For those of you that know me or have been a student of mine know that I constantly rant about knowing and understanding the client’s business, in order to intelligently comprehend and appreciate the risks the business faces. Well the same goes for the board of directors.
Obtaining an understanding of the client’s business is key to effective oversight, including enterprise risk management, and also helps in building and maintaining a positive relationship with management.
Understanding the business and the space it operates is an ongoing process. I suggest starting with understanding the business strategy – where are we today, where are we going, and how are we going to get there? Then inquire about and understand the obstacles and hurdles the business may have to maneuver around or jump over. This simple exercise will help flesh out or clarify the key risks that need to be monitored and managed. In my opinion, Jim DeLoach said it best, “Risk is often an afterthought to strategy, and risk management is an appendage or “side activity” to performance management.” He’s right!
The National Association of Corporate Directors outlines five categories of risks facing each board, but more importantly, they provide a context for Boards and management to understand the scope of the Board’s risk oversight, as well as the delineation of the Board’s oversight responsibilities and management’s responsibilities for identifying, evaluating, managing and monitoring risk.
- Governance risks – these risks relate to directors’ decisions regarding Board leadership, composition and structure; director and CEO selection; CEO compensation and succession and other important governance matters critical to the enterprise’s success. Often, these decisions require directors to weigh the pros and cons associated with alternative courses of action. While Boards can periodically benchmark their processes for evaluating these matters by considering best practices employed by other Boards weighing similar decisions, they often must rely on their collective business judgment, knowledge of the business and information provided by third-party advisers, including search firms, compensation consultants and legal counsel. Key point: These matters are exclusively within the Board’s domain.
- Critical enterprise risks- These risks are the ones that really matter, the top five to 10 risks that can threaten the viability of the company’s strategy and business model. Certain risks require directors to [understand the business so that they] have the necessary information that will prepare them for substantive discussions with management about how these risks are managed. The criticality of these risks – such as credit risk in a financial institution or supply chain risk in a manufacturer – may require full Board engagement as well as an ongoing oversight process. While management is responsible for addressing these risks, the Board should consider its own information requirements for understanding management’s effectiveness in addressing them. For example, the Board might require management to report on the impact and likelihood of the risk on key strategic goals as compared to other enterprise risks, as well as the status of risk mitigation efforts with input from the executives responsible for managing specific risks. Other examples of relevant information useful to the Board might include the effects of technological obsolescence, changes in the overall assessment of risk over time, the effect of changes in the environment on the core assumptions underlying the company’s strategy and interrelationships with other enterprise risks. Key point: These risks should command a prominent place on the Board’s risk oversight agenda. The Board should satisfy itself that management has in place an effective process for identifying the organization’s critical enterprise risks so that the Board’s risk oversight is properly focused.
- Board-approval risks – These risks relate to decisions the Board must make with respect to approving important policies, major strategic initiatives, acquisitions or divestitures, major investments, entry into new markets, etc. Through careful consideration and timely due diligence, directors must satisfy themselves that management’s recommendations regarding these matters are appropriate to the enterprisebefore approving them. Therefore, such matters may prompt the Board to ask questions regarding the associated rewards and risks and even request further analysis before approving management’s recommended actions. Key point: The matters requiring Board approval are often specified in the corporate bylaws and various charters of the Board and its respective committees. That said, changes in the business may necessitate that the Board and executive management remain on the same page as to what requires Board approval. It is important that the Board approve major strategic and policy issues on a before-the-fact basis.
- Business management risks (i.e., the normal ongoing risks) – These are the risks associated with normal, ongoing day-to-day business operations. Every business has myriad operational, financial and compliance risks embedded within its day-to-day operations. Because the Board simply does not have sufficient time to consider every risk individually, it should identify specific categories of business risks that pose threats warranting attention and determine whether to oversee each category at the Board level or delegate oversight responsibility to an appropriate committee.For example, the audit committee traditionally oversees financial reporting risks. Other business risks might include: operational risks associated with internal processes, IT, intellectual property, customer service, obsolescence, manufacturing and the environment, financial risks such as excessive leveraging of the balance sheet, compliance risks such as non-compliance with a new complex law and reputational risks such as those that threaten the company’s brand image. With respect to all of these risks, it is management’s responsibility to address them. If any of them are critical enterprise risks, they warrant the Board’s full attention (as noted earlier). Key point: The Board’s committees may oversee many of these risks in accordance with their chartered activities. Typically, periodic reporting coupled with escalation of unusual developments requiring Board attention will suffice.
- Emerging risks and nontraditional risks (e.g. cyber, climate change, slowdown in foreign markets, disruptive technological innovation) – These are the external risks outside the scope of the first four categories. While management is responsible for addressing these risks, directors may need to understand them. The effects on the business of demographic shifts, climate change, catastrophic events and new cybersecurity threats are examples. Key point: The Board needs to satisfy itself that management has processes in place to identify and communicate emerging risks on a timely basis. Such processes enable management and the Board to be proactive.
The above risk categories provide a useful context for Boards and executive management to ensure the scope of the risk oversight process is sufficiently comprehensive and focused.
Understanding the business is essential and will allow you to be a better board member because it will enable you to provide more valuable feedback on the risk management process, the internal control structure, the financial statements and disclosures, and other areas. It will also fine tune and help calibrate your degree of skepticism when evaluating the reasonableness of the answers received to the questions we ask.
Don’t be fooled, do your homework!
I welcome your feedback.
Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward, National Association of Corporate Directors