Words of wisdom: the role of the board in risk oversight
March 2018 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
March 2018 Issue
In a world where risk seems to lurk around every corner, companies are well advised to gain insight into the risks they face by tapping the wisdom of the group of people who sit in and around the very top of their organisation: the board.
The stock-in-trade of the board is guidance. In today’s risk environment – be it strategic, operational, industrial or cultural – the oversight that a board can provide can be of enormous benefit to senior management and is perhaps needed more now than ever before.
Indeed, as a recent survey of more than 700 board members conducted by Protiviti and North Carolina State’s ERM Initiative makes clear, risk in 2018 is plentiful. According to the survey, the top 10 risks for 2018 are: (i) rapid speed of disruptive innovations and new technologies; (ii) resistance to change in operations; (iii) managing cyber threats; (iv) regulatory change and heightened regulatory scrutiny; (v) organisational culture not encouraging timely identification of risk; (vi) succession challenges and ability to attract and retain top talent; (vii) privacy management and information security; (viii) economic conditions; (ix) inability to harness analytics and Big Data; and (x) existing operations meeting performance expectations.
In another treatise on risk, and one that highlights the ultimate responsibility of the board, the UK Financial Reporting Council’s (FRC) ‘Corporate Governance Code 2018’ states that “the board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives… and should maintain sound risk management and internal control systems”.
That is the theory. In reality, the Code’s tenet is not universally adhered to. Despite the myriad risks they face, many boards fail to consider their company’s level of exposure – only stepping up to the plate when risk becomes a crisis and damage has already been done. With this in mind, and personal reputations potentially on the line, the need for the board’s role in risk oversight to be clearly delineated is indisputable.
“It is essential for any board to concern itself with risk, regardless of how well organised the risk function is within the organisation,” says Will Dawkins, leader of Spencer Stuart’s UK board practice. “Since the 2009 Walker Report review of corporate governance in UK banks and other financial industry entities, the boards of most financial institutions have a risk committee, but the proposed revisions to the UK Corporate Governance Code make it clear that, absent a risk committee, it is the audit committee’s responsibility to review the company’s internal control and risk management systems.”
That said, risk is of course an issue that should be viewed in far broader terms than just internal controls. “There are plenty of existential threats to worry about,” continues Mr Dawkins. “Geopolitical uncertainty, cyber attacks, shareholder activism, societal expectations, growing scrutiny and an erosion of trust, business model changes brought about by sector disruption, and so on. And then there are black swan events. The board has to be on top of all these issues and working with management to anticipate their potential impact and identify susceptibilities within the business.”
For Stephen Alogna, director of strategic risk at Deloitte, in addition to understanding the risks a company faces, the board must also oversee management’s processes for identifying, reporting and managing those risks. “Both the risks and the relevant processes must be discussed,” he advises. “This covers a lot, so boards must foster an open, ongoing conversation about risk with management. Key risk areas for most companies include strategic, financial, operational, regulatory, compliance, legal, technology and reputation risk.”
It is no easy matter to determine at what point a company’s board should get involved in enterprise risk management (ERM) practices and strategies. Monitoring risk scenarios is one thing; actively getting involved is another.
“Boards are realising that their role providing risk oversight must evolve to keep up with increasing risks,” suggests Michael Rossen, managing director of Deloitte’s Global Center for Corporate Governance. “Some boards are working with management to clarify and approve the organisation’s risk appetite statement that highlights the aggregate level of risk that management is willing to take in pursuit of its strategy.”
According to Sharon Lindstrom, managing director at Protiviti, a board’s oversight of risk management should extend across five critical areas. First, strategically, risk should be integrated into a company’s strategy-setting and business planning and align with effective communications and image and brand building. Second, culturally, strong corporate values should be supported by appropriate performance incentives and a positive culture regarding compliance with laws, regulations and internal policies. Third, from a quality standpoint, there should be a priority focus on positive interactions with stakeholders, such as shareholders, lenders, customers, suppliers, regulators and employees, as well as quality public reporting. Fourth, operationally, there should be a strong control environment and company performance relative to competitors. Finally, related to organisational resiliency, crisis management preparedness should enable a world-class response to a high-profile crisis.
