Risk Oversight: Faster, Higher, Stronger
NACD first published the Report of the NACD Blue Ribbon Commission on Risk Oversight in 2002 as the implosions of Enron, WorldCom, and others created an economic upheaval that prompted reforms from government regulators and the exchanges. The Commission was convened to provide practical guidance to boards in those turbulent times.
The Report's introduction begins with the following hypothetical scenario: "The stock market plunges, and a major company declares an unexpected bankruptcy." This prophetic introduction neatly forecast the recent collapse of financial titans and subsequent stock market turmoil. Questionable decisions by the financial industry and the credit rating agencies sent our economy into what many call "the worst economic crisis since the Great Depression." The question now is: How do we keep it from happening again?
Over the past few years, as companies booked large net gains from high-yield business transactions portrayed as solid investments, too few asked, "Is this too good to be true?" Concerned groups such as the Organization for Economic Cooperation and Development have concluded that corporate governance routines did not sufficiently safeguard against excessive risk taking. Boards must now exercise risk oversight as never before.
For years, NACD has advocated for increased attention to risk and its oversight. The current economic crisis should be a wake-up call for all boards to renew their focus on this difficult but critical subject. Boards should seek to mold their risk oversight practices around Key Agreed Principle VII, Attention to Information, Agenda, and Strategy. This principle stresses that governance structures and practices should be designed to support the board in determining its own priorities, agenda, and informational needs, and to assist the board in focusing on strategy and risk. The recommendations from the report, when followed, offer practical and principled guidance on maintaining that essential risk oversight infrastructure. This section summarizes those recommendations.
Mitigating Risk
The ultimate goal of a risk program is to mitigate the risks in the implementation of a strategy. Eliminating risk entirely is impossible and even undesirable because a certain amount of risk is inevitable in any activity, and often necessary to make a profit. Setting the right example can go a long way in detecting and preventing undue exposure to risk. Strong corporate culture, reputation, and credibility can mitigate the impact of a crisis situation. The board should proactively encourage, through written policies and individual director actions, a "tone at the top" that conveys basic values of ethical integrity, as well as legal compliance and strong financial reporting and controls, to all levels of the organization. Management should be risk-minded as they create systems for employee selection, retention, training, and compensation.
Strategy and Risk Appetite
Companies have different levels of risk appetite. Calculating a company's tolerance for risk requires sustained attention to various elements. To fully assess an organization's risk appetite, the board must be constructively engaged in assessing the company's strengths, weaknesses, opportunities, and threats. The board should also recognize that the corporation's strategic goals may need to change in conjunction with changes in its risk exposure and that, conversely, a company's risk exposure will change as its strategy changes. Additionally, directors need to consider a broader view of risk by factoring in other stakeholders such as employees, customers, and suppliers. A fully developed risk profile encompasses the impact on and from these groups.
Risk Identification
Every company must deal with uncertainty. Generally, management should identify and list the specific material risks the company faces, indicate the likelihood that they will actually occur, and estimate their potential cost versus the cost of prevention. However, management cannot conceive of every possible risk. For their part, boards should probe the legitimacy and scope of management's assessment through constructive skepticism. Directors must help identify potential risks and provide scenarios that management may not have considered. It is unforeseen risks, not the predictable ones, that have the potential to cause the most problems for a company.
Monitoring Risk
Directors should continually monitor the financial health of the firm, ensuring accurate accounting and safekeeping of corporate assets. Appropriate attention must be given to detecting and deterring significant risks, particularly those that exceed the established tolerance levels of the company. Directors also must pay increasing attention to risks related to the security of information and information technology. An important element of risk identification and monitoring is ensuring the quality, dependability, and timeliness of information. Management and the board cannot afford information overload, or information that is out-of-date, incomplete, or irrelevant. Management must provide accurate reports on past incidents, current risk management activities, vulnerabilities, and red flags.
Crisis Response
The board is responsible for ensuring that sound crisis response planning has occurred. Such plans should enable the board to continue to oversee management, and enable management to continue to run the company during a crisis. Planning will help the board and management know what to focus on, decreasing the potential for mistakes by decreasing the number of decisions that must be made on the fly.
The board should remain informed during a crisis. When the situation is most critical, the CEO and the board (or board committee) should be in frequent contact. Management and directors should consider engaging appropriate independent advisors, including crisis management specialists, and they should weigh any advice carefully before acting on it.
Future Challenges for Risk Oversight
Building on NACD's general Principles, boards should set new priorities in response to the new environment. Despite the previous work by NACD and others, there is still need for continuing improvement. As boards move forward, they must prioritize their work in risk oversight. This paper suggests four areas of focus.
1. Assignment of Risk Oversight Responsibilities
Typically, the role of risk oversight is placed within the audit committee. According to the 2008 NACD Public Company Governance Survey (NACD Survey), 66.7 percent of companies assign the majority of risk-related tasks directly to the audit committee. The audit committee, however, is the most heavily burdened committee on the board.
