<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Directorship &#124; Boardroom Intelligence &#187; Risk Management</title>
	<atom:link href="http://www.directorship.com/focus/articles-research/risk-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.directorship.com</link>
	<description>Boardroom Intelligence</description>
	<lastBuildDate>Thu, 09 Feb 2012 18:19:07 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>GMI Launches ESG Ratings Platform</title>
		<link>http://www.directorship.com/gmi-launches-esg-ratings-platform/</link>
		<comments>http://www.directorship.com/gmi-launches-esg-ratings-platform/#comments</comments>
		<pubDate>Wed, 21 Sep 2011 18:17:24 +0000</pubDate>
		<dc:creator>Elizabeth Mullen</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[Home Highlight News Story]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[accounting transparency]]></category>
		<category><![CDATA[audit integrity]]></category>
		<category><![CDATA[bp]]></category>
		<category><![CDATA[Carbon Disclosure Project]]></category>
		<category><![CDATA[corporate social responsibility]]></category>
		<category><![CDATA[ESG]]></category>
		<category><![CDATA[Glass Lewis]]></category>
		<category><![CDATA[GMI]]></category>
		<category><![CDATA[GMI Analyst]]></category>
		<category><![CDATA[GovernanceMetrics International]]></category>
		<category><![CDATA[ISS]]></category>
		<category><![CDATA[Jack Zwingli]]></category>
		<category><![CDATA[Massey Energy]]></category>
		<category><![CDATA[MSCI]]></category>
		<category><![CDATA[NewsCorp]]></category>
		<category><![CDATA[pwc]]></category>
		<category><![CDATA[the corporate library]]></category>
		<category><![CDATA[United Nations Principles for Responsible Investment]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=27446</guid>
		<description><![CDATA[<p>To help investors avoid losses caused by ESG crises, GMI has launched the GMI Analyst platform, which contains ESG risk ratings for 4,200 companies.</p>
]]></description>
			<content:encoded><![CDATA[<p>While prospective investors will always look to a company’s financial performance before making decisions, a growing number are considering nontraditional, non-financial factors before a stock purchase to avoid sudden value loss caused by environmental, social or governance (ESG) crises. Earlier this month, GMI launched the GMI Analyst platform, a research platform that provides corporate stakeholders with ratings of public company ESG risks.</p>
<p><a href="http://www.directorship.com/media/2011/09/ARTICLE-AUDIT_RISK.jpg"><img class="alignleft size-full wp-image-27465" title="ARTICLE-AUDIT_RISK" src="http://www.directorship.com/media/2011/09/ARTICLE-AUDIT_RISK.jpg" alt="" width="350" height="458" /></a>“The number of firms using ESG disclosure is fairly rapidly increasing, they’re taking a very proactive stance,” said GMI CEO Jack Zwingli in a recent interview about the new metric. “All they have to do is look at BP, at NewsCorp, at Massey, to see that it’s not just the finances that pose very serious risks. They need to recognize that ESG concerns do impact risk in the long term.”</p>
<p>The GMI Analyst platform is the flagship product of the corporate governance research firm forged in December by the three-way merger of GovernanceMetrics International, The Corporate Library and Audit Integrity.</p>
<p>“With this merger we are in a great position,” continued Zwingli. “We were a little bit like kids in a candy shop. We have a tremendous amount of info, the question was how to drill it down into a product that people can use, understand and apply. We started at a high level and drilled down to the underlying data. Future versions will layer in additional content, tools for peer comparisons, advanced searches and screenings, more company and information coverage. We’ll continue to make the product easier to use and more informative.”</p>
<p>The service currently offers risk analyses for more than 20,000 corporations, including most large and mid-cap firms and some small cap companies, with 4,200 of those containing a more specific research-based ESG risk rating. The organization identified and tracks over 50 ESG+ (with the plus sign standing for “accounting transparency”) metrics that are most likely to affect performance.</p>
<p>The GMI Analyst also complies with the United Nations-backed Principles for Responsible Investment (PRI) initiative, providing PRI investors with an efficient comparison utility. Over 900 investors and investment funds have signed on with PRI since its launch in 2006.</p>
<p>“Of course, the trickle-down effect is now corporations are looking at the nontraditional measures of performance, and are recognizing that the investors are asking more about ESG,” explained Zwingli. “Recent statistics show that 80 percent of the Global Fortune 250 now all report on ESG.”</p>
