Tag Archive: Risk Management

The Strategic-Asset General Counsel

Published by
Kimberly Simpson

In June, NACD convened general counsels (GCs) from across the country for a one-day meeting in New York City on the role of the GC in supporting boards of directors. Program panels consisted of directors, GCs, and subject-matter experts on legal issues affecting board decision making.

The Evolving Role of the GC

According to Richard D. Buchband, senior vice president, GC, and secretary for ManpowerGroup, the GC must clear the way for the board to focus on strategic matters. Though each company is different, long past are the days when the GC’s role was to take minutes in the corner of the boardroom.

A clue to how a general counsel will be perceived in any given company may be found in the interview process, when a candidate should take note of whether board members participate. Also, in assessing how the board will utilize the GC, a candidate or sitting GC should be aware of whether board members hail from countries in which the GC traditionally takes a smaller role, reporting not to the CEO but to the CFO, according to Yvonne E. Schlaeppi, director for Stallergenes Greer and former GC for several companies, including Johnson Controls Europe.

Once connected to the board, the general counsel can be of value for many facets of the enterprise, leveraging his or her unique position in the organization to assimilate information and data from across the business. Several suggested that the general counsel should always offer a recommendation when providing input to the board. In fact, judgment is a critical part of what a GC offers the board. “The crux of a GC being a strategic advisor to the board is having your good judgment on the complex mix of puzzles which general counsels deal with all the time—including commercial, legal, and people challenges—recognized and valued,” said Schlaeppi.

Further, the career of Robert Bostrom, senior vice president, GC, and corporate secretary for Abercrombie & Fitch Co., illustrates how the general counsel can be the glue for an organization in turmoil. During a prior role as general counsel at Freddie Mac, he saw several CEOs and CFOs come and go around the time of the 2008 financial crisis and when the government appointed a conservator. Today, Bostrom co-chairs Abercrombie’s enterprise risk management group and leads the organization’s crisis management team, taking point on risks affecting the company’s reputation.

Moving the Board Forward

Of course, given that the GC is often the most knowledgeable person about issues of corporate governance, the GC brings tremendous value by providing advice and counseling on governance matters. Gillian A. Hobson, partner, capital markets and mergers & acquisitions at Vinson & Elkins, pointed out that such governance matters include issues such as independence, diversity, proxy access and others outlined in Commonsense Corporate Governance Principles, published in 2016 by a group of leading executives and investors. In addition, in order to move a board forward, the general counsel has a number of specific tools at his or her disposal. The general counsel can:

  • Suggest formats for a board evaluation and skills matrix;
  • Bring outside information (such as NACD’s Blue Ribbon Commission Reports) and outside perspectives (such as those from ISS, BlackRock and others) to the board; or
  • Develop relationships with board members, including board leadership and more progressive board members.

William E. McCracken, director for MDU Resources Group and for NACD, suggested that when boards get “stuck,” the GC is in a “unique position to lift the board’s vision up to see what else is happening out there.” Steven Epstein, corporate partner and co-head of mergers and acquisitions at Fried Frank, agreed. “The GC will be up to speed on the general M&A landscape and the latest thinking of the courts and will be well-positioned to combine that knowledge with the business objectives of the company, which is extremely valuable to the board.”

No Surprises and Keep It Short

Several times throughout the day, panelists espoused the best practice of imparting “no surprises” to the CEO or the board. For example, if the GC sets up lunch with a board member, Buchband suggests a check-in with the CEO after the meeting is set but before the lunch takes place. “I ask the CEO if there are any issues he would like me to raise or discuss,” said Buchband. Keeping the board informed on matters affecting governance is equally important.

Also, all panelists reiterated how important it is for the GC to keep materials short and topline for the board. “We can be victims of our own desire to be thorough,” noted Buchband.

