Dealing with the new realities of risk management was the topic of a recent roundtable held in New York City that attracted board directors from a wide range of companies and industries. Sponsored by Deloitte LLP, the NACD Directorship peer exchange roundtable examined the leading practices for risk-intelligent board oversight. Conversation centered on three general topics: board oversight of executive risk-taking, trends and leading practices with regard to risk governance structures, and aligning risk oversight and management to company strategy.
A key focus of the conversation was board governance structure and who, at the board level, “owns” risk oversight. Most directors place responsibility for risk oversight on the audit committee, although many of those assembled agreed that certain types of risks—including technology, reputational and strategic risks—need to be addressed by the full board. The consensus that risk can be managed within the existing committee structure, or by the full board where needed, runs somewhat counter to calls from shareholders and regulators for the creation of specific risk committees for banks and financial institutions. Outside of financial services companies, it was generally agreed that there is no real need for specialist risk committees.
For some directors, creating a risk committee can lead boards to think, in the words of one participant, that “risk is being dealt with and therefore I don’t have to think about it.” However, this is likely not the case, which may mean that risks are not getting the full consideration they require.
To that end, it was noted that there is now a trend for non-financial services companies to bring all committees into the risk oversight process. While the audit committee may take overall responsibility for oversight of the risk management policies and procedures, the nominating and governance and compensation committees may analyze and discuss risks within their specific purview. Regardless of how the responsibility is delegated, it is critical that there is a structure in place to ensure oversight of the risks identified in the process so that none “fall through the gap,” and that all committee charters clearly state the committee’s responsibility with regard to risk oversight.
All of the directors in attendance maintained they are devoting increased time and attention to risk oversight. They are more involved, more aware and are receiving far more information on risk than ever before, they said.
Maureen Errity, a director with Deloitte and a leader of Deloitte’s Center for Corporate Governance, highlighted the concerns of some directors that, although financial risk remains at the heart of the discussion, boards may be spending time on it at the expense of other concerns, such as strategic business risks. Boards should address those enterprise-wide issues that may have the most significant impact on the organization, as well as the strategic risks that could create opportunity for the business.
Broadening the scope of the board’s risk analysis requires directors first to understand what risks a company really faces. Dan Konigsburg, a director with Deloitte LLP and the Center for Corporate Governance, suggested the board gather information from a wider group of company executives and employees.
Indeed, some directors at the roundtable admitted being less than optimally familiar with the senior risk managers in their organizations. These managers occasionally make presentations to the board, but directors asked if it is desirable to establish a closer relationship. Emerging thinking says it is.
One consideration is that many companies do not have a chief risk officer, and directors may receive risk reports from different sources and at different times. A significant topic being analyzed is the risk management infrastructure. For non-financial services companies, the CFO or chief compliance officer may be tasked with leading risk management. Participants agreed that centralizing the information flow to directors provides the board with greater understanding of how risk is being assessed and managed.
Perhaps one of the most pressing questions for directors is how to align risk with strategy. Businesses have inherent risks, but the key, Errity explained, is to strike the right balance and establish the company’s risk appetite. This also raises the question of how much money the company is willing to spend to mitigate risks, since many systems and processes have associated implementation costs.
Many directors believe the line between risk and strategy is blurry. Capital financing, mergers and acquisitions, market listings and the like are strategic issues, yet they all involve risk. The challenge is thinking through all the risks and presenting them not only individually but in the aggregate. Further, some companies are using risk management as a foundation for broader strategic thinking by holding discussions with management to explore “what-if” scenarios and new-business paths that will have associated risks but that may create long-term value for the organization.
Perhaps the best way to address these issues, participants suggested, is to create a structure whereby board members can question and challenge the assumptions and decisions of management in relation to the intersection of strategy and risk. The culture of each board is unique, and so the exact process of achieving effective risk management will vary, but there are some common factors. Success involves asking the right questions and making sure directors understand the answers, while also recognizing the value and experience the board can bring to the risk and strategy discussion.
Often, management will suggest strategies that seem sound, but directors need to analyze them in relation to industry trends, the company’s internal risk appetite and what is best for long-term shareholder value.
In fact, the directors noted, the lack of unified risk oversight actually opens the company to risk in and of itself. While it may not have overall ownership of the various risk functions, the board must have a clear picture of all the material risks facing the company and the certainty that senior management is well apprised and equipped to manage these enterprise-wide risks effectively.
Participants:
Gary G. Benanav: Director, Barnes Group
James Benson: Director, Sapient Corp.
Neil Braun: Dean, Pace University’s Lubin School of Business; Director, IMAX Corp.
Beth Bronner: Managing Director, Mistral Equity Partners; Director, Jamba Juice, Syms Corp.
Laura L. Brooks: Director, Provident Financial Services
Phebe Neely Ciulla: Senior Manager, Deloitte Financial Advisory LLP
James W. Dyke Jr.: Director, WGL Holdings
Maureen Errity: Director, Deloitte LLP Center for Corporate Governance
David R. Haas: Director, National CineMedia
Nitish Idnani: Principal, Deloitte ERS
Matthew S. Kissner: CEO, The Kissner Group; Director, John Wiley & Sons
Dennis E. Klima: Director, WSFS Financial Corp.
Dan Konigsburg: Director, Deloitte LLP Center for Corporate Governance
W. James MacGinnitie: Director, RenaissanceRe Holdings
Harvey Morgan: Managing Director, Bentley Associates LP; Director, Family Dollar Stores
Richard G. Nadeau: Founder, Chairman, Vistair Ventures; Director, IRIS International
Wilmer F. Pergande: Chairman, Director, Consolidated Water Co.
Dr. Warren R. Phillips: Professor Emeritus, University of Maryland; Director, CACI
Michael Pocalyko: Managing Director and CEO, Monticello Capital; Director, Herley Industries
Scott Roulston: Managing Partner, High Road Partners LLC; Director, Developers Diversified Realty
Laurie M. Shahon: President, Wilton Capital Group; Director, Knight Capital Group
Ervin R. Shames: Director, Choice Hotels International, Select Comfort Corp., Online Resources Corp.
Burt Steinberg: Director, Provident, New York Bancorp
Stephen E. Wasserman: Partner, Wasserman & Associates; Director, IRIS International
Karen Hastie Williams: Director, NACD

With all due respect, I did not get much in the way of action from this roundtable discussion. Is it working well at your clients and/or companies, or not? Is it OK at your companies and/or clients but needs improvement? Is it an infant and needs a lot of nurturing?
If the financial sector is an example of risk committees, we should do away with them because they by and large have failed, with nonsense modeling and third-party ratings with no objectivity. And by the way, they know nothing about strategic or product risk (UBS, how many times?).
The full BOD has responsibility for shareholder value creation and preservation. How it discharges its responsibilities through Board committees, C management and operations management should be clear, with regular assessment, monitoring and feedback. The cost-effective and efficient value management (and risk management if you want) approach for people, process and technology is there. As BOD membership, take a stand and either get it done or influence better than the rest for your competitors.
P.S. Don’t spend a lot on SOX.