Duty of Oversight in Disruptive Times
Reliable ERM processes and metrics are essential for protecting companies from excess risk.
Earlier this year, I served on the faculty for the 27th Annual Stanford Directors’ College. The program brought together CEOs, public company directors, investors, regulators and scholars to examine a broad range of corporate governance, risk management, macroeconomy, geopolitical and technology topics.
A common theme was board oversight of strategy and disruptive risks, including the following key trends:
- Digital innovation. The adoption of digital technologies has accelerated by several years during the pandemic and will continue to be a critical success factor. Essential digital transformation initiatives include new business and operating models, customer interactions, workforce management, supply chain management, and automation and artificial intelligence. Board directors must ensure that IT resources, infrastructure and investments will prepare their companies for the future of business.
- Cyber threats. Stakeholders now expect board directors to provide effective oversight and disclosure of cyber risk. For example, the new SEC cybersecurity rule provides heightened standards for cyber risk management, board oversight and disclosure for public companies. In the current threat environment, board directors need to monitor high-impact trends like the security vulnerabilities of hybrid work and the advent of quantum computing.
- Geopolitical risks. The Russia-Ukraine war has directly and indirectly elevated geopolitical risks, such as higher energy prices, food insecurity, cybersecurity, supply chain disruptions and the risk of nuclear warfare. Another great concern is escalating tension between the United States and China. A well-informed national security expert estimated a greater than 70% probability that China will invade Taiwan in the next five years.
- Macroeconomic uncertainties. Businesses around the world face heightened economic risks, including rising inflation and interest rates, slowing or negative economic growth, powerful governmental monetary and fiscal actions, potential asset price bubbles, and fragile financial and energy markets. Given the severe economic uncertainties and negative trends, corporate directors and executives must strengthen capital and liquidity, streamline the workforce and develop contingency plans for high-impact economic scenarios.
- Stakeholder engagement. While delighting customers and satisfying shareholders are still essential to long-term success, businesses must also address the interests of other key stakeholders. Employees, regulators, business partners, special-interest groups and the public are holding companies accountable for their business practices on a wide range of ESG factors. Companies are increasingly caught between opposing groups on thorny social and political issues. One practical recommendation is to use a blue/red team approach to fully evaluate the actions and reactions that the company should consider.
Evolution of Risks and Duty of Oversight
Each decade of my 40-year career as a risk executive, management consultant, and public and private company director has brought new challenges and specific risks that companies have had to tackle. In the 1980s, the focus was on credit and market risks given the Latin American debt crisis, double-digit inflation and interest rates, and unexpected derivatives losses. In the 1990s, the focus shifted to operational risks due to rogue trading losses at Barings and Kidder, as well as massive accounting fraud at Enron and WorldCom. In the 2000s, strategic and systemic risks came to the forefront with the advent of e-commerce and the contagion market disruptions from the global financial crisis. Over the last decade, regulatory and reputational risks took center stage given heightened stakeholder expectations for DEI, climate stewardship, social justice, regulatory compliance and other governance standards.
Today, we are facing the confluence of all these risks. In addition to the significant and concurrent global risks, companies are working through the consequential effects of the COVID-19 pandemic. They are responding to extreme weather events that are increasing in frequency and severity. In this uncertain and volatile business environment, how should directors consider their fiduciary duties?
The duties of care and loyalty are the bedrock requirements for board service and fiduciary responsibility. Importantly, the duty of oversight is embedded in these fiduciary duties. Recent cases, including Marchand v. Barnhill, SEC v. Clovis Oncology Inc. and Boeing Company Derivative Litigation, have added new light and specificity to a director’s duty of oversight. These cases have put the onus on directors to monitor a company’s operations and key risks. Specifically, the board must ensure that:
- A risk and compliance system is in place.
- The system is working effectively on an ongoing basis.
- “Mission-critical risks” and “red flags” are reported to the board in a timely fashion.
- Management is held accountable for risk and compliance results.
One of my favorite movie scenes is from Raiders of the Lost Ark, in which Indiana Jones (played by Harrison Ford) casually shoots his enemy after the menacing villain displayed his expert swordsmanship. It was a funny take on “Don’t bring a knife to a gun fight.”
Unfortunately, a similar scene is being played out across corporate boardrooms. When faced with dynamic and volatile risks, directors are ill-prepared to exercise their duty of oversight if they are supported by inadequate risk management processes. I have closely examined over 100 enterprise risk management (ERM) programs across different industries. Based on this work, I noted three major pitfalls with respect to how risk, compliance, cybersecurity and internal audit teams report to and communicate with the board.
- Don’t do stupid. Many companies use rudimentary risk assessments and heat maps to identify and report key risks to the board. The common methodology is to rate each risk from 1 to 5 (lowest to highest) for probability and 1 to 5 for severity. The probability rating is then multiplied by the severity rating to produce a “risk score,” and the results are displayed on a heat map. This methodology is widely used but fundamentally flawed. Consider that each risk has a range of probabilities and severities (i.e., a distribution curve), which cannot be captured as a single point estimate on a heat map. Nonsensical results are often produced. For example, the risk score for a cyberattack that is blocked would be a 5 (5x1), given its inherent high probability (5) and low severity (1). Yet the risk score for a cyberattack that results in a major data breach would also be a 5 (1x5), given its inherent low probability (1) and high severity (5).
- Don’t do lazy. Risks are often defined and measured as nonperformance of a business objective. This is too simplistic. For example, if the company wants to maintain 99% or greater availability of its core operating systems, then the risk would be defined as downtime and measured against the 1% maximum allowance. That represents lazy thinking and produces backward-looking metrics and reports. Instead, risks should be defined as the underlying variables that can result in downtime. In this example, these underlying variables may be internal (IT capacity) and controllable (cybersecurity tools), as well as external (customer order flows) and uncontrollable (denial-of-service attacks). With better definition and quantification, more actionable metrics and useful reports can be produced.
- Don’t do boring. Board reports and presentations provided by risk, compliance, cybersecurity and internal audit teams often focus on key accomplishments, progress reports, and major plans and initiatives. While well-intentioned, this information does not support the risk oversight role of the board. Frankly, as a board director, I am not interested in spending my time hearing about how you spend your time. A concise summary is fine, but I am more interested in what risks and scenarios can impact our strategy, earnings and long-term value. The role of the board in risk oversight can be better served with contextualized, quantitative, outside-in, forward-looking and decision-oriented information.
As a director, I do not accept work products that are stupid, lazy and boring. Board time is limited and precious. We should spend it on content and discussions that are more impactful to the organization.
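The heat-map pitfall from the first item above, worked through as an added example (not code from the article or its author): the 5x1 blocked-attack and 1x5 major-breach scores tie at 5, while even a simple discrete loss distribution for each risk separates them by expected and tail loss. The two distributions and all dollar figures are constructed for illustration.

```python
# Added example: why a 1-5 x 1-5 heat-map score cannot distinguish a
# frequent/low-severity risk from a rare/catastrophic one, while a loss
# distribution (here a small discrete one) can. All figures are constructed.
from typing import Dict, List, Tuple

# A discrete annual-loss distribution: list of (probability, loss_in_dollars).
LossPMF = List[Tuple[float, float]]

# Constructed: attacks are blocked every year, so some cost is near-certain
# but always small (tooling, triage, incident-response hours).
BLOCKED_ATTACKS: LossPMF = [(0.10, 100_000), (0.60, 250_000), (0.30, 400_000)]

# Constructed: a major breach is rare, but when it happens the loss is
# orders of magnitude larger (notification, legal, regulatory, remediation).
MAJOR_BREACH: LossPMF = [(0.90, 0), (0.08, 5_000_000), (0.02, 50_000_000)]


def heat_map_score(probability: int, severity: int) -> int:
    """The common 1-5 x 1-5 method: a single point estimate per risk."""
    if not (1 <= probability <= 5 and 1 <= severity <= 5):
        raise ValueError("ratings must be integers from 1 to 5")
    return probability * severity


def expected_loss(pmf: LossPMF) -> float:
    """Mean annual loss: probability-weighted sum of the outcomes."""
    if abs(sum(p for p, _ in pmf) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return sum(p * loss for p, loss in pmf)


def loss_percentile(pmf: LossPMF, q: float) -> float:
    """Smallest loss L with P(annual loss <= L) >= q, e.g. q=0.95 for the tail."""
    ordered = sorted(pmf, key=lambda outcome: outcome[1])
    cumulative = 0.0
    for p, loss in ordered:
        cumulative += p
        if cumulative >= q - 1e-12:
            return loss
    return ordered[-1][1]  # guard against floating-point drift below q


def compare(pmf: LossPMF, probability: int, severity: int) -> Dict[str, float]:
    """Heat-map score next to distribution-based metrics for one risk."""
    return {
        "heat_map_score": heat_map_score(probability, severity),
        "expected_loss": expected_loss(pmf),
        "p95_loss": loss_percentile(pmf, 0.95),
        "p99_loss": loss_percentile(pmf, 0.99),
    }


if __name__ == "__main__":
    print("blocked attacks:", compare(BLOCKED_ATTACKS, 5, 1))
    print("major breach:   ", compare(MAJOR_BREACH, 1, 5))
```

Both rows print a heat-map score of 5, but the breach's expected loss is five times larger and its 99th-percentile loss 125 times larger, which is the information a board needs and the heat map hides.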
Over the past 15 years, I have served as a public and private board director, including roles as chairman of the board; vice chairman of the board; and chairman of the risk, audit, and compliance committees. Based on this work, I created the governance, policy and assurance (GPA) framework to organize the key questions and best practices for board risk oversight. Using the GPA framework, I have identified seven critical actions for effective board risk oversight.
- Governance. The board must establish an effective governance structure to oversee risk. Should there be a separate risk committee? How should the board and its committees share risk oversight responsibilities? How should the board oversee strategy and risk? How can the company strengthen the independence of risk management and compliance? The critical actions are:
- Rationalizing the committee structure for the board and delegating specific risk oversight responsibilities to each committee or full board. Ensure board calendars and agendas provide comprehensive review of the key risks facing the company, including deep dives on a periodic basis.
- Aligning ERM and strategy by integrating five specific steps: Define business objectives; establish KPIs to measure performance against these objectives; identify and assess key risks to these objectives; establish KRIs and risk appetite for these risks; and implement monitoring, reporting and decision-making processes.
- Strengthening the independence of the risk and compliance functions. Holding executive sessions during quarterly board meetings is not enough. A long-standing practice to enhance audit independence is to establish a reporting line between internal audit and the audit committee. Similarly, risk and compliance functions should have a reporting line to the board.
- Policy. The board must review and approve risk management policies that provide effective guidance and limits to management. Is there a risk appetite statement that clearly defines the types and levels of risks that the company is willing to accept? Are the company’s risk and compensation policies aligned? Critical actions are:
- Reviewing and approving three essential board-level risk management policies: the risk escalation policy to establish thresholds for reporting risk events to senior management and the board, the risk appetite statement to establish the metrics and maximum risk tolerance levels, and the risk acceptance policy to provide processes to approve and manage risk policy exceptions.
- Ensuring executive compensation policies are aligned with risk management objectives. CEO and executive team performance goals should incorporate risk, compliance and internal audit results. Financial performance metrics should be risk-adjusted. The board should evaluate CEO and executive team performance in terms of not only what business results were produced, but also how those results were produced.
- Assurance. The board must receive assurances that the company’s ERM program is working effectively. What metrics and feedback loops will the board use to evaluate ERM performance? How can risk reports convey the right information most efficiently? Critical actions are:
- Establishing an ERM performance feedback loop to monitor overall effectiveness. The key objective of ERM is to minimize unexpected performance variance. For example, on a quarterly basis, the board can monitor unexpected earnings variance, which is calculated by comparing earnings-at-risk analysis at the beginning of the period with earnings-attribution analysis at the end of the period. Unexpected earnings variance must be within an acceptable level, say 20% of total earnings variance.
- Ensuring that board risk reporting provides the right information, including an executive summary, actual loss data and risk events, KRIs tracked against risk appetite, forward-looking scenario analysis and stress testing, and integrated strategy and risk performance. The quality of board risk reporting substantially influences the quality of board discussions and decisions.
As board directors, we have a heightened duty of oversight in these disruptive times. The stakes are too high to bring a knife to a gun fight. We should assess and benchmark our ERM processes, metrics and reports to ensure that they are fit for purpose.
James Lam is a director at FAIR Institute and RiskLens, where he is also chair of the audit committee. He is president of James Lam & Associates Inc. and the author of Implementing Enterprise Risk Management: From Methods to Applications.