<div id="attachment_27473" class="wp-caption alignleft" style="width: 232px"><a href="http://www.directorship.com/media/2011/09/Zwingli_INSIDE.jpg"><img class="size-full wp-image-27473 " style="border: 0pt none;" title="Zwingli_INSIDE" src="http://www.directorship.com/media/2011/09/Zwingli_INSIDE.jpg" alt="Jack Zwingli" width="222" height="333" /></a><p class="wp-caption-text">Jack Zwingli</p></div>
<p>GMI joins a growing number of organizations evaluating companies’ ESG risk ratings, including Institutional Shareholder Services’ ESG Solutions. ISS, an MSCI brand, uses findings from MSCI’s ESG Research department in its proxy assessments. MSCI’s team includes over 70 dedicated ESG analysts and researchers. Glass Lewis’ Risk Monitor also tracks and provides alerts for possible risk red flags.</p>
<p>The Global Reporting Initiative, which produces a sustainability reporting framework, finds that the number of companies using this reporting framework is steadily increasing internationally, with a 22 percent increase from 2009 to 2010 after a 34 percent increase from 2008 to 2009. Companies in the financial services and energy industries had the highest numbers of reports.</p>
<p>In addition, the Carbon Disclosure Project (CDP) recently issued a report, produced in conjunction with PwC, finding that the share of companies reporting climate change policies as an integral part of their strategy nearly doubled, from 35 percent of respondents in 2010 to 65 percent in 2011. Board or senior executive oversight of climate change programs increased as well, with 87 percent of responding companies delegating oversight to the highest levels of the organization.</p>
<p>The GMI service, Zwingli said, can be used for many different objectives, from boards seeking peer comparisons, to investors, to insurers seeking a quick risk evaluation. “It’s a very pragmatic view for the corporation to look at these factors, know what the ratings are, all investors are using ESG-type research to evaluate company performance and standards.”</p>
<p>Since some of the ESG+ metrics are of a more subjective nature than traditional financial performance metrics, “Companies may disagree with us,” noted Zwingli. “But it’s still valuable to say to investors ‘we have a copy of the report, and we have a different story.’ And that’s fine, that’s their prerogative. You can then be proactive about it, and include in disclosures that we looked at the report and disagree with it and why, or are planning on improving on these measures.”</p>
<p>Zwingli encourages companies to remember that ESG risks can be as devastating to a company as financial difficulties: “Reputational risk can have a high cost of capital. Companies are very concerned with reputational risk, and don’t want to show up on the front page of the <em>Financial Times</em> or <em>Wall Street Journal</em>.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/gmi-launches-esg-ratings-platform/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Climate Change Disclosure</title>
		<link>http://www.directorship.com/climate-change-disclosure-in-sec-filings/</link>
		<comments>http://www.directorship.com/climate-change-disclosure-in-sec-filings/#comments</comments>
		<pubDate>Tue, 26 Jul 2011 17:00:24 +0000</pubDate>
		<dc:creator>Stuart Hammer and Lauren M. Boccardi</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[Home Highlight News Story]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[10-K]]></category>
		<category><![CDATA[Ceres]]></category>
		<category><![CDATA[climate change disclosure]]></category>
		<category><![CDATA[Dodd-Frank]]></category>
		<category><![CDATA[Investor Advisory Committee]]></category>
		<category><![CDATA[ISS]]></category>
		<category><![CDATA[sec]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=25582</guid>
		<description><![CDATA[<p>One year after the SEC's interpretive guidance instructed companies to consider climate risk disclosures in their 10-K filings, the agency's follow-up has been muted.</p>
]]></description>
			<content:encoded><![CDATA[<p>A little over a year ago, many companies preparing their 10-K filings scrambled to comply with the Securities and Exchange Commission’s newly released guidance concerning the disclosure of climate change-related risks. The SEC’s February 2010 interpretive guidance instructed companies to consider whether to disclose certain climate-related risks in their securities filings. One year later, there is some evidence that registrants are increasingly disclosing climate-related risks, though climate change-related disclosure is not as widespread or as extensive as some would like. In addition, to date the SEC has not taken a particularly proactive role in following up on its guidance.</p>
<div id="attachment_25618" class="wp-caption alignleft" style="width: 232px"><a href="../media/2011/07/DEBEVOISEhammer1.jpg"><img class="size-full wp-image-25618     " style="border: 0pt none;" title="DEBEVOISEhammer" src="../media/2011/07/DEBEVOISEhammer1.jpg" alt="Stuart Hammer" width="222" height="333" /></a><br />
<p class="wp-caption-text">Stuart Hammer</p></div>
