Tag Archive: risk appetite

Help Your Company to Face Its Future Confidently

Published by
Jim DeLoach


The uncertainty of looking to the future presses boards to consider how confident their senior executives and supporting teams are in executing strategy. How can the board help the companies they oversee to face the future with a greater sense of confidence?

Confidence is neither a cliché nor an assertion of mere optimism. Rather, it is a quality that drives leaders and their companies forward. The Oxford English Dictionary defines confidence as “the state of feeling certain about the truth of something” and “a feeling of self-assurance arising from one’s appreciation of one’s own abilities or qualities.” This definition focuses on the board and management’s appreciation of the collective capabilities of the enterprise, including the ability to carry out a company’s vision. It raises three fundamental questions:

  • Do we know where we’re going directionally and why? Are our people committed to achieving a common vision that is clearly articulated, meaningful, and aspirational?
  • Are we prepared for the journey? Does our staff have the capabilities to execute our strategy? Do we have a great team, a strong roadmap, and the required processes, systems and alliances, and sufficient resources to sustain our journey?
  • Do we possess the ability, will, and discipline to cope with change along the way, no matter what happens? Does our board have the mental toughness to stay on course? Is our management team agile and adaptive enough to recognize market opportunities and emerging risks, and capitalize on, endure, or overcome them by making timely adjustments to strategy and capabilities?

Definitive, positive responses to these questions from the board will enable confidence across the organization.

Looking back on experiences working with successful companies, we identified seven attributes that organizations must have when facing the uncertainty of future markets.

How to Build the Foundation for Confidence

  1. Confident organizations share commitment to a vision. Commitment to a vision provides a shared “future pull” that is both inspiring and motivating. This perspective fuels enterprise-wide focus and energy to learn, which encourages participation and altruistic camaraderie. An effective vision crafted by the board and executive team leads people at all levels of a company to recognize that the enterprise’s success and their personal success are inextricably linked.
  2. Confident organizations have a heightened awareness of the environment. A confident organization constantly reality-tests its market understanding by facilitating effective listening to customers, suppliers, employees, and other stakeholders. Boards should encourage companies to generate sources of new learning, encouraging systemic thinking in distilling and acting on the environmental feedback received, with the objective of driving continuous improvement. The confident organization fosters a culture of sharing and supports formal and informal continuous feedback loops to flatten the organization, get closer to the customer, and promote a preparedness mindset.
  3. Confident organizations align their required capabilities. It is a never-ending priority of the board to ensure that the right talent and capabilities are in place to achieve differentiation in the marketplace and execute strategies successfully. Capabilities include an enterprise’s superior know-how, innovative processes, proprietary systems, distinctive brands, collaborative cultures, and a unique set of supplier and customer relationships.

How to Sustain Confidence

Achieving a foundation of confidence is necessary, but alone is not enough without concerted efforts to sustain confidence. Astute directors and executives know that the ability, will, and discipline to cope with change are also needed to sustain their journey. Those winning traits are enabled by the attributes below.

  1. Confident organizations are risk-savvy. The confident organization is secure in the knowledge that it has considered all plausible risk scenarios, knows its breakpoint in the event of extreme scenarios, and has effective response plans in place (including plans to exit the strategy if circumstances warrant). Most importantly, the confident organization should have an effective early-warning capability in place to alert decision-makers of changes in the marketplace that affect the validity of critical strategic assumptions. In a truly confident organization, no idea or person is above challenge and contrarian views are welcomed.
  2. Confident organizations learn aggressively. Confident organizations improve their learning by: creating centers of excellence; embracing cutting-edge technology to drive the vision forward; fostering an open, transparent environment of ongoing knowledge sharing, networking, collaboration, and team learning; perceiving admission of errors as a strength and requiring learning from the missteps; and converting lessons learned into process improvements. Aggressive learning stimulates the collective genius of the entire enterprise.
  3. Confident organizations place a premium on creativity. Innovation should be an integral part of the corporate DNA of the confident company, and should be evidenced by setting accountability for results with innovation-focused metrics at the organizational, process, and individual levels to encourage and reward creativity. Companies committed to innovation have the creative capacity to take advantage of market opportunities and respond to emerging risks. When innovation is a strategic imperative, companies empower and reward their employees to take the appropriate risks to realize new ideas without encumbering them with the fear of repercussions if they aren’t successful.
  4. Confident organizations are resilient. Confident organizations have adaptive processes supported by disciplined decision-making, and are committed to adapting early to continuous and disruptive change. They have the will to stay the course when the going gets tough, and are prepared to act decisively to revise strategic plans in response to changing market realities. By building large capital reserves, having great relationships with their lenders, and cultivating trusting relationships with their customers, vendors and shareholders, they do not allow competitors to gain advantage. The strategies that their boards approve include triggers for contingency plans that directors and management will implement if certain predetermined events occur or conditions arise.

