PwC confuses boards on risk oversight

I want to start with two admissions:

  • I worked for 10 years at PwC and still have friends and respect for many of the professionals there.
  • I am hopeful that the pending update to the COSO ERM Framework, written by PwC, will be a leap forward in the practice. In fact, I am more optimistic about the COSO initiative than I am that the ISO 31000:2009 update will reflect current leading practice (that risk management is about disciplined risk-taking through informed and intelligent decisions).

Then I read the latest advice for boards from PwC on risk oversight.

“Why your board should take a fresh look at risk oversight: a practical guide for getting started” is hugely disappointing.

While the PwC team on the COSO project recognizes explicitly that risk management is far more than a periodic review of a list of risks, the authors of the board governance report are on a totally different page.

For example, the report says:

“It’s helpful for the board and committee chairs to work together to ensure all key risks are subject to board-level oversight. Some boards find it helpful to use a risk allocation matrix, which extends the key risk summary that many boards currently receive. Some companies even show overall risk allocation graphically in their proxy statements.”

They are talking about a list of risks, not about the achievement of objectives.

The report has a useful discussion about whether the organization’s disclosures about risk are complete and sufficient to satisfy investors.

It also asks interesting questions about the competence of the board members in risk management.

But the role of the board is not to second-guess management and perform its own identification and assessment of risk.

The role of the board is to ensure management has the capability to do this and is in fact doing it well.

Frankly, the PwC report advises boards in a way that will lead them all astray!

It suggests the wrong questions.

I have written about this before, but here are the questions I would ask the executive management team if I were on or advising a board:

  1. What does risk management mean to you? Is it something you have to do (for compliance purposes) or does it actually and significantly help you determine and execute on strategy? If the latter, please explain.
  2. How effective, Mr. or Ms. CEO, do you believe the management of risk is? Does it give you a strategic advantage?
  3. How effective does your CRO believe it is (if you have one; if not, what does the responsible executive think)?
  4. How effective does your internal audit team think it is? How did they assess it? If they didn’t, why not?
  5. How do you factor in the consideration of risk (“what might happen”) into the selection of strategies and objectives?
  6. How do you factor in the consideration of risk into the selection, planning, and execution of major initiatives? Where can I find it in the proposals you submit to the board for approval?
  7. How do you and your management team make decisions in the face of uncertainty?
  8. What is the likelihood of achieving each of our strategic and major operational objectives? How do you assess not only performance to date but anticipate what might lie ahead? What are you doing about the latter?
  9. How do you know all decision-makers are taking the desired amount of the right risks? Do you help them at the point of decision-making or only after the fact through risk reporting against risk appetite? Does what you are doing work?
  10. What are you doing to improve the ability to address and respond to likely future events and situations?

The conversation about risk management expertise is, in my opinion, misplaced.

Members of the board should, for the most part, be able as former executives themselves to assess the competence of the executive management team in addressing what might happen.

That doesn’t require skills and knowledge in risk assessment techniques.

It requires the ability to listen, challenge, and think about how the CEO and his/her team are managing the organization with an eye on the future that is realistic about what might happen and what to do about it.

I welcome your comments.

  1. Anand Varma, Ex-PW
    May 27, 2017 at 7:00 PM

    What is wrong with board members also knowing risk techniques that will help equip a Board to exercise oversight more effectively, and thereby a board can also have answers to the specific questions you have listed? Any board can’t simply observe the theoretical difference between oversight and management. I can’t find anything confusing in the PwC report portion you have cited that suggests that a board should overstep oversight into risk management.

    • Norman Marks
      May 29, 2017 at 6:56 AM

      Anand, my opinion is that board members have little time and I prefer that they focus on the big picture rather than question risk assessment techniques, getting into the weeds. If they like and have the knowledge, they can use that to challenge management, but it is better to make sure management can do this than to try to do it themselves.

  2. May 28, 2017 at 6:07 PM

    I like your questions, especially those that don’t assume all risks are negative. I’d like to see companion questions that the board needs to ask itself, and that the CEO needs to ask the board. The latter might include: “Since taking risks means risking failure, and not taking risks means missing opportunities, can you help me know how risk-friendly or risk-averse you want this organization to be? How will some learning experiences that fail to produce the desired effect or revenues impact your view of my performance?”

  3. Jai
    May 28, 2017 at 6:19 PM

    A Board has oversight responsibilities in relation to risk management. In my view they cannot effectively undertake this role without having some expertise in risk management within the Board membership. I cannot see too much wrong with a Board having competence in various areas, including finance and risk.

    • Richard Fowler
      May 30, 2017 at 5:42 AM

      But the Board also has oversight responsibilities for every other aspect of the organization. Are you suggesting that the Board should have competence in each functional area? Most Boards are composed of senior executives who have competence in management and strategic direction. I can see expecting them to have experience in risk management, but not necessarily expertise.

  4. May 29, 2017 at 6:36 AM

    Effectively, Boards are beginning to adopt a SOX level of identified oversight of compliance and technical risk controls. Look for an overhaul of the InfoSec policies and identification of compliance area governing officers coming soon.