<div id="attachment_25619" class="wp-caption alignleft" style="width: 232px"><a href="../media/2011/07/DEBEVOISEboccardi1.jpg"><img class="size-full wp-image-25619  " title="DEBEVOISEboccardi" src="../media/2011/07/DEBEVOISEboccardi1.jpg" alt="Lauren M. Boccardi" width="222" height="333" /></a><br />
<p class="wp-caption-text">Lauren M. Boccardi</p></div>
<p>The SEC released interpretive guidance on the application of existing SEC disclosure requirements to climate change-related matters on February 2, 2010. While the guidance did not create a new rule, regulation or legal requirement, or change the materiality standards under existing SEC rules,  it was intended to provide clarity for public companies and their investors and encourage consistent application of existing rules.</p>
<p>At the time the SEC highlighted four areas for companies to consider when assessing whether climate-related disclosure is required under its rules and regulations:</p>
<ol>
<li>the impact of legislation and regulations, such as laws requiring companies to install pollution control equipment,</li>
<li>the impact of international climate change accords, such as the Kyoto Protocol,</li>
<li>indirect consequences of regulation, such as decreased demand for carbon-intensive products and</li>
<li>physical risks of floods, hurricanes and other natural disasters that may result from climate change.</li>
</ol>
<p>A little more than one year after the SEC issued its guidance, there is some evidence of increased disclosure of climate-related risks. An October 2010 report by ISS Corporate Services, “Disclosing Climate Risks: How 100 Companies Are Responding to the New SEC Guidelines,” analyzed climate disclosure in the 10-K filings of the 100 largest U.S. public companies (by market capitalization). Among its conclusions, ISS found that:</p>
<ul>
<li>A little over one-half of the companies mentioned climate change in their filings;</li>
<li>Approximately one-quarter of the companies addressed physical risks to their assets posed by climate change;</li>
<li>Very few companies addressed all of the issues outlined in the SEC’s climate guidance; and</li>
<li>The energy and utilities sectors had the most comprehensive climate-related disclosure.</li>
</ul>
<p>In addition, a February 2011 report from CERES, a coalition of investor and environmental groups, noted that there was some improvement in companies’ climate change disclosure. However, CERES also identified what it considered to be inadequate disclosure by various companies and outlined specific steps for companies to take to improve their climate disclosure.</p>
<p>When it released the guidance, the SEC said it would hold a public climate change disclosure roundtable in the spring of 2010. However, the roundtable did not take place and the commission has not been particularly proactive in following up on its interpretive guidance. In addition, the SEC said it would monitor disclosure both through its Investor Advisory Committee (IAC) (which was considering climate disclosure issues as part of its mandate to provide the SEC with input on investor concerns) and through its ongoing disclosure review program. The IAC has since been disbanded.</p>
<p>While the SEC has been monitoring climate disclosure, its enforcement of any perceived violations has been limited. Based on a review of publicly available information, there are fewer than a dozen comment letters in which the SEC sought additional information concerning climate disclosure in registrants’ 2010 filings. In some of the comment letters, the SEC asked registrants to explain what consideration they had given to the climate guidance. Some registrants acknowledged the existence of the guidance, but explained that climate disclosure was not warranted as climate risks were not material to the business. In other instances, the SEC asked registrants to expand their disclosure concerning the impact of climate change legislation or the effects of possible increases in global temperatures or to discuss the costs incurred in reducing greenhouse gas (GHG) emissions. Some registrants revised their disclosure to more directly address climate-related issues.</p>
<p>The SEC’s fairly muted follow-up to the interpretive guidance may be linked to several factors. The political climate has changed since the SEC issued its release; it now appears unlikely that Congress will pass a comprehensive climate change law in the near future. Additionally, the SEC may have limited capacity to address climate change disclosure given budget and staffing constraints and the deluge of Congressional demands arising out of the Dodd-Frank Wall Street Reform and Consumer Protection Act. As a result, the SEC may simply be focusing on what it considers to be more pressing issues than climate change disclosure.</p>
