How to tell if your company is taking on too much risk
The aftermath of the corporate meltdowns at Lehman Brothers, AIG, Merrill Lynch, and others has left board members in all sectors—not just financial services—asking themselves whether they need to get a better handle on the risks facing the organizations they govern.
To gather insights on this important topic, I spoke to Wendy Lane, a former investment banker with Donaldson Lufkin & Jenrette and Goldman Sachs (GS), who has firsthand experience with a corporate crisis, having served on the board of Tyco. Lane currently serves on three other boards, including UPM-Kymmene, a global forest products company in Helsinki. Edited excerpts of our conversation follow:
Wendy, how can board members get a good handle on the risk appetite of the companies they govern—and whether they should be ringing any alarm bells?
Start by looking at the balance sheet and cash flow statements to see how much risk the company can absorb. It's often useful to do some analysis to determine, for example, by what percentage your assets or cash flow would have to drop before you were in trouble, and what could cause such a drop—alone or correlatively. If the drop were small, that could be a cause for concern.
Also, look at your current leverage ratio and asset and liability mixes, and then look at what they were one, three, and five years ago. Have they been relatively consistent or are you seeing dramatic changes over time? If so, why has that happened? How comfortable are you with this shift and how the change in risk is being managed?
What are some of the underlying risk issues that board members need to watch out for?
One important issue is whether the company is taking on new kinds of risks—especially if they lie outside of its primary business. AIG and Lehman Brothers were not primarily real estate companies. Yet, what caused many of their problems were loans, swaps, and derivatives relating to real estate.
Any time a company is taking on significant levels of risk outside its primary business, board members should ask some pointed questions about the company's experience and capability in this new area.
What impact has globalization had on risk?
There can be many different risks associated with global assets—political, currency, and cultural—among others. Cultural risks are particularly subtle and pervasive. Board members need to look back over the last three to five years to determine how the company's business risk profile has been changing through globalization. Also ask: How are these global risks being managed, and by whom?
Many companies do an annual strategic planning session with their board. Do you have any recommendations that could help boards address risk issues at these sessions?
Most boards conduct a risk assessment in parallel with their annual strategic planning session. Beyond that, however, I recommend that the board include a valuation of the company, including its breakup value and any hidden or undervalued assets. Over time, this will provide perspective on where value is being created—or lost—within the company. This provides an important context for evaluating strategic plans and risks and for responding to unsolicited bids for the whole or parts of the company.
Wendy, you chaired the audit committee of Laboratory Corporation of America Holdings for 10 years and serve as a member of the audit committees of Willis Group Holdings and UPM. Even the strongest audit committees sometimes wonder if they missed anything. What questions would you recommend audit committees ask to ensure that the key risks have been surfaced?
Two primary roles of the audit committee are to oversee the integrity of the financial statements and the systems that provide information for these, which means having sessions with external and internal auditors and IT people. Audit committees should hold executive sessions with just the committee and the external auditors and similar sessions with just the internal auditors.
At the end of each of those sessions, I recommend asking these four open-ended questions:
1. Is there anything we should have asked you but didn't?
2. Were there any pressures exerted on you by management or anyone else not to do something in conducting the audit or preparing the financial statements, or to account for items in a different way?
3. If these were your financial statements, would you prepare them the same way? If not, what changes would you make and why?
4. Even if our financial statements meet GAAP standards, are they in any way misleading?
I'd also urge any audit committee members to consider carefully the information they receive. Recognizing that you are dependent on information provided by management and the auditors, determine whether there are any major gaps in the information in terms of what the committee really needs to do its work.
And what if there are any?
If you identify any, the committee needs to discuss with the internal and/or external auditors how these can be filled. For example, if you are on the board of a huge, decentralized, diversified, international company, risk assessment might suggest that the primary risk is "in the field." However, you need to be mindful that risks can exist domestically at headquarters as well and get those addressed.
Often there is a trade-off between the "nice to have" information and the time and expense involved in creating it. If the members of the audit committee really feel there is some "must have" information missing from what it receives, it needs to be firm about this requirement and ensure that steps are put into place to address it. In addition, they need to follow up, follow up and follow up on recommendations.