Sharpen Your Board’s Risk Oversight Process

A 2018 joint report prepared by NACD, Protiviti, and NC State’s Enterprise Risk Management (ERM) Initiative advanced the view that boards may not be overseeing the appropriate risks and outlined a road map for strengthening the board’s risk oversight in today’s complex and unpredictable marketplace.

As the business environment changes, so must the board’s risk oversight. As the pace of change quickens and the stakes for “getting it right” increase, a question arises: Is our board risk oversight process still fit for purpose?

Below is a refresher of four points from the report’s road map that continue to apply today.

1. Revisit the board’s risk governance model and director skill sets. Depending on the nature of the enterprise’s risks and the extent of the expected change in its risk profile over time, the board should assess whether it has access to the requisite expertise and experience needed to provide appropriate oversight—either on the board itself or among its external advisers. For example, with digital disruption affecting many businesses, do directors have sufficient understanding of digital business models, digital ecosystems, and the potential that hyperscaling digital platforms has to facilitate rapid growth and reinvent the company’s business model? These are trends that bring both opportunity and risk to the business, and understanding them is essential to sound oversight. In addition, the board should rethink how it organizes itself for risk oversight, including the delineation of responsibilities among its various committees and the full board.

2. Make culture an enterprise asset as well as an oversight priority. Culture is almost always the source of reputation and financial performance outcomes, as it is a potent source of strength or weakness for an organization. A strong culture is a critical asset for any brand. It is of vital importance to both a differentiating strategy and superior performance. Accordingly, the board should expect management to understand the culture at lower levels of the organization, and whether the mood in the middle and the tone at the top are aligned. Concerns that this topic may be “too soft” for objective assessment should not distract the board’s focus on the real question:

Does the CEO really want to know the unvarnished truth about people’s perceptions across the entity, and is he or she prepared to act on that knowledge?

A “speak up” culture that encourages transparency and sharing of contrarian data and bad news entails convincing employees that they can indeed speak up without fear of repercussions to their careers or compensation. Anonymous and confidential surveys are an example of how executive management can learn what they need to know. Metrics addressing such things as mission and values alignment, innovation, resiliency (speed), collaboration, and employee satisfaction also offer insights regarding culture. Candid, open, and constructive board and management interactions should prioritize the tough questions on directors’ minds.

3. Focus on the quality of the risk management process. Given the pace of change experienced in the industry and the nature and relative riskiness of the organization’s operations, does the board understand the quality of the process informing its risk oversight? For example, how much manual effort is required by management and various board-reporting departments to generate the reports used in board meetings? How actionable is the entity’s risk information for decision-making? These and other questions focus on how mature and robust the risk management process is and whether it is effective in:

• Delineating the critical enterprise risks from the day-to-day risks of managing the business;
• Establishing accountability for results;
• Fostering an open dialogue to identify and evaluate opportunities and risks; and
• Informing key decision-making processes with current, reliable information.

4. Ensure management integrates risk considerations into strategy, performance, and decision-making. The unique aspect regarding exposure to disruptive change is that it presents a choice: On which side of the change curve do organizations want to be? Organizations must make a conscious decision about whether they are going to be the disrupter and try to lead as a transformer of the industry, or whether they are going to play a waiting game, monitor the competitive landscape, and react appropriately and in a timely manneras an agile follower to defend their market share.

These market realities strongly suggest that the board should ground its risk oversight with a solid understanding of the enterprise’s key strategic drivers and management’s significant assumptions underlying the strategy and risk appetite. Directors need to ensure that risk oversight and management are not appendages to strategy-setting, performance management, and decision-making, but contribute information and insights relevant to the success of these core processes.

We encourage everyone to read the joint report from 2018. Boards should take a fresh look at how they are approaching risk oversight, including how the company’s ERM is informing that oversight. With risk management practices for many industries largely rooted in the prior century, the big question is:

Are we prepared to improve our risk management and risk oversight, or do we face the challenges of the next 10 years in the digital age with what we’ve been doing over the past 10 years?

The nature, velocity, and persistence of risks have changed. Consequently, it’s time for boards to revisit their governance model and skill sets and refresh the focus of their risk oversight.

Jim DeLoach is managing director of Protiviti.