<p>The task of analyzing climate risks is more difficult given the uncertainty regarding climate change legislation and regulation. A year ago, the passage of a comprehensive climate change bill appeared more likely given that the U.S. House of Representatives had passed such a bill and leading lawmakers in the U.S. Senate were discussing similar legislation. However, in 2010, efforts to pass a comprehensive climate change bill stalled in the U.S. Senate. Thus, registrants that previously disclosed the likelihood of passage of a climate change bill should update their disclosure to account for developments in the U.S. Congress.</p>
<p>While climate change legislation has stalled, the United States Environmental Protection Agency (EPA) has started regulating certain GHG emissions. For example, the EPA requires certain large GHG emitters to annually report their emissions to the EPA. The EPA is also seeking to curb GHG emissions under the Clean Air Act. However, some members of Congress are seeking to scale back, if not eliminate, the EPA’s GHG regulations. It remains to be seen whether the EPA will roll back its GHG rules or initiate additional GHG rules. Registrants impacted by the EPA’s regulations should consider these uncertainties when drafting their climate change disclosure.</p>
<p>In addition, companies that are disclosing climate change information in other forums, such as in company sustainability reports or through organizations such as the Carbon Disclosure Project (a not-for-profit organization that maintains a database of climate change information), should ensure that such disclosures do not conflict with any climate-related information contained in their securities filings.</p>
<p>It is unclear whether the SEC will increase its focus on climate change disclosure in coming months. Registrants, particularly large GHG emitters, will need to continue monitoring developments concerning legislation, regulation, physical effects and other trends related to climate change. As developments in these areas change rapidly, registrants should update their disclosure to assure that it remains accurate.</p>
<p><em>Stuart Hammer is counsel and Lauren M. Boccardi is an associate in the New York office of Debevoise &amp; Plimpton LLP. They are members of the firm’s Environmental Practice Group.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/climate-change-disclosure-in-sec-filings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Providing IT Risk Oversight</title>
		<link>http://www.directorship.com/providing-it-risk-oversight/</link>
		<comments>http://www.directorship.com/providing-it-risk-oversight/#comments</comments>
		<pubDate>Thu, 02 Jun 2011 17:58:43 +0000</pubDate>
		<dc:creator>News Editor</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[Home Highlight News Story]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=24486</guid>
		<description><![CDATA[<p>Oliver Wyman has found companies lose more than $14 billion each year because of failed technology projects.</p>
]]></description>
			<content:encoded><![CDATA[<p>There is a saying that a week is a long time in politics. Well, the rate of change in the business world is becoming almost as challenging and many corporate boards are not keeping up. According to the Oliver Wyman study, the largest 500 U.S. companies lose in excess of $14 billion a year because of failed technology projects. And this does not include the massive financial and reputational damage done through breach of security systems or data loss. With such significant value at stake, it is concerning to learn that nearly half of board members do not have confidence in their company&#8217;s ability to provide IT risk oversight. Put simply, many boards are unable to provide much needed governance and oversight in this important area.</p>
<p>Managing the risks associated with technology has always been a management prerogative. As technology becomes more intertwined with the corporate entity and business strategy, boards have had to step in and provide greater oversight of the various systems and implementations. This, however, presents a challenge to our boardroom directors. In a recent survey conducted by the NACD, in conjunction with Oliver Wyman, it was found that 46% of respondents were not satisfied with the ability of their board to provide IT risk oversight. The survey also indicated one major reason for this deficiency: there is insufficient IT expertise at the board level.</p>
<p>Unsurprisingly, 38% of survey respondents indicated that the most effective approach to improving board IT risk oversight was to increase the frequency and detail of communications about IT from management. There is obviously some room for improvement and directors believe information management is the right place to begin.</p>
<p>The many aspects of technology can quickly become overwhelming and confusing. Management and boards need an organized method to convey each aspect in a meaningful and effective way. One such method is the Framework for IT Risk developed by Oliver Wyman. The Framework divides the aspects of IT risk into four categories: competitive risks, execution risks, portfolio risks, and service &amp; security risks. Each category has a defined arena of issues with ways to present information.</p>
