Talking about Risk Governance

My thanks to Alex Sidorenko, who recently wrote about The Directors and Chief Risk Officers Group (DCRO) on his blog in Companies need intelligent risk-taking to survive according to DCRO Institute.

I really like the shift from talking about risk management to risk-taking.

Alex says:

Avoiding risk altogether is the single surest way to fail over time, as innovation, competition, and customer lethargy will slowly eat away at the advantages you currently enjoy. Because there is plenty of evidence that organizations don’t take risk well – or at least well enough for long-run interests – we need to adopt practices that ensure our future.

The DCRO Institute, a collaboration among practicing board members and C-suite executives, has developed an extensive program to help current and aspiring board members become comfortable with the positive governance of risk-taking. In just its first year, registrants for its programs come from more than 65 countries, and graduates of its flagship Board Members’ Course on Risk, an intensive study program, are found serving in boardrooms and C-suites on five continents.

He goes on to assert:

Boards and senior executives who embrace risk in this framework foster an environment of innovation, allowing organizations to grow at rates that allow them to escape the well-documented corporate fade in performance.

When a board changes its view of how risk is governed and taken, the transition to embracing risk carries throughout the organization to every employee, especially those that face customers. Today when most talk about risk, they still think of the fear of loss or uncertainty, especially given our current health, social, economic, and political climate. Loss and uncertainty are partially correct conceptualizations of risk, but both fall short of the approach we need to take to be our best fiduciaries.

The staged transition from the board’s embrace of risk-taking, to the C-suite’s implementation of that guidance, to the frontline employees’ management of essential risk-taking, leads us to the most crucial conceptual change of risk-taking: its impact on the trust that all capital providers and external influencers have in us. Organizations have an expressed purpose and stakeholders trust us to pursue that purpose in value-enhancing ways. That trust, in turn, makes all transactions more effortless and less expensive.

DCRO’s Guiding Principles for Board Risk Committees (published in 2018) lists seven principles:

  1. At any organization, the full board has the overall responsibility for risk governance. In many cases, the full board will benefit from the focused and specialized support of a well-structured and competent board risk committee.
  2. The focus of a board risk committee is to link the risk-taking activities of an organization with its strategic objectives. It provides the full board with the capacity to evaluate the risk management infrastructure and capabilities of the organization and to challenge the effectiveness of management’s pursuit of strategic objectives from a return-on-risk perspective.
  3. Board risk committee meeting agendas should be guided by best practices, stakeholder expectations, and regulatory requirements. Agendas should cover topics that include a review of risk culture, strategy, tolerance for loss, and both internal and external communications.
  4. Regular meetings with key executives and independent information gathering from stakeholders are both essential for the board risk committee to develop a full narrative of a company’s risk-taking activities.
  5. The board risk committee must interact with other board committees to ensure full coverage of the organization’s risk profile and the interdependencies across its risk and performance drivers.
  6. Board risk committees should be populated with Qualified Risk Directors who are competent to govern the risks to which the organization is exposed.
  7. The board risk committee should provide sufficient guidance and information to allow the full board to issue a simple-language disclosure about the organization’s risk culture and control processes. Further, and only if warranted, the full board should issue a statement that the organization’s risk philosophy, infrastructure, processes, and capital base are “fit for purpose.”

Frankly, the only one that resonates with me is the second. The rest are ho-hum. The first sentence in #2 is the key:

The focus of a board risk committee is to link the risk-taking activities of an organization with its strategic objectives.

I will come back to that, but first want to share some interesting excerpts, with my highlights.

  • Formal and effective implementation of a board risk committee fosters a corporate environment in which the most value can be created from an organization’s limited risk-taking capacity. Garnering the most benefit from risk-taking requires both an understanding of downside risks, from either action or inaction, as well as an understanding of the drivers of success.
  • The full board’s responsibility for risk oversight and governance mirrors its responsibility for oversight of strategy and the evaluation of results.
  • A board risk committee helps the full board to evaluate if the organization is taking risks that will truly generate value after accounting for their costs, both actual and prospective. It further helps to focus the full board’s attention on the organization’s most critical risks and risk management capabilities.
  • Board risk committees should meet quarterly or monthly, depending on the complexity of the organization and overall cadence of full board meetings. The focus of the conversations should be on linking the organization’s risk-taking activities with its strategic objectives and evaluating whether the return on risk-being-taken is sufficient to support strategic goals.
  • At least annually, the committee should independently gather information from key stakeholders in their supply chain, from customers, line employees, securities analysts, investment bankers, and regulators. The committee may go even further and create a stakeholders committee to advise it on external perceptions of the organization for alignment with the representations made by internal sources. To be clear, this is not intended to be a two-way flow of information, but rather a way for the board risk committee to receive additional perspectives on the work of the organization.
  • The committee should always consider ways to avoid barriers that prevent risk information from reaching the highest levels of an organization. Regular meetings with randomly selected line employees from key business and operational units may provide additional perspective on emerging risk or cultural issues that have not yet garnered the attention of senior management or that may contradict the representations they are making to the committee. These types of conversations can also help to identify obstacles to the free flow of critical information to the board.

