Boards of directors, in collaboration with their management teams, are being called upon to revise risk-oversight processes.
“The Report of the National Association of Corporate Directors (NACD) Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward” focuses particular attention on explicitly considering risk in making strategic decisions, defining the corporate risk appetite, and designing financial analytics and reporting.
The report, based on a year-long study with Oliver Wyman, can be viewed within the larger context of growing stakeholder demands and expectations for greater risk transparency and disclosure. In particular, stakeholders are looking for more information on how the company manages risks, the company’s risk profile, risk drivers, risk volatility and the potential impact on performance.
It is clear that directors must address concerns about risk oversight, but many will be challenged. Here are some guidelines to consider:
1. Understand the business’ key drivers of success.
Directors must understand the factors that drive success and introduce and/or amplify volatility in the company’s performance. Risk and strategy discussions must be based on information about the sources of risks under alternative strategies, how key risks contribute to the overall corporate risk profile, the potential variability in its financial performance, and how risks interact and aggregate under alternative scenarios. The close examination of factors affecting success is critical to understanding the main sources of the company’s value creation.
2. Make explicit the risk appetite implicit in the company’s strategy.
All businesses take risks to generate returns, but the types of risk taken, the levels of risk to which the company is exposed, and how and where risk is taken must be an input into strategy decisions, not a collateral by-product.
Risk appetite is defined as the amount of risk that the enterprise is willing to accept; risk tolerance is the degree of variance from risk appetite that the enterprise is willing to accept. A defined risk appetite including both quantitative elements (such as target debt rating, target and minimum leverage ratios and exposure concentration limits) and qualitative elements (such as reputational risk and operational risk-tolerance levels) is a critical basis for assessing alternative strategies, allocating capital and resources, selecting risk mitigation and response strategies and providing for effective communication with stakeholders, including capital markets.
When the board and management discuss strategy, they make decisions about which risks the company will accept and take. Given this, directors must not simply “review and concur with” management’s strategic plans, but must offer active input into management’s portfolio view of strategic alternatives and capital investments, giving explicit consideration to the risk profiles and risk/reward trade-offs associated with each option. This has two significant implications: first, management and the board will require a process and methodology to compare the risks, rewards and volatility presented by strategic alternatives; and second, this information must be considered within a clearly defined risk appetite, and associated tolerances, against which the acceptability of alternative risk profiles can be evaluated.
3. Define the role of the full board versus its standing committees with regard to risk oversight.
The full board must have primary responsibility for risk oversight with active review of the risk-reward balance in strategic plans, the company’s risk appetite and tolerances, and the overall risk profile. This role cannot be delegated to a specific committee.
Committees can still play a critical role in supporting the full board by focusing on key areas such as financial-reporting risks or nominating risks. To date, many boards have delegated risk oversight to the audit committee. Consistent with recommendations from external bodies, such as the New York Stock Exchange, the report notes that this committee or a risk committee may play a role in overseeing the company’s risk-management system and can serve to aggregate risk analysis to present to the full board.
The role of the board and committees should be detailed in board charters and risk-management documents that specify the risks to be addressed by the committee and the information and reporting processes that the committee requires to execute oversight roles.

