Many companies have adopted a risk language or taxonomy to facilitate an ongoing dialogue regarding their risks. With respect to board risk oversight, the question arises as to whether directors should adopt their own risk language to ensure they are covering the bases and focusing the oversight process. While each board must decide for itself whether such a language is useful given the nature of the enterprise’s operations, we explore five risk categories directors may want to consider.
We often hear concerns from directors and executives alike about the board risk oversight process being an unfocused activity. If the board is mired in the minutiae of risk management, the oversight process lacks the necessary focus to be effective. We also often receive questions about how to ensure that the board’s risk oversight addresses the right issues. This question is important for several reasons, including the following:
- If the board’s oversight is focused on the risks that really matter, directors are in a position to add value to senior executives.
- A focused risk oversight process is one that can be aligned more effectively with the rhythm of how senior executives manage and run the business.
- If the board is providing input on the right issues at the right time, it is easier to delineate between the responsibilities of the board and those of management.
How is this important focus achieved?
The five broad risk categories recommended by the National Association of Corporate Directors (NACD) provide insight. These categories apply to every company, regardless of its industry, organizational strategy and unique risks. Each category of risk is discussed below.¹
Governance risks. Periodically, boards of directors must consider chief executive officer (CEO) selection and compensation, board leadership and composition, board structure, and other governance issues critical to the enterprise’s success. These decisions often require directors to weigh the risks and rewards associated with alternative courses of action. While boards can benchmark their processes for evaluating these issues from time to time by considering best practices employed by other boards engaged in similar decision making, they often must rely on their collective business judgment, knowledge of the business, and information provided by third-party advisers, including search firms, compensation consultants and legal counsel.
Critical enterprise risks. Disruptive risks that threaten the company’s strategy and viability of its business model should command the board’s risk oversight agenda. The criticality of these risks – such as credit risk in a financial institution or supply chain risk in a manufacturer – requires full board engagement, as well as an ongoing process to identify and monitor such risks. While management is responsible for addressing these risks, the board should consider its own information requirements for understanding them. For example, the board might require management to report on the impact and likelihood of the risks to key strategic goals as compared to other enterprise risks, as well as the velocity and persistence of such risks. The board also might want to understand the status of risk mitigation efforts with input from the executives responsible for managing the risks.
Other examples of relevant information might include the effects of technological obsolescence on the business model; changes in the overall assessment of risk over time; the effect of changes in the external environment on the core assumptions underlying the company’s strategy; and interrelationships with other enterprise risks.
The critical enterprise risks should be a topic on the agenda when the board provides input into the strategy-setting process. The board should be updated on these risks periodically.
Areas of Board Responsibility for Risk Oversight²
- Governance risks – Risks related to directors’ decisions regarding board leadership, composition and structure, director and CEO selection, and other governance matters.
- Critical enterprise risks – The top five to 10 risks that can threaten the company’s strategy, business model or viability.
- Board approval risks – The risks related to decisions the board must make with respect to important policy areas, such as major strategic initiatives, acquisitions or divestitures, major investments, and entry into new markets.
- Business management risks – Risks associated with normal, ongoing, day-to-day business operations.
- Emerging risks – External risks outside the scope of the previous four categories.
Board approval risks. Through careful consideration and timely due diligence, directors must satisfy themselves that management’s recommendations regarding strategic initiatives and other policy matters are appropriate to the enterprise before approving them. Therefore, such matters as proposed acquisitions, divestitures, major capital expenditures or entering new markets may prompt the board to ask questions about the associated risks and rewards and even request further analysis before approving management’s recommended actions.
Business management risks. Every business has myriad operational, financial and compliance risks embedded within its day-to-day operations. Because the board simply does not have sufficient time to consider every risk individually, it should identify specific categories of business risks that pose the greatest threats and determine whether to oversee each category at the board level or delegate oversight responsibility to an appropriate committee. For example, the audit committee traditionally oversees financial reporting risks, and the finance committee might oversee risks related to strategic opportunities, mergers and acquisitions, financial exposures, and capital availability. And there are other business risks to consider, such as operational risks associated with internal processes, information technology, intellectual property, customer service, obsolescence, manufacturing activities and the environment; financial risks, such as excessive leveraging of the balance sheet; compliance risks, such as noncompliance with a new complex law; and reputational risks, such as those that threaten the company’s brand image.
With respect to all of these risks, it is management’s responsibility to address them. As noted earlier, critical enterprise risks warrant the board’s ongoing attention. If a significant issue warranting attention arises for other business risks that are not considered critical enterprise risks, they may be escalated to senior management and the board on an exception basis. In addition, the board may request a briefing from the primary owners of specific business risk areas from time to time.
Emerging risks. While management is responsible for addressing those external environment risks outside of the scope of the risks noted above, directors need to understand them. The effects of demographic shifts, climate change, catastrophic events and new security threats are examples of emerging risks.
Disruptive change arising from technological developments, market forces and unexpected threats is a business reality. Adapting is a game every organization must play to survive – and to thrive – in a rapidly changing business environment. Properly focused, the board’s risk oversight process can assist management in adapting the organization successfully to market forces – and identifying emerging risks is a key aspect of the adaptation process.
The above risk categories provide a useful context for boards to consider to ensure the risk oversight process is focused and sufficiently comprehensive. The following is one train of thought about using these five categories as a way of approaching the board’s risk oversight. Obviously, governance risks fall within the domain of the board. Board approval risks require directors and management to agree on the matters the board approves in advance and the timeliness of board involvement with such matters. With respect to the other three risk categories, the lion’s share of the board’s risk oversight is directed to critical enterprise risks and emerging risks.
The board should satisfy itself that the organization has effective processes in place to identify emerging risks so that the company can position itself as an early mover³ in terms of addressing those risks. Finally, with respect to business management risks, the board should expect escalation of significant issues on a timely basis and periodic briefings in specific areas.
Questions for Boards
- Is there a process to identify the organization’s critical enterprise risks? Are these risks reported to the board or its designated committee(s) to prioritize the board’s risk oversight focus?
- Is the board approving major strategic and policy issues on a before-the-fact basis?
- Is there a process in place for identifying and communicating emerging risks to enable management and the board to be proactive in responding to them?
- Are significant, unexpected risk issues escalated to executive management and the board on a timely basis?
How Protiviti Can Help
Protiviti assists directors in public and private companies with overseeing the organization’s key risks. We provide an experienced, unbiased perspective on issues separate from those of company insiders and an analytical assessment approach that facilitates board risk oversight.
¹ Source: Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward (Appendix A, pages 22-23), NACD, October 2009.
² Ibid., page 9.
³ Protiviti defines an “early mover” as a firm that quickly recognizes a unique opportunity or risk and uses that knowledge to evaluate its options before the opportunity or risk becomes widely known. Protiviti’s Early Mover Series is available at www.protiviti.com/earlymover.
Board Perspectives: Risk Oversight (Issue 63)