Risk is properly seen as a key issue, but too often it is delegated to various departments — the IT group manages data security, the treasury function manages credit risk, and so on. This delegation brings with it the benefits of specialized expertise. At the same time, it can obscure the unique and crucial role of the board when it comes to managing risk.
Recently, a colleague told us two offbeat and seemingly unrelated stories:
He said he just had his septic system repaired. Out in the yard, inspecting the work in progress, his contractor pointed to the walls of the freshly excavated pit. “That is some beautiful soil down there,” the contractor said.
He then recounted an experience at a recent medical exam. While drawing his blood, the nurse nodded toward his bare forearm. “Those are truly impressive veins you’ve got there,” she said.
We must admit, this coworker had us curious. What could possibly be the point of these strange recollections?
“The point is,” our colleague quickly told us, “that everybody has a view of the world that is shaped by their knowledge and experience. I looked down in that hole and saw rocks and dirt. He looked in and saw hydraulic gradients and soil permeability. I looked at my arm and saw a purplish line. She saw a protuberant median cubital vein with high productivity potential.”
Ah, we were starting to get it now. Two people can look at precisely the same thing and see something entirely different?
“Exactly!” he said. “And that same lesson applies to business. The perspective that you bring to an issue will influence your response to that issue. Your view of the world will profoundly affect your business decisions.”
“OK,” we said gamely, knowing we were being set up. “And exactly how do you look at business issues?”
“I look at all business issues through the same lens,” he said. “The lens of risk.”
Analyze the demographics of most corporate boards and you’ll find a heterogeneous collection of exceptional talent. The skills members bring to the table reflect a wealth of experience, knowledge and wisdom. Yet despite this extraordinary diversity of viewpoints, we believe that every member of the board should don a pair of risk-colored glasses.
We expect this tinted eyewear to become increasingly popular. These days, you can’t even sit on a public company board without giving at least cursory attention to risk. The New York Stock Exchange requires the audit committee of all listed companies to annually discuss the company’s financial risk exposures and understand how management addresses such risks. Several shareholder ratings services and institutional investors now include risk management in their corporate evaluations. And, of course, the potential for out-of-pocket settlements paid by board members or costly shareholder suits against the company has driven home the point in boardrooms across the land — risk has become personal.
But an annual chat (and perhaps a panicked wallet clutch) does not constitute what we consider a risk intelligent approach by the board. To meet their fiduciary responsibilities, directors must share a common vision of risk and adopt a framework to support their risk oversight activities. Unfortunately, today, these elements are lacking at many companies.
This is not to imply that boards are negligent when it comes to risk. Quite the contrary; most board members make careful deliberations and bring to bear their best judgment. They summon the chief risk, strategy and audit executives, along with the external auditor and others who manage exposures to risk and related policies, to appear before the board. They listen to presentations, ask tough questions, and review reports.
Laudable but, unfortunately, insufficient. What is lacking is a context for understanding the issues. The board has nothing to benchmark against; directors have no process or framework in place to allow them to take an independent, objective view. As a result, they are left grappling with risk on an almost intuitive level, an ad hoc approach that allows issues to slip through the cracks. And, as has been demonstrated countless times, when risks are not managed properly, bad things almost inevitably happen.
The buck stops … where?
Boards are under pressure — regulatory, legal, fiduciary, stakeholder — to oversee the risk management activities of the company. But many board members are unsure how to approach their risk-related responsibilities. They are uncertain about roles and delineation of responsibility. They wonder where to start and how to bring all the disparate pieces together.
In fact, many options are open to companies as they develop a framework for managing risk. One of the earliest questions that must be addressed: Where does risk oversight belong at the board level? Companies have tried myriad approaches, each of which offers pluses and minuses:
- Keep risk responsibilities at the full board level. This approach gives risk issues a broad and thorough airing for the entire board membership. However, it can also be unwieldy and inefficient to get into detailed risk considerations with the full body.