  5. Azar Abbas
    May 29, 2017 at 11:10 AM

    Hi Norman. I hear you, and I don’t disagree with you on most counts, except that I think you feel too strongly about the Board not getting into identification (or second-guessing, as you say). The best Boards would comprise a Risk Committee typically chaired by someone from the same industry. Challenge is, of course, a fundamental duty of the Board, but mere probing could be rendered ineffective by expert storytelling, or simply by “too much” understanding between different lines of defense, which is easily possible in large organizations run by executives who have grown into C-suite spots over their careers side by side. So in those situations we simply need a specialist or two on the Board who sensibly turn on their activism switch, and use internal audit to launch direct probes or assign direct action when management views don’t add up.

    Balance is crucial. Staying away from direct action isn’t an option for the Boards anymore.

  6. Robert Bush
    May 29, 2017 at 1:17 PM

    I agree – balance is crucial. Organisations exist not to manage risks but to achieve objectives, and that is where the board’s focus should be. Putting too much focus on the how of risk management rather than the purpose can become a distraction from the bigger picture, pulling the board into the detail rather than trusting the management team. Obviously there is no reason why the board should not be involved in identifying risks, but at that level risks are unlikely to emerge out of nowhere, so by the time the board enters the equation somebody elsewhere in the organisation should already be on the case.

    • Norman Marks
      May 29, 2017 at 2:31 PM

      Very well said

  7. Glenn Daly
    May 29, 2017 at 3:32 PM

    Fine line between sales/marketing and provision of objective “robust” advice. For a board to undertake and demonstrate that it is engaged in and oversighting “risk”, according to PwC it needs to have “risk” explicitly on the agenda and for board members to then discuss “risk”. So much for “integration”? When a board meets it considers papers prepared by management to make “decisions” on. Such papers in well-run companies deal with important matters (otherwise they would not need a board decision). These papers (even though the word “risk” may not get a mention) would typically outline the issue/matter, options, implications etc. Surely when a board considers such papers, it is engaged in “risk”. The very topic of the paper is most likely addressing a “risk”. From a “risk” oversight perspective, is it not the job of the board to ensure that such papers come to it in a timely manner, and that they do in fact clearly outline the issue/what is to be achieved, options identified with implications, and an appropriate recommendation etc.? But no, robust risk management is about making “risk” a specific agenda item, and having “risk” discussed not as part of some decision-making process relating to achievement of an objective. Makes sense? Value adding? But it allows people to make “robust” disclosures in annual reports that the board is engaged in and is oversighting “risk”. Meanwhile, papers that should come to the board do not. Meanwhile, when papers do get presented they do not outline all the implications, options etc., but so long as we have that agenda item called “risk” all is well. More tick-a-box stuff. I can think of some more robust disclosures in annual reports that need to be made than what PwC are recommending, in relation to the board demonstrating and engaging in / oversighting “risk”.

    • Norman Marks
      May 29, 2017 at 3:45 PM

      Love it!

  8. Gab
    May 30, 2017 at 5:51 AM

    Having the Board deciding on or reviewing operational risk methodologies can be classified as a cost to the Board in both time and material.

    The right level of controls protects businesses from risk while keeping costs in check. Control rationalization can have a positive impact on governance, risk and compliance. Businesses must first determine if excessive controls are in place before costs escalate.

    To about it. Can escalating costs lead to other inherent risks or problems?

    The Board’s role should focus on strategic directions for the management team.

  9. ohwojero uyota
    May 30, 2017 at 11:19 PM

    Wow that was enlightening

  10. ohwojero uyota
    May 30, 2017 at 11:26 PM

    Thanks for your insights. From what you explained and from your posts, the COSO adjustment seeks to treat risk management as an end in itself rather than as a means to an end.

  11. Gamaliel Njomane-Bhebhe
    June 2, 2017 at 12:52 AM

    Risks arise out of a context of objectives. I tend to agree with Norman in his take that the Board needs to keep a manageable distance from the ‘detail’ of risk management techniques but focus more on provision of oversight in the protection of attainment of strategic objectives. Whatever technical knowledge may exist at Board level amongst the members is necessary in validating management assumptions, decisions etc. as and when that technical expertise is needed. I don’t think the Board should be seen as becoming a ‘pseudo-C-suite’ that is seen to be second-guessing management decisions. Trust is a vital variable within the entire organizational system, and perceived Board ‘over-involvement’ could be misinterpreted, thus creating a ‘trust tax’ in the system; low trust = high costs, and the converse applies…

  12. June 2, 2017 at 11:40 AM

    Norman, I would put your points 8 and 2 as the most important and would say the others are probably implied in these two.
    Your point two has been admirably demonstrated by British Airways, closed down for three days due to a computer fault and facing £100m in compensation claims.
    One of the strategic risks listed in the 2016 BA accounts (page 8).
    ‘Failure of a critical IT system:
    BA is dependent on IT systems for many of its principal business processes. The failure of a key system may cause significant disruption to operations and result in lost revenue. System controls, disaster recovery and business continuity arrangements exist to mitigate the risk of a critical system failure.’

    June 20, 2017 at 12:52 AM

    Great insight here, Norman, on what the Board should be focusing on: achieving the strategic objectives and not necessarily going into the trenches.