Enterprise Risk Management and Compliance Make the GC’s Job Easier

The role of risk assessment is not to avoid all risk, but rather to identify and manage risk, said George J. Terwilliger III, partner at McGuire Woods. In fact, Bostrom noted that enterprise risk management at Abercrombie helps him and the company prioritize risks. If a risk rises to the top, then a cross-functional, high-level team has agreed that it should be there, and he doesn’t have to champion the cause as a lone voice.

Daniel Trujillo, senior vice president and chief ethics and compliance officer for Wal-Mart International, stressed that a culture of compliance must start at the top. A program must then be implemented that is effective, consistent, data driven, efficient and sustainable. Terwilliger echoed that compliance has to be part of the fabric of the company, with the compliance council acting as a convener rather than as “internal police.” Today, predictive analytics help Trujillo’s team spot trouble early at Walmart, at the country or even the store level.

Consider Cross-Border Complexities

Just as Wal-Mart operates globally, so too do companies like Abercrombie. David H. Kistenbroker, global co-head of white collar and securities litigation at Dechert, reminded the audience to consider cross-border complexities when advising the board. Long-arm statutes in the United States and United Kingdom can impact deals all over the world. Due to such complexities, the GC is in a unique position to be a strategic asset to companies operating globally, especially where board members are all based in the United States.

NACD would like to thank the panelists for sharing their experiences with attendees, and these generous sponsors for their support of the event: Dechert, Fried Frank, KPMG, and Vinson & Elkins.


Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.

Managing the Effects of Short-Termism on Risk Oversight

Published by
Jim DeLoach

The complexities surrounding short-termism make it a tough nut to crack. Short-termism in this instance refers to a focus on short-term company performance results to the detriment of achieving long-term strategic goals. But in all its forms, short-termism is not sustainable in a rapidly changing world. That’s why directors need to ensure that the organizations they govern seek a healthy balance in addressing short- and long-term interests of the organization’s senior executives and stakeholders.

Short-termism is certainly not a new concept. In a recent survey of more than 600 public company directors and governance professionals conducted by NACD, 75 percent of respondents indicated that pressure from external sources to make short-term gains is compromising management’s focus on long-term strategic goals. This pressure can affect the board’s risk oversight.

Short-termism manifests itself in many ways. The more common example is focusing on quarterly earnings at the expense of funding long-term sustainable growth. But it can also lead to the pursuit of several risky activities, including: M&A deals for growth’s sake without clear linkage to the overall corporate strategy; releasing new products to market without sufficient testing; allowing cost and schedule considerations to undermine safety on significant projects (e.g., deferring maintenance or taking risky shortcuts); and taking on excessive leverage to pursue activities that are currently generating attractive returns.

Underlying the evidence of short-termism is a complex series of root causes. Globalization, technological developments, improved transparency, and reduced transaction costs have facilitated capital flows, enabling investors to reallocate their assets to seek higher yields with greater ease. Hedge funds and other activist shareholders are also acquiring small stakes in a company with the objective of steering profits to shareholders immediately (through higher dividends, stock buybacks, asset spinoffs, or downsizing in lieu of investing in innovation that will improve productivity and drive future growth, for instance). Still another cause is the existence of compensation structures emphasizing executive pay over the near term to the detriment of long-term shareholder interests. These compensation models skew management’s decision-making toward maximizing short-term profits even at the cost of taking on excessive risk.

Following are six concrete steps the board can take to ensure short-termism does not compromise risk oversight:

1. Focus the board’s oversight on risks that matter. If risk management is focused primarily on operational matters, chances are management is not focusing attention on the right question: Do we know what we don’t know? To face the future confidently, both management and the board need to focus the risk assessment process on:

a. identifying and managing the critical enterprise risks that can impair the organization’s reputation, brand image, and enterprise value; and
b. recognizing emerging risks looming on the horizon on a timely basis.

Even though the day-to-day risks of managing the business are important, they should not command the board’s risk oversight focus except when truly pressing issues arise.