- Delegate overall risk responsibilities to the audit committee. This is a seemingly logical choice. But in the Sarbanes-Oxley era, the audit committee may be the most overworked of all board committees. Financial risk is already on its agenda, as is the less-clear-cut financial risk oversight required by NYSE listing standards. Piling on operational, strategic and enterprise-wide risks may present an undue burden that could result in insufficient oversight.
- Create a risk management committee. This option represents a good choice for many companies (including our parent organization, Deloitte & Touche USA LLP, which recently created a risk committee of its own). Many financial services companies maintain dedicated risk committees; they are less common, but not unheard of, in other industries. Full boards with large memberships are more likely to spin off separate risk committees; smaller boards tend to retain risk oversight within their own ranks.
Of course, creating a risk committee is no panacea. In fact, it can be counterproductive if other board committees get the notion that their risk problems are solved because the risk committee is on the job. The risk committee does not relieve other board committees of their risk burdens, but rather makes sure these groups attend to their risk responsibilities by providing a coordinating and harmonizing function.
When the risk management structure is optimized, every board committee will have risk on its agenda. Financial risk falls within the domain of the audit committee; compensation risks, the compensation committee; and succession risk, the nominating committee. (Note, however, that overall succession planning responsibility usually rests with the full board, with the nominating committee often taking a lead role in beginning the diligence process.) Each of these committees, in turn, reports back to the full board, which processes the information to develop a full-spectrum picture of risk. And, finally, the loop is closed when the full board addresses risk issues with management on a regular basis.
Thus, in companies large and small, the buck stops with the full board. But the currency can pass through many hands along the way.
The risk intelligent board
What is the most important function of the board? Many board members and board watchers would contend it is overseeing the development of corporate strategy. Indeed, no other activity — except possibly the selection of the chief executive — exerts such a potentially profound impact on the long-term fortunes of the company.
Of course, every strategy carries risk. This may seem a commonsensical notion, but only recently has it been widely recognized that risk management is as relevant to strategy and value creation as it is to value protection. Thus, overseeing risk-taking for reward may be a new realm for many board members. And it may not be an entirely comfortable realm either, because many established organizations are characterized by a desire for stability, certainty and predictability, not by a propensity to actively pursue risk.
Case in point: We are acquainted with the CEO of a large financial publisher consisting of a parent company and several divisions. When he was hired several years back, he took over a solid company that had enjoyed many successive quarters in the black. He could have just ridden out the wave for a few more years and, chances are, his board and shareholders would have been just fine with that.
But this CEO knew that standing pat was risky in itself. He evaluated the long-term growth potential of the company and determined that many of its divisions were mature and incapable of sustaining double-digit growth rates. He also knew that a growth slowdown would influence analysts’ assessments of cash flows, impact ratings, and, ultimately, affect shareholder value. Thus, he made the radical decision to sell off his mature-but-still-profitable divisions and search for new businesses that were complementary but had greater growth potential.
Of course, the CEO had to convince the board of the wisdom of the strategy, which proved a hard sell. Like many, this board was a conservative group whose view of risk was limited to the protection of existing assets, not intelligent risk-taking for reward. Ultimately, the CEO presented a persuasive case and the board agreed to the move.
Both the board and the executive took some heat from shareholders and analysts, but they proved prescient over the long haul. Jettisoning several demonstrated “golden geese” and replacing them with an unproven flock had the potential to lay an egg. The strategy worked, reenergizing stock value and doubling the company’s share price over a several-year period. With its board educated on the merits of intelligent risk-taking for reward, the company avoided a likely period of slow decline and instead ushered in an era of sustainable growth.
Unfortunately, many boards have not yet attained this enlightened perspective. Historically, if the board considered risk at all, it was of the value-protection variety, manifested in insurance policies, currency hedges, futures contracts, and the like. There is nothing wrong with this focus; it is a critical function of the board. But it represents a “half a loaf” approach. Done properly, risk management oversight includes addressing risks to the achievement of long-term strategy. And for any company that hopes to compete and grow, long-term strategy involves risk-taking for reward.
