Rethinking Risk Management
Anticipating emerging risks means reshaping the board.
Risk management is often cited among the top two or three items on board agendas, yet many companies have found themselves unprepared for a variety of recent shocks, including the COVID-19 pandemic, the Great Resignation, cybersecurity events, labor shortages and supply chain disruptions.
The breadth of risk for public and large private companies has grown exponentially in recent years, but few organizations have gone far enough in evolving and expanding their risk management approach to keep up with the pace of change. This is one reason regulators have stepped up enforcement of board requirements around fiduciary duties.
In some cases, boards may need to update their views about the world’s ability to deal with risks. These views may include the expectation that supply chains are infinite, labor is unlimited and the United States is always able to innovate its way out of problems.
That’s not the world today’s companies operate in. The World Economic Forum, the Control Risks global risk survey, McKinsey and others have identified several of the most significant areas of current and emerging corporate risk. The top risk areas include:
• Proper understanding and articulation of company risk appetite, risk review objectives, and existential and emergent risks.
• People and talent.
• Mergers and acquisitions.
• Digital transformation.
• Climate risks and action.
• Future pandemics or similar situations.
• Supply chain vulnerabilities.
• Regulatory risks.
• Political risks.
These risks present challenges on many levels. Boards must identify, assess and manage risks intelligently, while simultaneously focusing on business opportunities that may arise from the very same issues. They must communicate risks not just to shareholders, but also to other stakeholders.
Today’s boards need to consider whether they have the right people, expertise, committees and processes to address today’s higher-risk business environment. Crises are likely to come faster and hit harder. However, boards that make changes to better address risk can succeed in making their companies more resilient.
The following are changes boards should consider to enhance their risk management approach and better help their companies navigate and mitigate emerging risks.
Bridge information gaps
Most boards weren’t composed in today’s risk environment, and they may lack sufficient depth of expertise in some of the most prominent areas of emerging risk. In addition, the company’s operations, its business model or its industry — or all three — may have changed significantly since some directors joined the board. There may be an information gap between what management knows about the business and what the board knows.
There are many ways to bridge the information gap. Ask management intelligent questions about risks and controls. Embrace your natural curiosity and try to absorb what’s going on in the company’s industry, in the competitive landscape and with competitive business models.
Also consider mandating the following for all board members:
• Involvement with the company and visits to company sites.
• One-on-one sessions with company executives.
• Training in the company’s industries and risk areas.
Revamp board composition
Rapid change means that the board of the future may need to look very different from the board of today. Start creating the board of the future through a concerted effort to nominate directors with specialized expertise in areas where the board has gaps. These new directors may be outside current directors’ or the CEO’s contact circles.
Consider new directors who:
• Understand emerging risks.
• Have expertise in the company’s complex technology platforms.
• Know the issues and best practices in the company’s industry.
• Make the board more diverse.
• Have a good understanding of digital transformations and the underlying value proposition.
• Can intelligently articulate the strengths, weaknesses, opportunities and threats in management’s proposed strategic approaches and tactical implementation plans.
Ensure board independence and objectivity
Nonexecutive directors know that, to represent the interests of shareholders and other stakeholders, they must perform their oversight function with independence and objectivity. But this isn’t as easy in practice as it seems. Human nature fights against independence and objectivity.
The more time a director spends on the board and on nurturing any outside relationships with company executives, the more conscious effort they will need to put into thinking and voting independently and objectively. This is one reason Institutional Shareholder Services considers a tenure of more than nine years potentially compromising to director independence.
One of the best ways directors can become more independent and objective is to visit the company’s locations. By asking questions of local employees, managers and clients, directors can become more attuned to what’s going on in the business, learn about new risks and better understand the controls the company has in place. To facilitate this, the company should consider providing each director with a travel allowance specifically for visiting its locations.
Boards should also begin their meetings with executive sessions where only independent directors are in the room, without anyone from management. When executive sessions are scheduled at the end of the agenda, they tend to get cut short or cut entirely.
Separate the chair and CEO roles
When the CEO is also the chair of the board, it can be hard for directors to ask difficult questions and exercise the oversight they are required to maintain. A nonexecutive board leader should set board meeting agendas.
In addition, boards — not management — should drive the conversation around risk management. Rather than reacting to the information management provides, directors must identify risks the company faces, then ask management how they’re addressing those risks. This proactive approach allows the board to exercise active governance and increase the company’s resilience by anticipating risks that management may not have thought of.
Pattern board risk committees after audit committees
Forming a risk committee, led by a director who has specific expertise in risk management, empowers a dedicated group to own responsibility for this important area of governance. Ideally, the company should have a chief risk officer who works with the committee.
Without a risk committee, risk falls to all directors or all committees — and when everybody is in charge of risk, nobody is. A risk committee and chief risk officer give shareholders and regulators a clear indication of who is in charge.
The risk committee should:
• Be composed of directors with expertise in risk management.
• Have a charter that clearly outlines its responsibilities.
• Have the authority to engage consultants that the company pays for.
• Define the company’s risk tolerance and appetite, providing management with guidance.
• Document risk assessments and the board’s questioning of management related to risk.
Understand the advantages of appropriate risk management
A board that skillfully identifies, assesses and manages risks brings tremendous value to a company. For example, better management of current and emerging risks can help a company to:
• Maximize value from mergers and acquisitions.
• Improve digital transformation efforts.
• Increase competitive advantage.
• Maximize value from talent.
• Mitigate cybersecurity threats.
• Take a proactive approach to climate risks.
• Prepare to manage and recover from crises.
• Strengthen the supply chain.
• Mitigate regulatory risks.
Consider further changes
The changes outlined may not be enough to deal with a rapidly evolving business environment. As boards continue to improve their risk identification, assessment and management, directors may want to consider these questions:
• To further improve their boards’ abilities to identify risks, should companies introduce their own board diversity requirements?
• Should the no-downside environment of many of today’s boardrooms, which can lead to complacency, be changed? That is, should directors, who are charged with company oversight, be held accountable for violations that fall under their oversight, including a possible clawback of director fees?
• Can a director who has sat on a board for 10, 20 or more years still be independent and objective? Should there be term limits for directors?
• Should directors be accountable for participating in board meetings, site visits and other activities? Should the number of board meetings attended and missed by a director be included in the proxy? Should the board self-evaluation process be strengthened?
These questions contemplate changes to the current structure and operations of many boards. But organizations that undertake them can gain a competitive advantage and increase their resiliency in the face of the next crisis.
Whatever changes directors consider, in today’s risk environment, it’s vital that they are appropriately self-critical and vigorously embrace their role in providing oversight of management. Boards should assess their strengths as well as their gaps, apply what they have learned from the “unimaginable” risks of the past few years, and go forward with a commitment to enhance their risk management approach so they can lead their companies to a successful future.
Glenn Davis is principal emeritus and director of risk management services and Chandrasekar Venkataraman is a director of corporate governance and risk advisory services at Kaufman Rossin.