2. Lengthen the time horizon used to assess risk. Focusing on quarterly performance, annual budgets, and business plans may lead to a risk assessment horizon of no more than three years. That period may be too limiting because strategic opportunities and risks typically have a longer horizon—even with the constant pressure of disruptive change on business models. For example, the World Economic Forum uses a 10-year horizon in its annual risk study. Longer risk-assessment horizons are more likely to surface emerging issues, along with new plausible and extreme scenarios, that might have been missed with a shorter time frame. Thus, the board needs to satisfy itself that management is using an appropriate horizon.

3. Understand and evaluate strategic assumptions. Management’s “worldview” for the duration of the strategic planning horizon is reflected in assumptions about several topics: the enterprise’s capabilities; competitor capabilities and propensity to act; customer preferences; technological trends; capital availability; and regulatory trends, among other things. Directors should weigh in on management’s assumptions underlying the strategy. Doing so could reveal insights into the external environment and internal operating impacts that could invalidate the critical assumptions underlying the strategy. This is a useful approach to understanding sources of disruptive change.

4. Integrate risk and risk management with what matters. Short-termism can render risk an afterthought in the formulation of strategy. Risk management similarly can become a mere appendage to performance management. The strategy, therefore, may be unrealistic and may involve taking on excessive risk. In addition, performance management may be overly focused on retrospective, backward-looking lag metrics. The board should ensure the strategy-setting process considers risks arising from strategic alternatives, risks to executing the strategy, and the potential for the strategy to be out of alignment with the organization’s mission and values. Directors also should insist that prospective, forward-looking leading metrics be used to complement the more traditional metrics used to manage the day-to-day business operations.

5. Watch out for compensation imbalances. Publicly listed companies on U.S. exchanges are required to disclose in the proxy statement whether the company’s system of incentives could lead to unacceptably risky decision-making in the pursuit of near-term rewards. The compensation committee typically conducts a review for excessive risk-taking in conjunction with its oversight of the compensation structure. Board concerns with respect to short-termism are a red flag for the compensation committee to sharpen its focus on the potential for troubling compensation issues that could lead to bet-the-farm behavior. A key question: Do key executives have sufficient “skin in the game” so they will be incented to take risks prudently in the pursuit of value-creating opportunities?

6. Pay attention to the culture. Short-termism can contribute to a dysfunctional environment that warrants vigilant board oversight. For example, management may continue to execute the same business model regardless of whether market conditions invalidate the underlying strategic assumptions. Also, operating units and process owners may be fixated on making artificial moves (e.g., deferring investments) and manipulating processes (e.g., cutting costs to the bone) to achieve short-term financial targets. Instead, the strategy should be focused on fulfilling customer expectations and enhancing the customer experience by improving process effectiveness and efficiency. These and other red flags warrant the board’s attention because they signal the possibility of unacceptable risk-taking that must be addressed.

If short-termism is a concern of the board, directors need to ensure their risk oversight process isn’t compromised by it. A strong focus on linking risk and opportunity can help overcome some of the “blind spots” that a myopic, short-term outlook can create.


Jim DeLoach is managing director of Protiviti. 

Ten Practices for Improving the Risk Assessment Process

Published by
Jim DeLoach

Effective risk assessment is fundamental to the management and oversight of risk. While the risk assessment process must be tailored to the individual needs of each organization, the hallmark of a successful risk assessment is one that helps directors and executive management identify emerging risks and face the future confidently. Rather than shuffle “known knowns” around on a risk map, a risk assessment should help decision makers understand what they don’t know.

To that end, 10 practices are summarized below that will help management and directors maximize the value derived from the risk assessment process.

1. Involve the appropriate people. Surveys we have conducted over the years indicate, without exception, that viewpoints and perspectives about risk often differ across a broad range of senior executives, operating units, and functional leaders. Therefore, it is important to involve appropriate stakeholders across the C-suite and vertically into the organization in the risk assessment process to ensure relevant points of view are heard.