The active pursuit of risk is essential — calculated risk-taking is a fundamental precept of capitalism. Without risk-taking, the prospect of innovation diminishes, competitive advantage evaporates, and, with it, shareholder value. The board must be involved.
Can we talk?
One way the board can get involved is quite simple — talk it up. Merely putting risk on the agenda for discussion starts a process that will spur creative thinking and generate illuminating discourse. Whether the initial conversation takes place at a committee level, at the full board level, or both is not as important as getting the discussion started. The topic of risk should be placed on the full board meeting agenda on a regular basis, perhaps several times per year. And it will play an important role in board strategy retreats. (Obviously, risk will show up with greater frequency on the committee agendas.)
By broaching the risk discussion at the board level, one pervasive problem is immediately confronted — the tendency for risk management activities to take place in “silos.” Most companies spread risk management across the organization. Treasury manages credit risk; IT oversees technology and information risk; facilities handles real property risk. This level of specialization is essential to effective risk management. But problems can arise if these risk specialists remain in isolation, never venturing from their bunkers. Among the potential concerns: the “big picture” remains out of focus; disparities arise in the terminology used to talk about risk and the metrics used to measure it; and risks in combination and cascading risk scenarios don’t enter into the discussion.
To combat these problems, the board can act as a catalyst to bridge the silos. By bringing various risk managers into the same room to present their perspectives and strategies on risk, the board is creating an environment that will jump-start a collaborative and synchronized approach to risk management.
Actions for the risk intelligent board
Here are several additional steps you and your board can take along the path to Risk Intelligence:
- Broaden your view of risk. Don’t limit your deliberations to fraud prevention, inventory protection, IT security and the like. These are all important items, to be sure, but they are more related to “survive” than to “thrive.” Embrace the concept of Risk Intelligence to attain a proper balance between value protection and value creation. Read our foundational whitepaper on the topic: “The Risk Intelligent Enterprise™: ERM Done Right.”[1]
- Take a hard look at the board. Evaluate the risk governance structure within the board and its committees. Determine to what extent risk oversight is occurring. Assess whether the board’s approach is practical and responsive to the challenge. Bring in internal audit or an outside party to assist with the assessment.
- Don’t underestimate the challenge. Your work as a board member does not begin and end with the risk report. Rather, it requires a commitment of your time and intellect to understand the issues and activities that underlie the report. Your board should engage in meaningful dialogue around risk overstatement and understatement — that is, consider if your company is overly risk averse — and at the same time, determine if you have sufficient coverage in the areas of risk exposure.
- Think about your risk framework. Don’t address risk in an ad hoc manner. Make sure there is an appropriate framework over which the risk governance activities occur. The tools that may prove helpful are the COSO ERM framework[2], Deloitte & Touche’s Risk Intelligence Framework[3], and the Deloitte Risk Map (available free of charge at www.deloitte.com/RiskIntelligence).
- Line up with management. Work in synch, not at odds. Make sure that management is aligned and coordinated with the board’s point of view on risk. Require of management the legwork necessary to support the board’s desire for the highest and most practical level of risk governance achievable.[4]
- Assess risk performance. Assure there are periodic, independent assessments to evaluate the effectiveness of the full risk management program. It is the board’s duty to determine whether risk processes are as rigorous as they can be. After all, you don’t want to first learn of shortcomings when the mother of all risks lands on your doorstep and you didn’t see it coming.
Finally, as an aid to “seeing it coming,” don’t forget that essential fashion accessory. Get yourself a pair of risk-colored glasses — and a few extra pairs for your fellow board members.
Endnotes
1. This and other risk-related titles may be downloaded at no charge at www.deloitte.com/RiskIntelligence.
2. “Enterprise Risk Management — Integrated Framework,” The Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org.
3. The Risk Intelligence Framework may be downloaded at no charge at www.deloitte.com/RiskIntelligence.
4. For more information, see our Risk Intelligence title focused on the chief information officer and the chief audit executive at www.deloitte.com/RiskIntelligence.