In summary, the speed of change continues to escalate, creating more uncertainty about future developments and outcomes. If there was ever a time for a board to assess an organization’s confidence, we believe it is now. It’s one thing to have a confident CEO, but if the people within the entity lack confidence, the organization itself may not have the creativity and resiliency needed to sustain a winning strategy.


Jim DeLoach is a managing director with Protiviti, a global consulting firm.

Six Principles for Improving Board Risk Reporting

Published by
Jim DeLoach


Board risk reporting is a subject of debate within many organizations as directors often consider reports to be too detailed or not actionable. Simply stated, risk reporting should enable the board and its respective committees to understand and govern the organization’s risks. To that end, here are six interrelated “board risk reporting principles” intended to foster reporting that focuses directors on the risks that matter and enables them to bring to bear their knowledge and expertise in ways that add and preserve enterprise value:

  1. Focus on critical enterprise risks and emerging risks. The critical enterprise risks represent the top risks that can threaten the company’s strategy, business model or viability and consequently warrant the most attention from the board’s risk oversight process. The board also needs to be mindful of emerging risks triggered by unanticipated and potentially disruptive events of varying velocity, ranging from catastrophic events—for example, a pandemic or hurricane—to existing risks accelerated by external and/or internal factors in unexpected ways, such as the impact of deteriorating underwriting standards or the demand for an endless supply of mortgage-backed securities on the subprime market that led up to the 2008 financial crisis.
  2. Address ongoing business management risks on an outlier basis. Every business has myriad operational, financial and compliance risks. For those risks that are not critical enterprise risks, risk reporting should be integrated with periodic status reports on line-of-business, product, geographic, functional, or program performance. Reports on these risks should also be triggered by the escalation of unusual matters that warrant immediate board attention, such as exceptions against established limits (i.e., limit breaches). The point is that reporting on the day-to-day risks should not be as frequent as reporting on the critical enterprise and emerging risks.
  3. Ensure risk reporting is linked to key business objectives. Realistic and measurable objectives support the organization’s overall strategy and business plan. Risks related to those objectives may impact the organization’s ability to achieve those objectives and execute the strategy and plan. The relevancy of risk reporting is more firmly established with directors when it is closely tied to strategic business plans and the critical objectives and initiatives management has communicated to them.
  4. Use risk reporting to advance dialogues around risk appetite. A winning strategy exploits the areas in which the organization excels relative to its competitors. The risk appetite statement serves as a guidepost for when a new market opportunity or significant risk emerges. Although dialogue around risk appetite has advanced at the board level over recent years, there is still plenty of room for improvement. Once executive management and the board agree on the drivers of—and strategic, operational, and financial parameters around—opportunity-seeking behavior, the resulting risk appetite statement is a reminder of the core risk strategy arising from the strategy-setting process. Risk reporting should call attention to the level of risk the organization is undertaking in the pursuit of value creation and disclose when conditions change and the agreed-upon parameters are approached or breached.
  5. Integrate risk reporting with performance reporting. When stakeholders (e.g., owners of corporate, line-of-business, product, geographic, functional or program performance goals) report on performance to the board, they should also disclose the related key risks. Linking opportunity-seeking behavior and the related risks is important as it enables each stakeholder reporting to the board to engage in a dialogue with directors on: the underlying risks and assumptions inherent in executing the strategy and achieving performance targets; the “hard spots” (i.e., the aspects of the plan that are well within reach to be achieved) and “soft spots” (i.e., the riskier parts of the plan) inherent in the performance plan; the implications of changes in the business environment on the core assumptions and desired risk levels underlying the strategy; and the effectiveness of risk management capabilities. The effectiveness with which risk reporting is integrated with performance reporting is a powerful indicator of the enterprise’s risk culture. If risk reporting is an appendage to performance reporting, risk is more likely to receive limited board agenda time.
  6. Report on whether changes in the external environment affect the critical assumptions underlying the strategy. Risk reporting should provide insights as to whether executive management’s assumptions about markets, customers, competition, technology, regulations, commodity prices and other external factors remain valid. Reporting should focus on whether changes in these environmental factors have occurred, which could alter the fundamentals underlying the business model. Boards place high value on “early warning” capability.

