As the business environment changes, so must the board’s risk oversight. As the pace of change quickens and the stakes for “getting it right” increase, a question arises: Is our board risk oversight process still fit for purpose?
A year ago, a joint report prepared by the National Association of Corporate Directors (NACD), Protiviti and the North Carolina State University’s ERM Initiative advanced the view that boards may not be overseeing the appropriate risks and offered suggestions to close the gap. The report highlighted five areas demanding increased board focus: innovation and technology disruptions, growing cyber threats, competition for talent, evolving economic conditions, and political and regulatory changes. It also asserted that enterprise risk management (ERM) approaches used by many companies may no longer be sufficient to address a changing risk landscape and inform the board’s risk oversight.
Fast-forward to today, and these five risk areas remain relevant. The joint report outlined a road map for strengthening the board’s risk oversight in today’s complex and unpredictable marketplace. In this issue, we cover the four points defining that road map because we think they still apply today.
Revisit the board’s risk governance model and director skill sets. Depending on the nature of the enterprise’s risks and the extent of the expected change in its risk profile over time, the board should assess whether it has access to the requisite expertise and experience needed to provide the appropriate oversight — either on the board itself or among its external advisers. For example, with digital disruption affecting many businesses, do directors have sufficient understanding of digital business models, digital ecosystems, and the potential that hyperscaling digital platforms have to facilitate rapid growth and reinvent the company’s business model? These are trends that bring both opportunity and risk to the business, and understanding them is essential to sound oversight. In addition, the board should rethink how it organizes itself for risk oversight, including the delineation of responsibilities among its various committees and the full board.
Make culture an enterprise asset as well as an oversight priority. Culture is almost always the source of both positive and negative reputation and financial performance outcomes, as it is a potent source of strength or weakness in an organization. A strong culture is a critical asset for any brand. It is of vital importance to both a differentiating strategy and superior performance. Accordingly, the board should expect management to understand the culture at lower levels of the organization and whether the mood in the middle and the tone at the top are aligned. Concerns that this topic may be “too soft” for objective assessment should not distract the board’s focus on the real question:
Does the CEO really want to know the unvarnished truth about people’s perceptions across the entity, and is he or she prepared to act on that knowledge?
A “speak up” culture that encourages transparency and sharing of contrarian data and bad news entails convincing employees that they can indeed speak up without fear of repercussions to their careers or compensation. Anonymous and confidential surveys are an example of how executive management can learn what they need to know from employees. Metrics addressing such things as mission and values alignment, innovation, resiliency (speed), collaboration, and employee satisfaction also offer insights regarding culture. Candid, open and constructive board and management interactions should also prioritize the tough questions on directors’ minds.
Focus on the quality of the risk management process. Given the pace of change experienced in the industry and the nature and relative riskiness of the organization’s operations, does the board understand the quality of the process informing its risk oversight? For example, how much manual effort is required by management and various board-reporting functions to generate the reports used in board meetings? How actionable is the entity’s risk information for decision-making? These and other questions focus on how mature and robust the risk management process is and whether it is effective in.
- Delineating the critical enterprise risks from the day-to-day risks of managing the business;
- Establishing accountability for results;
- Fostering an open dialogue to identify and evaluate opportunities and risks; and
- Informing key decision-making processes with current, reliable information.
Ensure management integrates risk considerations into strategy, performance and decision-making. The unique aspect regarding exposure to disruptive change is that it presents a choice: On which side of the change curve do organizations want to be? Organizations must make a conscious decision about whether they are going to be the disrupter and try to lead as a transformer of the industry or whether they are going to play a waiting game, monitor the competitive landscape, and react appropriately and in a timely manner as an agile follower to defend their market share. These market realities strongly suggest that the board should ground its risk oversight with a solid understanding of the enterprise’s key strategic drivers and management’s significant assumptions underlying the strategy and risk appetite framework.
With the steady drumbeat of change and technological advances, the ability to respond rapidly to new market opportunities and emerging risks can be a major competitive advantage. Conversely, failure to stay abreast or ahead of the change curve can place an organization in the position of becoming captive to events rather than charting its own course. Therefore, directors need to ensure that risk oversight and risk management are not appendages to strategy-setting, performance management and decision-making, but contribute information and insights relevant to the success of these core processes.
In summary: We encourage everyone to look up the joint report from 2018, as its message remains current. Boards should take a fresh look at how they are approaching risk oversight, including how the company’s ERM is informing that oversight. With risk management practices for many industries largely rooted in the prior century, the big question is this:
Are we prepared to improve our risk management and risk oversight, or do we face the challenges of the next 10 years in the digital age with what we’ve been doing over the past 10 years?
The nature, velocity and persistence of risks have changed. Consequently, it’s time for boards to revisit their governance model and skill sets and refresh the focus of their risk oversight. To that end, directors should expect management to enhance the quality of risk management processes using new technologies. They should also expect management to better integrate risk considerations into their strategy-setting and execution, performance management, and decision-making processes. Most importantly, they must give closer attention to sustaining a strong risk culture.
Questions for Boards
Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:
- Are we well-organized for risk oversight in the digital age and supported by the diverse expertise and experience we need to discharge our oversight role effectively?
- Are we mindful of signs of organizational resistance to change? Are we encouraging management to embrace change and lead the necessary transformations to remain competitive?
- Does the risk management process bring new value and insights into the dialogue and facilitate risk-informed decision-making? Does it ever tell us something we don’t know?
- Are we satisfied that risk management is integrated sufficiently with strategy-setting and execution, performance management and monitoring, and critical decision-making processes?
How Protiviti Can Help
We assist boards and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We also assist public and private companies with integrating their risk assessment process with their core business processes, including strategy-setting and execution, business planning, and performance management. We provide an experienced, unbiased perspective on issues separate from those of company insiders to help organizations gain confidence that their executives and directors are focused on the highest-priority risks.
(Board Perspectives: Risk Oversight, Issue 117)