Advice on board oversight of risk management
BoardMember has a series in which it interviews experts on a variety of topics relevant to directors. Recently, they interviewed a good friend of mine (Brian Barnier). Brian (see here for his bio) works at a number of levels: with boards and executives, advising on several topics including risk management. In this video, he shares advice for directors on how they can effectively provide oversight on risk management and key questions they should ask.
Now, Brian is a good friend. He and I have partnered on presentations and we are both OCEG Fellows. But that doesn’t mean we always agree. This is one of those times where I would go further than Brian has in this discussion.
This is what I would say to a board:
1. Recognize that risk is the effect of uncertainty on objectives. Risk management is not just about how the organization is protected from adverse events, such as an earthquake, the loss of a top executive, a supply chain disruption, or a 60 Minutes piece on certain alleged waste disposal practices. It’s also about how the organization handles uncertainty in general, which includes its ability to respond with agility to minimize potential adverse effects and embrace potential opportunities. It’s not only about protecting corporate value; it’s about seizing the moment and achieving – or exceeding – objectives.
2. Ask penetrating questions of management about the more significant (adverse) risks facing the organization, including those that are emerging. How does management identify the risks and assess their likelihood and potential impact? Are those processes adequate? Does it have reliable processes for evaluating and responding to the risks? What assurance does it have that the risks are being managed at appropriate levels? Is the risk organization appropriately staffed and resourced? Does it report at a level where it will be heard?
It’s probably more important to obtain assurance that management has good processes than it is to understand and provide your counsel on the risks themselves! After all, management is relying on those processes between meetings and may only bring to your attention matters that are the result of the processes.
I would definitely ask the internal audit function to provide a formal report on the adequacy of the risk management framework and processes on at least an annual basis.
3. Work with management to agree on how they (and you) will determine when (adverse) risks should be accepted. Is there a way to set an acceptable risk level for each area so that not only can you and management monitor to ensure they are not exceeded, but operating management is able to apply the standards when they are making decisions – taking the risks?
4. Also ask about management’s readiness and agility to identify, evaluate, and respond when there are market opportunities. Can management move fast enough, yet in a thoughtful and considered fashion?
5. Ask management how they ensure that people on the front line are trained to handle risk and make appropriate decisions. Do front-line staff understand the organization’s attitude towards risk (its inclination to take or avoid risk), and how does management ensure that their decisions are consistent with desired risk-taking practices? How is risk addressed when it comes to IT or other major projects?
6. Agree with management on when and how you will be informed that either risk levels have been exceeded or an adverse event has occurred.
7. Recognize that the board should take the lead on certain risk management activities, such as addressing risks relating to the performance of the CEO and other top executives, whether there are compensation or other risks that might influence executives to make decisions contrary to the long-term interests of the company and its stakeholders, and whether management’s process for determining strategies is sound.
8. Oversight of risk management can and probably should be allocated to several board committees, with an overall review by the full board. Be careful about overloading the audit committee. That team already bears a large burden and may not be able to give sufficient consideration to all areas if risk management is added. I would only assign financial and possibly compliance risks (if there is no compliance committee) to the audit committee.
9. Don’t underestimate the need to obtain education and orientation in risk management. Have a look at the ISO 31000 standard, and have an expert on risk management present to the board.
10. Seek to continuously improve, assessing your performance annually. It would be useful, especially in the first few years, to engage an expert to assist in your self-assessment process.
Above all, the board needs to exercise common sense and not accept explanations that are not clear, or that it does not understand. While there is something of a science in quantifying certain risks (such as those relating to currency fluctuations), most risk management functions have not failed because of that: they failed because common sense was not applied! (Just think of the assumption that house prices would never fall.)
Have I got this right? How would your advice differ? I would love to hear.