2. Reduce the danger of groupthink. The risk assessment process should encourage an open, positive dialogue among key executives and stakeholders for identifying and evaluating opportunities and risks. As a safeguard against executives forming opinions or reaching conclusions without robust debate or considering dissenting views, management should ensure that all perspectives are heard from the right sources and considered in the process. Accordingly, anything an executive truly fears should be out in the open and any concerns about opportunities missed should be aired. The board should set the tone for this kind of open process.

3. Focus comprehensively on the distinctive dimensions of strategic risk. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), there are three dimensions to strategic risk: the implications from the strategy; the possibility of strategy not aligning with an organization’s mission, vision and core values; and the risks to executing the strategy. All three dimensions need to be addressed if the company expects to avoid unintended consequences that could lead to lost opportunities or an unacceptable loss of enterprise value.

4. Understand the assumptions underlying the strategy. Boards and executives that are navigating the risk assessment process should consider how the organization’s strategy and risk appetite work in tandem, and how they will drive behavior across the organization in setting objectives, allocating resources, and making key decisions. Are risks evaluated in the context of their impact on the organization’s strategy and operations? Is adequate consideration given to macroeconomic issues? Is there a business intelligence process for monitoring the environment to ensure that critical assumptions remain valid? Is the board informed when assumptions are no longer valid? Are strategic assumptions stress-tested?

5. Consider the impact of disruptive change. The rapid pace of change in the global business environment is risky for entities of all types. Change alters risk profiles. The unique aspect of disruptive change is that it represents a choice: On which side of the change curve does an organization want to be? With the speed of change and constant advances in technology, rapid and innovative responses to new market opportunities and emerging risks can be a major source of competitive advantage. Conversely, failure to remain abreast or ahead of the change curve can place an organization in a position of becoming captive to events rather than charting its own course. The risk assessment process must be dynamic enough to account for significant change.

6. Consider appropriate criteria to assess “high impact, low likelihood” risks. When considering extreme risk scenarios, the operative question is: How resilient is our organization in the event one or more of these scenarios occurs? Velocity of the impact as the scenario evolves, persistence of the impact over time, and the entity’s response readiness are useful risk criteria to consider when answering this question.

7. Understand the sources of risk. One of the most difficult tasks in risk management is translating a risk assessment into actionable steps in the business plan. Risk owners often don’t know what to do to address significant risks based on risk assessments displayed on the traditional two-dimensional graph. Accordingly, it may make sense to source the root causes of the most significant risks to better understand them and design more effective risk responses. Therefore, the process should be designed to identify patterns that connect potential interrelated risk events—risks that are not necessarily mutually exclusive.

8. Inform the board of the results in a timely manner. Directors should agree with management’s determination of the organization’s significant risks and incorporate those risks into the board’s risk oversight process. In addition, significant risk issues warranting combined attention by executive management and the board should be escalated to directors’ attention in a timely manner. A process for identifying emerging risks should be in place to supplement the ongoing risk assessment process.

9. Integrate risk considerations into decision-making. As important as the risk assessment process is, it may be just as important to consider the impact of major decisions on the organization’s risk profile. If risk is understood to be the distribution of possible outcomes over a given time horizon due to changes in key underlying variables, it should be noted that major decisions either create new or different outcomes, some of which may be unintended, or alter previously considered outcomes. Significant decisions, therefore, should involve the board’s understanding of the organization’s appetite for risk and consider how those decisions impact the entity’s risk profile.

10. Never end with just a list. Following completion of a formal or informal risk assessment, management should designate the appropriate risk owners for newly identified risks so that appropriate responses and accountability structures can be designed for their execution. “Enterprise list management” is aimless, loses its novelty over time, and can lead to trouble if risks are identified and nothing is done to address them.

An effective risk assessment process lays the foundation for executives and directors to navigate a changing business environment with confidence. The above practices can assist organizations in defining their most important risks and enable the board to ensure that its risk oversight is appropriately focused.


Jim DeLoach is managing director of Protiviti.