew, Jan Tighe, and Suzanne Vautrinot.


Nir Kossovsky, September 07, 2021

ESG is the new kid on the block of risks. It is unique in that it is largely a product of corporate promises: an own goal. Boards tacitly supported ESG pronouncements that created stakeholder expectations and a reputation premium. It is the risk of disappointment—manifesting in activism, litigation, and regulatory opprobrium—that most boards find difficult to oversee. That’s because the paradigm for understanding this family of perils called reputation risk is heavily weighted towards compliance or communications. Neither is very good at discerning the full scope of stakeholder expectations of what is mission-critical to the firm. The better paradigm for overseeing ESG risk is overseeing enterprise reputation risk management.