Another option is for boards to consider commissioning a regular, independent ERM review. “This will allow the board to identify gaps and put in place remedial plans where risks have been identified,” explains Tom Griffiths, associate director at Lysis Financial. “While the board itself may not need to be involved in the detail of such reviews, they do need to appoint a person who reports to them to manage such programmes effectively and without prejudice. By stating clear goals and meeting these based on fact, rather than trying to avoid accepting failure, an ERM process can evolve into an effective and essential piece of fabric in the firm,” he suggests.
With boards starting to recognise the magnitude of the emerging risks their companies are facing, it is certainly beneficial for them to become as familiar as possible, as early as possible, with these risks in order to provide timely oversight.
“With advances in technology and media platforms, investors and other stakeholders now have the ability to comment in real time on how a company responds to an issue which often places it in the media spotlight,” says Mr Rossen. “Boards, and management, need to be cognisant of the opportunity to leverage their successful response to a risk or crisis to their benefit. It can serve as a way to enhance reputation.”
When it comes to corporate reputation, Mr Dawkins believes boards are now more likely to treat this as a serious governance issue. Thus, reputational issues are increasingly being factored into risk management.
“Addressing reputational issues thoroughly involves considerable forward planning, rather than merely reacting to events,” suggests Mr Dawkins. “Boards are increasingly challenged by the multidimensional aspect of corporate reputation and the need to understand how different issues affect different stakeholders. They are acutely conscious that risk and reputation are closely intertwined, and that in order to avoid the potential consequences of risk becoming reality, corporate reputation has to be nurtured as carefully as other key business assets.”
Indeed, there are few tasks as formidable as rebuilding a battered reputation. To this end, the value of presenting a company’s positive contributions to society should not be overlooked. “This is even more important at a time when the wider role of business is being debated and sectors such as financial services are facing tough questions about their duties and responsibilities to society,” says Mr Dawkins.
“The readiness of any board to cope with risk is entirely dependent upon the constitution, experience and merit of its members,” says Mr Griffiths. “Often, board members who have held the position for a long period of time are less adaptive to identifying and indeed resolving risks, as they may feel a certain amount of personal attachment to the failing. This is why changing the members of the board, and taking the view of independent non-executive directors, will help in providing an impartial approach to dealing with risk.”
While the assumption is that a board consists of a group of people with a diverse range of backgrounds and industry experience – hence their ability to bestow knowledge and provide guidance – it must be recognised that this may not always be the case.
According to PwC’s 2017 report ‘Why your board should take a fresh look at risk oversight’, antitrust regulations can make it a challenge to have many directors with deep industry knowledge on a company’s board. The report notes that “this can make it harder for boards to have in-depth understanding of the key risks or spot risks that management has not already identified”.
Furthermore, the challenge may be more evident in highly specialised or regulated industries; for example, a director with services or general manufacturing experience may not be familiar with the more unique risks at insurance or pharmaceutical/biotech companies.
As the World Economic Forum’s (WEF) ‘The Global Risk Report 2018’ makes abundantly clear, risks are becoming “increasingly complex, systemic and cascading”. With the world facing a multiplicity of challenges, the response must be equally extensive, and boards have an important role to play in this regard.
“The situation is dynamic,” says Mr Dawkins. “Risks are changing and new ones continually surfacing. As we have seen many times since the turn of the century, when things go wrong and risks are underestimated or ignored, the damage can be devastating. This threat should ensure that risk management remains one of the board’s key activities and preoccupations – but not to such an extent that it obstructs innovation and progress. The board has a fine line to tread in this regard.”
Going forward, in the view of Mr Rossen, to respond to existing and new risks, boards should be well informed of their company’s risk environment and learn of the processes management has in place to respond to and mitigate such risks. “Boards need to become comfortable with not only overseeing the traditional and emerging risks, but to also understand how these risks pose a threat to their risk environment – in an attempt to ultimately protect and enhance the company’s reputation,” he says.
With the emergence of new risks likely to continue in 2018 and beyond, for many companies, the fundamental truth is this: when it comes to an appreciation of risk, the wisdom of the board is a useful ally – a repository of experience which anyone immersed in the risk function would be foolish to overlook.
© Financier Worldwide