The pendulum of board-level risk management has shifted. For many public companies, intentional risk management has evolved in recent years from virtually nonexistent to finance department driven (focusing on internal control) to operating segment driven (involving division heads and the various compliance functions) (see The Link Between Risk Management and Compliance). At the board level, risk management was typically limited to Audit Committee oversight of financial reporting.
In recent years, however, directors have become educated on the concept of enterprise (not just financial) risk management and on their ultimate responsibility for its effectiveness. More and more, the board is asking pointed questions about how the company’s enterprise risk management functions and how the board can better fulfill its fiduciary duties by being more involved. Management, on the other hand, may struggle to translate its detailed, operations-oriented risk management plan into macro concepts that the board can work with (see Determining Risk Appetite).
Director interest is certainly a good thing. It is no secret that a key to effective risk management, and a host of other corporate culture positives, is a strong tone at the top. The challenge is determining how to, and how much to, involve the board in what is essentially a detailed, process-driven, vernacular-laden exercise of risk assessment and process implementation that encompasses every corner of the company. (It doesn’t help that many consultant-generated risk management plans, though carefully crafted and well-intentioned, can be nearly indecipherable.)
A subset of risk management foremost in the minds of many directors is crisis management, which is really the same thing as risk management but with much more urgency and potentially bigger consequences (see this Doug’s Note.) Directors want to understand exactly what happens, how it happens and what their role will be if and, almost inevitably, when a crisis occurs. You might think that most companies already have a well-oiled crisis management strategy that efficiently funnels essential information to the board so that prompt, clear-headed decisions can be made and risks mitigated. You would, however, be wrong.
The point is this:
Expect your 2014 board to be more focused than ever on enterprise risk management and to be unwilling to accept generalized responses to their questions. Your directors are being peppered with outside presentations and articles that emphasize their expanding responsibility for reviewing and overseeing enterprise risk management and ensuring that the proper systems are in place. Boards are also being increasingly scrutinized for their roles in corporate scandals and crises. They are right to be interested.
To be (or stay) ahead of this issue:
- Be sure you know and they know the board’s proper role in risk management and crisis management.
- Find out whether your directors are getting the risk management information they want and in the form they want to receive it.
- If risk management oversight is not already a regular agenda item, consider how to make it one.
- If risk management is already a regular agenda item, consider whether it’s merely a rote exercise. Your directors may prefer to allocate more time for substantive, strategic discussion.
- Determine whether the board understands and is satisfied with its role in crisis management.
- Don’t be surprised if the board requests a detailed review and report regarding the company’s enterprise risk management program and suggestions as to how it can be more involved going forward. Develop alternative approaches for them to consider.
While this may sound like a dangerous game of Whac-A-Mole (after all, you already have too much on your plate), it’s better to approach your board proactively, rather than waiting for them to take the initiative, due to the topic’s growing visibility. Doing so lets you better control the timing, process and results and further strengthen the board’s confidence in management.