Topics: Risk Management
July 25, 2018
What keeps you up at night? If you’re a corporate director, the answer to that question could be related to the risks your company faces—either the risks you’re aware of, those buried deep in a board book that haven’t emerged as major threats, or the risks that the board is totally unaware of.
Getting the right risk information at the right time is important, but only 29 percent of respondents to the 2017–2018 NACD Public Company Governance Survey indicated that their boards reviewed the effectiveness of their company’s risk information flow. How this information makes its way to the board is only part of the risk oversight picture, however. (Learn more about the role of general counsel in risk oversight and board oversight of a company’s risk culture.)
Just as important as the flow of risk information is the generation of insights relating to that information. To address this issue, the NACD, PwC, and global law firm Sidley Austin cohosted a meeting of the NACD Advisory Council on Risk Oversight—comprising Fortune 500 company risk or audit committee chairs—on April 25, 2018, in Washington, D.C. The meeting was held using a modified version of the Chatham House Rule, under which participants’ quotes (italicized below) are not attributed to those individuals or their organizations, with the exception of cohosts. A list of attendees’ names is available online.
Several key takeaways emerged from the meeting:
Directors should demand open, frequent communications—not surprises.
“You never want to be surprised,” one director said. “I ask management, ‘what are the issues you’re worried about, and what do we need to do about it?’ Constant communication is critical.”
In fact, when public company directors responding to NACD’s Public Company Governance Survey were asked which risk oversight practices their boards had performed during the previous 12 months, 79 percent cited communicating with management about the types of risk information the board requires.
Participants at the council meeting observed that although it is important for the board and management to establish protocols about what information is escalated to the board and when, directors must emphasize that judgment is often more important than process.
“Risks always exist, but they can develop quickly, and not necessarily according to the board’s meeting schedule,” one director said. “I find comfort when management makes decisions about escalation that err on the side of earlier communication when things are in a gray zone.” Another director said, “We’ve experienced one or two issues that should have been brought to the board’s attention earlier. That’s caused us to revisit our escalation processes. These days, reputation and brand concerns might outweigh financial materiality thresholds.”
Practices shared by council members include:
Management should be specific about risks; tailoring risk reporting to the business can uncover important insights, especially when opinions differ.
Delegates agreed that directors should challenge management to ensure that the risk information reported to the board is specific.
“If the risks aren’t very specific and are things that would apply to any company, I don’t think that’s very effective,” one director said. “We have to set expectations that the board doesn’t want to see boilerplate risk lists; we want insights about risks in the context of our business and our company’s circumstances.”
Challenging the management team to get specific about risks can expose differences in perception that generate valuable information. Paula Loop, leader of PwC’s Governance Insights Center, shared a helpful practice for understanding how various groups within a company perceive business risks. “Ask members of the board, the senior executive team, and members of middle management to rank the organization’s top risks. Often, there will be fairly strong alignment between directors and senior management, but middle management may have a different view that can be eye-opening.”
Such exercises can raise questions and open up avenues for discussion about not only the risks themselves but also processes and culture: a meeting participant noted that if middle management has an understanding about a different risk, and that risk is not getting communicated up the chain of command, that can be problematic.
At one director’s company, “bringing different groups together to discuss risk issues was very powerful. We conducted surveys that asked people where they were from, and they voted anonymously [on perceived risks]. The U.S. employees thought they were fine, but that the global parts of the company were in trouble, and staff in global offices thought the real risk was in the U.S.”
Tone at the top matters when it comes to board-management interaction around risk oversight.
Insightful risk-related conversations between the board and management are undergirded by a healthy tone at the top—starting in the boardroom. “Directors need to be receptive to bad news and not punish the messenger,” one director said. For more in-depth recommendations on boardroom culture, see The Report of the NACD Blue Ribbon Commission on Culture as a Corporate Asset.
Meeting participants agreed that the board should set the expectation that the CEO and senior leadership are equally open to hearing about potential problems or emerging risk issues. They also emphasized the importance of intellectual curiosity as a characteristic of leaders who are able to successfully navigate risky and often volatile business environments: “We just went through a CEO succession plan, and we looked for someone who is able to stay up to date in a fast-moving environment,” one director said. “Our [candidate] questions have changed; they’re not only focused on experience and background. We want to know about how the individuals reacted in difficult situations and their personal approach to self-education and continuous learning.”
Boards should consider how their companies can take advantage of technology to gain more insight from risk information.
A council member pointed out, “Our entire conversation about risk is much more meaningful if we have reliable, quantitative data. Otherwise, it’s just qualitative information and directional [indicators]. How can we push management to be more specific [about risks]?” New technologies are assisting management teams and boards with the task of turning risk information into insight. But taking advantage of analytics tools and artificial intelligence, among other technologies, also can increase a company’s exposure to risk.
Seth D. Rosensweig, partner at PwC, said that companies’ use of data science should help directors think outside the box when it comes to risk. Rosensweig said he’s seeing more companies employ five key technologies: data analytics, robotic process automation, the cloud, blockchain, and artificial intelligence/machine learning. (Learn more about blockchain in the boardroom.)
He added, however, that there are challenges with using technology to enhance risk insight, particularly if a company implements a given technology but does not yet have the processes or controls in place to mitigate the risks associated with the technology, as well as the new data that may result from the analysis.
Questions directors can ask management include:
For Further Reading
Translating Risk Information Into Boardroom Insights