The combination of risk oversight with other mandated responsibilities can be overwhelming. While risk events may ultimately find their way to the audit committee because of its responsibility for oversight of financial reporting, other committees as well as the full board should participate. Many risks (e.g., technological obsolescence, product quality, mergers/acquisitions, and sales practices) lie outside the audit committee and require other committees—if not the full board—to oversee. The full board may want to consider assigning oversight of risks to certain committees to help ensure adequate coverage.
Currently, only one out of four boards uses the full board for its risk oversight, while an even slimmer 6 percent use a risk committee. Boards can benefit from weighing the pros and cons of these different oversight paradigms for their companies. Whether directors use the full board or committees, they must devote greater attention to the primary duty of vigorously probing and testing management's assumptions.
Risk oversight is a full-board responsibility. However, certain elements can be best handled at the committee level with the governance committee coordinating those assignments. Similarly, the board must ask management, "Who is the owner of each risk area?" Management should identify the personnel responsible for managing and mitigating specific risk areas. Assignment of senior-level responsibility will improve the accountability and reliability of information coming from management.
2. Improved Risk Identification Procedures
Management has the primary responsibility for the identification of risk. In a recent NACD member poll, a large majority (76.3 percent) of directors indicated that management provides directors with the information they need to effectively execute their risk governance role. However, those same directors said that two of the top challenges in providing risk oversight are: 1) management's capacity to define and explain the organization's risk management structure and process; and 2) the organization's capacity to identify and assess risks.
Directors are increasingly concerned about risk oversight and will become more actively engaged in supporting the company's efforts to manage risk. Boards can prepare by selecting directors who have broad experience as well as industry expertise.
Directors must then utilize their internal and external sources of information. Internal auditors can serve a crucial function because they are often on the front lines in identifying the likelihood of risk events and can raise these issues to the board level. Externally, outside sources of information, such as consultants or even D&O insurance agents, can provide new insight beyond what management supplies. Directors should also be aware that in some of the recent corporate meltdowns, the high-risk behaviors occurred in relatively small pockets of large companies. Therefore, understanding smaller high-risk operations is an important element.
3. Risk Models
If the current economic downturn has taught us anything, it is that our risk models should not be the only source of risk information. Risk models can be extremely useful, especially in the financial services area, but models are only a tool, one that requires judgment to use. Not all risks can be quantified and neatly placed in a model. Furthermore, sole reliance on any model can itself pose a risk. The greatest risk for many companies is the combination of inappropriate governance practices with imperfect models.
Directors must learn and understand the limitations of models. For example, models rely on probability, which is based on history, but this current economic environment is without recent precedent. There is room, however, for improvement of our risk models. Models can be more strenuously back-tested—taking risk migration into account—and then updated to reflect current economic scenarios and other environmental issues.
Also, some current models failed by making faulty assumptions—including inflated values for assets used as collateral in derivative securities. This led to catastrophic collapse in some cases—not only in the financial industry but others as well.
4. Information Flow
Information that is relevant, accurate, and timely is critical to the task. Boards often cite the problem of "information overload." However, the issue is not just quantity, but quality: much of the information may be irrelevant and may lack the quality of real risk intelligence.
Boards should consider what information they receive and from whom. In addition, boards need to manage the risk of asymmetrical information—information that comes from one perspective, that of management. Depending on the corporation's size and complexity, the board may wish to identify a senior officer (EVP or CRO, for example) with the responsibility for reporting on enterprise risk to the board, or an appropriate committee, on an established schedule.
However, no amount of information, in any format or from any source, can serve as a substitute for a culture of open, effective information flow. Management and directors need to discuss both positive and negative results in the business. Boards and management can develop a dialogue around "tolerances," where the board must ask three things: What limit was passed or what went wrong? How do we plan to go back within limits? Are the tolerances accurate?
The tolerance dialogue must always be linked back to the business plan, associated risks, and long-term sustainable rewards. Board and committee leaders should also have regular one-on-one communications with the CEO and other senior managers, outside of board meetings, to keep abreast of their perspectives.
Finally, and perhaps most importantly, there is the culture of the board. Boards should consider if there is sufficient skepticism expressed in an acceptable way during some of these critical conversations about risk. There is no substitute for wisdom carefully articulated in a timely fashion.
The NACD White Paper Series I and Key Agreed Principles are not meant to prescribe a specific course of action; they point toward a direction—one that only the board, with management, can choose. The time to make that choice is now. Directors are leading the way to help restore confidence in the corporate governance of U.S. companies through the Director Challenge campaign. To obtain the Principles and White Papers, along with discussion tools for exploring them in your own boardroom, visit www.nacdonline.org/directorchallenge.