A board that would fail any test of its governance practices
Recently, I have been talking to the CRO of an organization about helping her, her team, executive management, and the board develop more mature and effective risk management practices.
We have been planning a visit where I would talk to each of the above in separate sessions.
Perhaps the most important is a two-hour meeting with the board. The CRO and I had planned for me to share with them some of the principles of effective risk management, based on what is considered world-class (and discussed here), and the governance of risk management by the board.
I was distressed when the CRO relayed to me a request by the chairman of the board.
He wanted me to include, in that same two-hour slot, a discussion of eight sources of ‘geopolitical’ risk. These are all issues of local rather than broader significance and effect. (For example, one was the liquidity of the local government and its ability to provide citizens with essential services; another was the incidence of crime in the region.)
Let’s leave aside the point that I am most definitely not the best person to discuss these local issues (I live thousands of miles away) and their potential effect on the organization.
Let’s focus instead on the point that the chairman wants to spend a lot (perhaps most) of the time talking about eight sources of risk.
Here are some principles for effective oversight of risk management by the board (IMHO):
- The board needs to have confidence that it can rely on the management team to understand everything of significance (within reason) that might happen (a.k.a. risk) as it works to achieve the objectives of the organization, including the likelihood of each potential event or situation and how it would affect the likelihood of success. (Note: there would be range of potential effects.)
- The board also needs to have confidence that management will take appropriate action if and when the likelihood of achieving objectives falls below acceptable levels. (Note: this is a far better yardstick than a quantified risk appetite statement.)
- The board needs assurance that the management team is considering what might happen, including what might happen for each option, when it makes both strategic and tactical decisions. These would include decisions around budgeting, capital allocation, project management, and more.
- The board needs assurance that the management team is not taking unnecessary and/or inappropriate risks in an effort to achieve goals. In particular, the board needs assurance that the achievement of personal goals (such as bonuses and promotions) is not given priority over the long-term success of the organization. (Note: some might refer to so-called risk culture.)
- The board needs assurance that both the management team and the board can rely on the information they use to make decisions.
- The board also needs assurance that management at all levels is receiving sufficient guidance so that they are taking risks consistent with the desires of executive management and the board.
- The board needs assurance that performance management, planning, and related activities appropriately consider what might happen, its likelihood, and potential effects.
- The board also needs to have confidence in the quality of the assistance provided to management by the risk function.
- Finally, the board needs to know that an appropriate consideration of what might happen is an essential part of strategy and objectives development.
- The first nine principles are essential for continuing reliance by the board on management to run the organization with their eyes and head toward the future, what might happen. The level of discussion of specific sources of risk should depend on how much confidence they have in management. If management is highly capable, discussions may be short. But if there is little assurance that management is able to understand what might happen (or, risk), then the board should be much more active and assertive in its review of how management addresses specific sources of significant risk to the organization.
The ten points above are very different from what I have seen from any consultant. They tend to guide boards to discussions of the risks of the day rather than the possibility that management is not managing risk (what might happen) as part of its day-to-day running of the organization.
Managing a list of risks is not risk management.
Continuously anticipating what might happen so you make informed and intelligent strategic and tactical decisions that will help you achieve enterprise objectives is risk management.
The periodic discussion by the board of a few significant sources of risk is not risk governance or oversight.
Obtaining assurance that management is effectively managing risk (what might happen) and making informed and intelligent decisions every day, combined with hearing from management on the more significant risks, is risk governance.
I welcome your comments. Do you like or dislike my ten principles? How would you improve them?
Leave a reply to Anonymous Cancel reply
Norman Marks on Governance, Risk Management, and Internal Audit 
Hi Norman,
I like and agree with your principles. The Board should have adequate assurances from management the company is properly managed, but refrain from directly managing the company.
Given, what I see as the biggest risk in business today – greed – I “love” your principle 4 around personal goals/benefits and long term sustainability of the company.
I also agree that addressing the likelihood of (not) meeting targets is a much stronger than any absolute value risk tolerance statement – it will also drive a better discussion between management and board.
I particularly like this part:
„management will take appropriate action if and when the likelihood of achieving objectives falls below acceptable levels.“ This is a much better framing of the effects of risks than regarding individual risks and deciding upon action depending on their magnitude (however well or badly measured) as it is too often the case.
Great list. I suspect the Chair wants to talk about actual risks facing the business and not just the risk management process, hence the disconnect. You might separate the agenda along those lines to clarify how much time for each.
I think of risk along the COSO lines of strategic/operational, financial reporting, and legal/regulatory, so that may also be helpful in determining how much time the client wants to spend on each bucket.
Maturity in financial reporting is probably solid, with dozens of risk statements linked to controls as part of SOX. Legal is hopefully the same, with controls linked to laws or frameworks (e.g., InfoSec and privacy controls to Trust Services Criteria and GDPR articles). So hopefully the agenda for those can be shown with a simple process maturity model for those areas or equivalent slide showing functions or businesses down the side and risk management process attributes across the top.
Good luck!
Dear Norman, I particularly like the statement in point #2, that the management would take appropriate action when “likelihood of achieving objectives falls below acceptable levels”. It’s definitely a much clearer and more specific “yardstick” than trying to define the risk appetite. Unfortunately, some would use the risk appetite as “buzz word” with no substance and struggle to define what exactly they mean. I also like point#3 which emphasize the need for “scenario planning” for every option that management would present to the Board.
How to validate and express to get impact. Or, not?
Mike, could you help me understand what you mean?