The above principles are not intended to prescribe specific reporting practices, but rather offer sound direction for the board and management to pursue in improving the substance and content of the reporting.

Questions for Boards

The following are suggested questions that boards may consider, based on the risks inherent in the entity’s operations:

  • Does the board periodically evaluate the nature and frequency of management’s risk reporting?
  • Do directors work with management to agree on risk information the board and its committees require?
  • Is the board satisfied that both full board and board committee agendas allocate sufficient time to risk?
  • Do directors think they receive sufficient information on changing risks to avoid surprises?


Jim DeLoach is a managing director with Protiviti, a global consulting firm.

Who Is Trying to Eat Your Lunch?

Published by

Last year, NACD launched its fourth Advisory Council on Risk Oversight—the first of our councils not dedicated to a specific key board committee. In fact, less than 10 percent of public companies even have a committee dedicated to risk oversight. This advisory council was formed as the result of a simple observation: the responsibility of risk oversight has expanded significantly in the last several years. This council is not lacking for discussion topics—the nature of potential risks to an organization is evolving seemingly by the day. Directors need to know the strategies in place to not only mitigate but capitalize on the risks currently facing the company, and those predicted to present challenges in the future.

But that just accounts for what is on the board’s radar. At the second meeting of NACD’s Advisory Council on Risk Oversight held in collaboration with PwC and Gibson Dunn, the discussion went beyond current and predicted risks to the challenges of disruptive technologies and innovation. Increasingly, the most severe shocks have been largely unpredictable: extreme weather, the confluence of multiple events, or innovation that upturns the industry. As one delegate observed: “We haven’t spent much time on the [risk of] ‘I will eat your lunch with a completely different approach.’ Companies don’t sit down and think about who is going to attack from a completely different angle.”

In their oversight capacity, directors cannot constantly monitor the more detailed aspects of the business. Nor can “you anticipate what you don’t know.” Nevertheless, several delegates suggested that the appropriate risk oversight processes in place, coupled with a resilient culture that efficiently reports risks up to the board, can support directors in mitigating known and unknown risks. The meeting, captured in the 2013 Advisory Council on Risk Oversight Summary of Proceedings, focused on areas critical to effective risk oversight processes. These include:

  • Board processes and people. It is critical that the board not only has the right talent, but engages it fully. Directors should have a “real and thorough” understanding of the business to be able to effectively discuss both strategy and risk with management.
  • Recognizing asymmetric information risk. While the board has to be comfortable with the reality of information asymmetry, directors should establish tolerance levels for the level of asymmetric risk they are willing to bear, and look for signs of when this risk has become too high.
  • Engaging with management involved in risk reporting. For companies with a chief risk officer (CRO), that person can keep an “inventory” of risks throughout the organization. Additionally, directors can ask internal audit to identify what it believes will be “hot-button” risk areas.
  • Linking strategy to risk. The board’s oversight of risk should begin with an assessment of the company’s strategy and its inherent risks, which necessitates understanding and agreeing on the risk appetite, or the amount of risk the company is willing to accept.
  • Allocating the work of risk oversight. The significant increase in risks facing the board necessitates defining who will act as an “air traffic controller”—allocating risk oversight responsibilities.

Leading practices for risk oversight—including allocation of work and the development of a risk strategy document—will continue to be the focus points not only for this advisory council but also for NACD’s Directorship 2020 initiative.