Rethinking risk management | Directors and Boards


Anticipating emerging risks means reshaping the board of directors.

Risk management is often cited as one of the top two or three items on boardroom agendas, but many companies have found themselves unprepared for a variety of recent shocks, including the COVID-19 pandemic, the great resignation, cybersecurity events, labor shortages and supply chain disruptions.

The scope of risks for public companies and large private companies has increased exponentially in recent years, but few organizations have gone far enough in evolving and expanding their risk management approach to keep up with the rate of change. This is one of the reasons regulators have stepped up enforcement of board requirements regarding fiduciary duties.

In some cases, boards may need to update their view of the world’s ability to cope with risk. These views may include the expectation that supply chains are endless, labor is unlimited, and the United States is always capable of innovating to solve problems.

This is not the world in which businesses operate today. The World Economic Forum, Control Risks Global Risk Survey, McKinsey and others have identified several of the most significant areas of current and emerging business risk. Key risk areas include:
• Good understanding and articulation of enterprise risk appetite, risk review objectives, and existing and emerging risks.
• People and talent.
• Mergers and Acquisitions.
• Digital transformation.
• Cyber-security.
• Climate risks and action.
• Future pandemics or similar situations.
• Supply chain vulnerabilities.
• Regulatory risks.
• Political risks.

These risks present challenges on several levels. Boards of directors must intelligently identify, assess and manage risks, while simultaneously focusing on the business opportunities that may arise from the same issues. They must communicate risks not only to shareholders, but also to other stakeholders.

Today’s boards need to consider whether they have the right people, expertise, committees, and processes to deal with today’s high-risk business environment. Crises are likely to happen faster and hit harder. However, boards that make changes to better manage risk can succeed in making their companies more resilient.

Here are the changes boards should consider to improve their approach to risk management and better help their companies manage and mitigate emerging risks.

Filling information gaps

Most boards were not composed in today’s risk environment, and they may not have deep enough expertise in some of the most important areas of emerging risk. In addition, the company’s activities, business model or industry — or all three — may have changed significantly since certain directors joined the board. There may be an information gap between what management knows about the company and what the board knows.

There are many ways to bridge the information gap. Ask intelligent questions of management about risks and controls. Embrace your natural curiosity and try to absorb what’s happening in the company’s industry, competitive landscape, and competitive business models.

Also consider imposing the following on all board members:
• Involvement in the company and visits to company sites.
• Individual sessions with company executives.
• Training in business sectors and risk areas of the company.

Reorganize the composition of the board

Rapid change means that the board of the future may need to be very different from the board of today. Begin to create the board of the future through a concerted effort to appoint directors with specialized expertise in areas where the board is lacking. These new directors may be outside the contact circles of the current directors or the CEO.

Consider new directors who:
• Understand emerging risks.
• Have expertise in complex enterprise technology platforms.
• Know the issues and best practices of the company’s industry.
• Make the board more diverse.
• Have a good understanding of digital transformations and the underlying value proposition.
• Can intelligently articulate strengths, weaknesses, opportunities and threats in strategic approaches and tactical implementation plans proposed by management.

Guarantee the independence and objectivity of the board of directors

Non-executive directors know that, in order to represent the interests of shareholders and other stakeholders, they must exercise their supervisory function with independence and objectivity. But it’s not as easy in practice as it looks. Human nature struggles with independence and objectivity.

The more time a director spends on the board and in outside relationships with company executives, the more conscious effort they will need to make to think and vote independently and objectively. This is one of the reasons why Institutional Shareholder Services considers that a term of more than nine years could compromise the independence of directors.

One of the best ways for directors to become more independent and objective is to visit company sites. By asking questions of local employees, managers, and customers, directors can become more attentive to what’s going on in the business, learn about new risks, and better understand the controls the business has in place. To facilitate this, the company should consider providing each director with a travel allowance specifically to visit its sites.

Boards should also begin their meetings with executive sessions where only independent directors are in the room, with no one from management. When executive meetings are scheduled at the end of the agenda, they tend to be cut short or cut entirely.

Separating the roles of chairman and CEO

When the CEO is also chairman of the board, it can be difficult for directors to ask the tough questions and exercise the oversight that they are required to exercise. A non-executive board leader should set the agenda for board meetings.

Additionally, boards – not management – should be leading the risk management conversation. Rather than reacting to information provided by management, directors should identify the risks facing the business and then ask management how they are managing those risks. This proactive approach allows the board to exercise active governance and increase the resilience of the business by anticipating risks that management might not have considered.

Compose the risk management committees of the board of directors after the audit committees

The formation of a risk committee, headed by a director who has specific expertise in risk management, allows a dedicated group to take responsibility for this important area of governance. Ideally, the company should have a chief risk officer who works with the committee.

Without a risk committee, risk falls to all directors or all committees – and when everyone is in charge of risk, no one is. A risk committee and a chief risk officer give shareholders and regulators a clear indication of who is responsible.

The risk committee must:
• Be composed of directors with expertise in risk management.
• Have a charter that clearly describes its responsibilities.
• Have the authority to hire consultants paid by the company.
• Define risk tolerance and business appetite, providing guidance to management.
• Document risk assessments and questions posed by the board to management regarding risks.

Understand the benefits of proper risk management

A board that skillfully identifies, assesses and manages risk brings tremendous value to a company. For example, better management of current and emerging risks can help a business to:
• Maximize the value of mergers and acquisitions.
• Improve digital transformation efforts.
• Increase competitive advantage.
• Maximize the value of talent.
• Mitigate cybersecurity threats.
• Take a proactive approach to climate risks.
• Prepare to manage and recover from crises.
• Strengthen the supply chain.
• Mitigate regulatory risks.

Consider other changes

The changes described may not be sufficient to cope with a rapidly changing business environment. As boards continue to improve their identification, assessment and management of risk, directors may want to ask themselves the following questions:
• To further improve the ability of their boards to identify risks, should companies introduce their own board diversity requirements?
• Should the hassle-free environment of many conference rooms today, which can lead to complacency, be changed? In other words, should the directors, who are responsible for overseeing the company, be held liable for violations that fall under their oversight, including possible recovery of attendance fees?
• Can a director who has served on a board for 10, 20 or more years still be independent and objective? Should there be term limits for directors?
• Should directors be responsible for their attendance at board meetings, site visits and other activities? Should the number of board meetings a director attended and missed be included in the proxy? Should the board self-assessment process be strengthened?

These questions contemplate changes to the current structure and operations of many boards. But organizations that undertake them can gain a competitive edge and increase their resilience in the face of the next crisis.

Whatever changes directors consider, in today’s risk environment it is essential that they be sufficiently self-critical and vigorously assume their role of overseeing management. Boards should assess their strengths as well as their shortcomings, apply what they have learned from the “unimaginable” risks of recent years, and move forward with a commitment to improving their approach to risk management so that they can lead their businesses to a prosperous future.

Glenn Davis is Principal Emeritus and Director of Risk Management Services and Chandrasekar Venkataraman is Director of Corporate Governance and Risk Advisory Services at Kaufman Rossin.