The last two bullet points are controversial, at least in my opinion.

The idea that the members of the board committee should meet with “randomly selected employees” and other stakeholders is a strange one. I am not persuaded that directors should do that, especially as I am not sure they will receive sufficient information from a small sample to challenge management’s position. I would prefer that management justify how they arrived at their assessments.

Another controversial suggestion relates to where there is a combined Audit and Risk Committee.

DCRO points out that there is a lot of work for such a committee. It has a full slate just on the Audit Committee side. DCRO also asserts that understanding financial reporting doesn’t mean that you understand risk and risk-taking.

So they suggest that there might be dual chairs, one for each responsibility of the committee.

I am not in favor of that, although I do agree that combining Audit and Risk may give short shrift to the oversight of risk-taking.

The same criticism applies when the Audit Committee is expected to address risk, even though it is not part of their name. In those cases, DCRO points out that attention to risk-taking is often one of the last items listed in the committee’s charter.

My personal belief is that there should be a Risk and Strategy committee.

When you have a Risk committee, it may devolve into a focus on managing and mitigating risk (a list of risks, more often than not). This is especially true when there is a separate Strategy committee.

Going back to the second DCRO principle:

The focus of a board risk committee is to link the risk-taking activities of an organization with its strategic objectives.

Isn’t this best achieved by a Risk and Strategy committee?

Whatever you believe, I think the DCRO guidance is useful and should be considered by every Risk, Audit, Audit and Risk, and Risk and Strategy committee.

What do you think?

  1. July 25, 2022 at 7:40 AM

    I 100% support the idea to have a strategy and risk committee instead of an audit and risk committee. I tried that at my last company. It did not work at all; there is still a long way to go to change the mindset of the strategy director and CEO.

  2. djallc
    July 25, 2022 at 8:10 AM

    I believe a better name for a Risk and Strategy committee is the Board of Directors. This is THE key role for the board. They should then obtain whatever additional support they need to execute their oversight responsibilities.

    • Norman Marks
      July 25, 2022 at 8:15 AM

      Doug, it all comes down (IMHO) to whether the full board has the time to do the work or whether it should delegate some of it to committees – and then what and to whom.

  3. Anonymous
    July 25, 2022 at 11:16 PM

    If the Board risk committee discussions should focus on strategy and risk together, then I wonder what’s the purpose of the Board meeting. Where’s the separation of duties between the Board risk committee and the Board of Directors?

    • Norman Marks
      July 26, 2022 at 6:13 AM

      Why should there be a separation of duties, per se? The committee would focus in more detail on the achievement of objectives, as explained in the post and the guide as the responsibilities of a risk committee.

  4. July 26, 2022 at 1:58 AM

    Norman, the first sentence of #2 is ‘The focus of a board risk committee is to link the risk-taking activities of an organization with its strategic objectives’. I would have said that the ‘risk taking activities’ should be driven out of the strategic objectives. You shouldn’t have any activity outside the strategy. If that happens either the activity shouldn’t happen or the strategy is incomplete.

    • Norman Marks
      July 26, 2022 at 6:14 AM

      Yes, although enterprise strategies are defined at a high level.

  5. Ammar Ahmed
    July 26, 2022 at 7:08 AM

    In my view, there should be a separate risk committee, but not a risk and strategy committee. The reason is that strategy oversight and making is precisely the prime fiduciary duty of the BoD, which they should do in light of advice given by the risk committee apprising them of hazardous risks and opportunities available in the market. This advice would be used by the BoD while making and approving strategic decisions.

    • Norman Marks
      July 26, 2022 at 7:25 AM

      So you don’t see that both are the responsibility of the Board and are interwoven?

      • Ammar Ahmed
        August 1, 2022 at 12:09 AM

        Thanks for your comment, Norman. They are linked and interwoven, for sure. But as you mentioned, the board needs to segregate between the tasks they need to discuss and approve and what could be managed by forming sub-committees. In my view, strategy is a high-level subject which should be tackled by BoD members.

  6. Catalystic converter
    July 30, 2022 at 12:28 AM

    The Board is composed of humans with brains that have a ways-of-working “software package” built in – regular upgrades are often iterative – looping through repetition and refinement. Other times, challenges, catalystic in nature, quicken the impetus to succeed.
    The best Board brains tolerate the regular and thrive in catalyst events that push the boundaries. Norman refers to committee capability able to ‘quickly’ sift more detail at lower than enterprise levels, often the thrivers. Cross-functional “opt in” committees attract the best talent and skill to effect tangible outputs for later use by the Board of Directors, whose day job is that of strategy and risk.
    A Board members’ course on risk therefore IMHO would deliver less benefit than, say, providing each Board member executive-level 1:1 coaching directly upgrading the software package. IMHO transformation of risk – working 1:1 with executives – why that score, what else, had you reviewed the as-is – demonstrated a lack of thinking capability. Some get to the Board by being good at what they do. Strategy and risk doesn’t always feature. Hand rubs and back slaps often do.
