In October 2009, the National Association of Corporate Directors (NACD) published its Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward. This report recommends 10 principles to assist boards in strengthening their oversight of the company’s risk management.
According to the report, “… the Commission believes that [the 10] principles provide a foundation that boards can use to build a more comprehensive risk oversight system tailored to the specific needs of their respective companies.” We agree. Offered as guidance to directors, these principles provide a context for understanding the risk oversight process.
Principles 1 and 2 are especially important because they focus on understanding the risks inherent in the corporate strategy. It is vital that directors understand the business, including the risks inherent in the business model, and understand and agree with management on the company’s risk appetite.
Principle 3 is important as directors collaborate in clarifying risk oversight responsibilities for the full board and various standing committees. The NACD Blue Ribbon Commission (BRC) asserts that “… as a general rule, the full board should have primary responsibility for risk oversight, with the board’s standing committees supporting the risks inherent in their respective areas of oversight.” To that end, the NACD BRC discusses five categories of risks facing each board – governance risks, critical enterprise risks (i.e., risks that threaten the company’s strategy and business model), board-approval risks, business management risks, and emerging and nontraditional risks (e.g., climate change) – and delineates between management’s and the board’s responsibilities.
Ten Principles of Effective Risk Oversight
- Understand the company’s key drivers of success.
- Assess the risk in the company’s strategy.
- Define the role of the full board and its standing committees with regard to risk oversight.
- Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources.
- Work with management to understand and agree on the types (and format) of risk information the board requires.
- Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions.
- Closely monitor the potential risks in the company’s culture and its incentive structure.
- Monitor critical alignments – of strategy, risk, controls, compliance, incentives and people.
- Consider emerging and interrelated risks: What’s around the next corner?
- Periodically assess the board’s risk oversight processes: Do they enable the board to achieve its risk oversight objectives?
Source: Chapter 4, Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward, National Association of Corporate Directors, October 2009, pages 14-19.
Principle 4 is important because, too often, risk is an afterthought to strategy and risk management is an appendage to performance management, i.e., risk management is often what the NACD BRC describes as a “side activity.” This principle addresses looking beyond mere risk identification to consider the adequacy of other dimensions of managing risk, including policies, processes, people, reporting, incentives and culture.
Principle 5 is a common issue for many boards. We often hear directors complaining of being overwhelmed with reports while being underwhelmed with insightful information for decision-making. Reporting should consider the importance of providing different perspectives on a given risk as opposed to sole reliance on quantitative models.
Principle 6 addresses the need for constructive engagement between boards and management on risk matters. This principle’s reference to challenging assumptions is especially important in light of the global financial crisis. As a result, many have questioned whether boards really understand the key variables driving success and the sensitivity of those variables to changes in markets.
Likewise, Principle 7 points to another lesson of the financial crisis – the importance of the potential impact of a company’s culture and incentive compensation structure on its risk profile over time.
Principle 8 speaks to alignment of strategy, risk, controls, compliance, incentives and people, for without it, there is likely to be a disconnect between a company’s strategy and its execution. Principle 9 asks the question, “What’s around the next corner?” This question is anticipatory in nature and deals with emerging risks that currently are not on management’s radar. Finally, Principle 10 advocates applying the best practice of periodic board self-evaluations to the risk oversight process.
Questions for Boards
Following are some suggested questions that boards of directors may consider, in the context of the nature of the entity’s risks inherent in its operations:
- Has the board articulated its risk oversight objectives?
- Has the board evaluated the effectiveness of its risk oversight processes in achieving its risk oversight objectives? Does the board plan to conduct this evaluation periodically?
- Is the board proactively taking steps to address any gaps that impede its risk oversight effectiveness?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the risks inherent in the enterprise’s strategy and business plans, either across the entity or at various operating units, and the capabilities for managing those risks. We help organizations identify and prioritize the risks that can impair their reputation and brand image and lead to failure to execute the corporate strategy successfully.
Board Perspectives: Risk Oversight (Issue 7)