This spring, members of the NACD Advisory Council on Risk Oversight convened in Washington, D.C., to discuss how boards can strengthen their dialogue with management on risk oversight. Participants—including Michael Hofmann, the former chief risk officer of Koch Industries and current director of Calpine—shared experiences, lessons learned, and effective approaches for embedding risk in board-level strategy dialogue. In that discussion, detailed in the meeting’s Summary of Proceedings, delegates focused on steps directors can take. They include:
Establish a clear definition of what “risk” means at the company: For management and the board to work together, they need to establish a shared definition of what risk means to the company.
Monitor the company-wide risk culture: Directors should ensure that the company has a culture that supports the discussion of risk throughout the entire organization and is seen as part of the company’s fabric.
Avoid the trap of false precision: Looking at only the expected return of a new business program or strategic move can restrict dialogue and lead to minimization of the potential downside.
Get out of the weeds by taking a deep dive: To help counteract the tendency of boards and management to focus on operational, regulatory, and financial reporting risks, many boards conduct an annual “deep dive” or “off-site” meeting. These meetings are dedicated to thinking about, understanding, and challenging assumptions of strategic moves and risks.
The Summary of Proceedings also investigates ways in which directors can and do incorporate these practices into their boards’ activities. NACD members can click here to access the full list of takeaways.
Last year, NACD launched its fourth Advisory Council on Risk Oversight—the first of our councils not dedicated to a specific key board committee. In fact, less than 10 percent of public companies even have a committee dedicated to risk oversight. This advisory council was formed as the result of a simple observation: the responsibility of risk oversight has expanded significantly in the last several years. This council is not lacking for discussion topics—the nature of potential risks to an organization is evolving seemingly by the day. Directors need to know the strategies in place to not only mitigate but capitalize on the risks currently facing the company, and those predicted to present challenges in the future.
But that just accounts for what is on the board’s radar. At the second meeting of NACD’s Advisory Council on Risk Oversight held in collaboration with PwC and Gibson Dunn, the discussion went beyond current and predicted risks to the challenges of disruptive technologies and innovation. Increasingly, the most severe shocks have been largely unpredictable: extreme weather, the confluence of multiple events, or innovation that upturns the industry. As one delegate observed: “We haven’t spent much time on the [risk of] ‘I will eat your lunch with a completely different approach.’ Companies don’t sit down and think about who is going to attack from a completely different angle.”
In their oversight capacity, directors cannot constantly monitor the more detailed aspects of the business. Nor can “you anticipate what you don’t know.” Nevertheless, several delegates suggested that having the appropriate risk oversight processes in place, coupled with a resilient culture that efficiently reports risks up to the board, can support directors in mitigating known and unknown risks. The meeting, captured in the 2013 Advisory Council on Risk Oversight Summary of Proceedings, focused on areas critical to effective risk oversight processes. These include:
Board processes and people. It is critical that the board not only has the right talent, but engages it fully. Directors should have a “real and thorough” understanding of the business to be able to effectively discuss both strategy and risk with management.
Recognizing asymmetric information risk. While the board has to be comfortable with the reality of information asymmetry, directors should establish tolerance levels for the asymmetric risk they are willing to bear, and look for signs that this risk has become too high.
Engaging with management involved in risk reporting. For companies with a chief risk officer (CRO), that person can keep an “inventory” of risks throughout the organization. Additionally, directors can ask internal audit to identify what it believes will be “hot-button” risk areas.
Linking strategy to risk. The board’s oversight of risk should begin with an assessment of the company’s strategy and its inherent risks, which necessitates understanding and agreeing on the risk appetite, or the amount of risk the company is willing to accept.
Allocating the work of risk oversight. The significant increase in risks facing the board necessitates defining who will act as an “air traffic controller”—allocating risk oversight responsibilities.
Leading practices for risk oversight—including allocation of work and the development of a risk strategy document—will continue to be the focus points not only for this advisory council but also NACD’s Directorship 2020 initiative. To download the full summary of proceedings, click here.