Risk has become a popular four-letter word in the world of corporate governance, yet it has been part of the business environment long before the first formal public board was ever elected. While there is no question that risk oversight for the protection of the shareholders is one of the core responsibilities of the board, the risk-reward thought process is inherent to any strategic or procedural decision a business will make.
I’m not sure I can point to a single incident that brought risk to the forefront in the boardroom, but the extensive work by COSO in 1985 is surely a significant event. COSO is the Committee of Sponsoring Organizations of the Treadway Commission, which is a joint initiative of five private sector organizations dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. COSO’s impact has come in the form of thought papers, research and ERM framework recommendations over the last 30+ years.
I could spend hours discussing the board’s involvement in enterprise risk management, but in this article, I want to focus on two questions that boards should be asking themselves when they think about their role in risk oversight.
“Owns” may not be exactly the right word, but this question has been bantered about for so many years that I don’t want to lose the context. In the truest sense of the word “own,” the simple answer is that the board as a whole owns risk oversight. Even though risk is spread across the organization and across various board committees, the simple answer is that the entire board “owns” and is legally responsible for risk oversight.
So let’s discuss who on the board actually performs the function of risk oversight, which is what we mean when we consider the concept of “ownership.” Two truths about board involvement in risk oversight in today’s companies are self-evident:
The reality is, when the NYSE amended its listing requirements in 2002, audit committee agendas weren’t as overwhelmed as they are today (and there certainly wasn’t the same focus on cyber and data security). If we could convene that 2002 commission today, I believe the risk oversight instructional language would be quite different and take into account the changes that have occurred in the new digital business environment.
I have grown to favor the idea of a risk committee for many company boards, especially when they can structure that committee to have a chair (who invariably does much of the committee’s heavy lifting), but also include the chairs of audit, compensation and nom/gov who provide needed communication about what risks reside in each committee’s monitoring processes. This committee would also be responsible for thinking through black swan events and other global risks not normally discussed in business division strategic planning.
I offer this as just one alternative to a host of other successful structures that have gotten the job done at today’s companies. The key here is executing any process put in place. Most companies house monitoring and legwork in the audit committee. Audit committee members typically possess the temperament and process-oriented minds required to oversee the policies, procedures and structures necessary for financial or operating risks. At the same time, their skill sets are not always perfect for black swan, reputational or governance risks, which seem just as prevalent these days. All this lends to my understanding that structure and ownership isn’t nearly as important as communication and execution. Maybe the question should be “How successful is our board in monitoring the company’s risks?” versus “Who owns it?”
When I think of balancing risk and reward, a lot of factors come into play: risk appetite, risk tolerance, corporate culture, innovation and market disruptors (just to name a few). As a former corporate director, I was always challenged by the conflicting issues of building versus protecting shareholder value. What is the right amount of calculated risk-taking that still allows us to benefit from the rewards?
Once again there are different structures and processes that companies use to analyze current and future risks and to decide whether they meet financial/capital and strategic guidelines. As a board member, I always tried to ask the stress test question on major strategies. What’s the risk and reward on having everything go as planned and what is the worst-case scenario? Then, by looking at the likelihood of strategy disruptors (economy, interest rates, competitors, technology, etc.), I can decide how risky certain major initiatives are and make an assumption of how likely it is to contribute to shareholder value.
And don’t forget the importance of one’s corporate culture or risk culture. What is the tone at the top on risk-taking, values, innovation, etc.? The Institute of Risk Management describes an effective risk culture as “one that enables and rewards individuals and groups for taking the right risks in an informed manner.” Boards need to ensure that compensation, data systems and other support systems assist key decision makers.
The bottom line is that risk oversight is one of the toughest of all board duties. Constantly evaluating your processes and ERM performance will help you be a better board and company.
TK Kerstetter is the CEO of Boardroom Resources LLC and is a second generation pioneer of governance thought leadership and board education. He can be reached at firstname.lastname@example.org.