<p>NACD and Oliver Wyman recently released a white paper addressing the Framework and its application in the boardroom. The white paper highlights many of the issues and red flags boards should look for when considering IT risk.</p>
<p>Technology is not only changing the way we do business but the way we talk about it too. Boards and management need a common language to effectively run their IT systems. A focus on information and its effective presentation will start to remove those communication barriers.</p>
<p><a title="Link to Taming IT Risk white paper" href="http://www.directorship.com/media/2011/06/Taming-Information-Technology-Risk-Final.pdf" target="_blank">To download the &#8220;Taming Information Technology Risk&#8221; white paper, please click here.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/providing-it-risk-oversight/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk-Adjusted Compensation</title>
		<link>http://www.directorship.com/risk-adjusted-compensation/</link>
		<comments>http://www.directorship.com/risk-adjusted-compensation/#comments</comments>
		<pubDate>Mon, 16 May 2011 19:05:21 +0000</pubDate>
		<dc:creator>Richard W. Leblanc</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[Compensation]]></category>
		<category><![CDATA[Home Highlight News Story]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[BoardExpert]]></category>
		<category><![CDATA[compensation committees]]></category>
		<category><![CDATA[Richard W. Leblanc]]></category>
		<category><![CDATA[risk-adjusted compensation]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=24151</guid>
		<description><![CDATA[<p>Compensation committees should consider risk-adjusted compensation for executives to better align pay with performance and risk mitigation.</p>
]]></description>
			<content:encoded><![CDATA[<p><strong>“If I hit, you pay.”</strong><br />
Operating efficiency indicators that were in vogue before the financial crisis – such as profit, revenue, productivity, costs and volume metrics – and some market measures, such as share price and total shareholder return, by and large, continue to be used by many compensation committees and consultants.  These measures are short-term and do <em>not</em> properly incorporate the explicit risks, costs and time to materialize of management’s actions.  Metrics like these are analogous to steroids – all gain and no pain.  Management is driven to “max out” based on these types of metrics, offering compensation committees limited discretion, up front or at the back end.  “If I hit, you pay” becomes the operative norm.</p>
<p><strong>Compensation Metrics Need a Re-haul</strong><br />
Compensation drives behavior, and it is the compensation committee’s responsibility to take all reasonable steps to ensure that management is not taking imprudent risks by virtue of their pay structure, and to require – if not insist – that any retained compensation consultant recommends a “risk-adjusted compensation” regime that reflects true costs and risks for management compensation, for the specific company within its industry.  The compensation committee, however, has an obligation to employ its own judgment, skill and experience in approving and recommending this regime to the board.</p>
<p><strong>The Dodd-Frank Legacy: “Risk-Adjusted Compensation”</strong><br />
It is important to note, however, that risk-adjusted compensation is not attempting to control the <em>amount</em> of executive compensation – only to ensure that the compensation be sufficiently aligned with actual performance and appropriate risk mitigation.</p>
<p><strong>Approaches to Align Executive Compensation with Risk</strong><br />
There are two main time frames and four types of approaches to align compensation with risk: before and after compensation accrues or is awarded; and quantitative, qualitative, explicit and implicit approaches.  The compensation committee should be familiar with timing and approaches, as well as their interactions.</p>
<p>Combining the two time frames and four approaches gives us four adjustments to align executive compensation with risk and achievement:</p>
<ol>
<li>Quantitative Risk Adjustments Before Compensation Accrues or is Awarded</li>
<li>Qualitative Risk Adjustments Before Compensation Accrues or is Awarded</li>
<li>Explicit Risk Adjustments Based on Actual Results</li>
<li>Implicit Compensation Adjustments</li>
</ol>
<p><strong>Compensation Committees Need to Drive These Reforms</strong><br />
These approaches are emerging practices for addressing risk and compensation in the aftermath of the global financial crisis.</p>
<p>To expect that management, compensation consultants or industry associations, alone or even in combination, will advance or implement the above reforms is ambitious, and perhaps misguided.  Management’s interests may often be contrary to the practices recommended above.  Compensation consultants may prefer simplistic metrics, that are not risk-adjusted, that can be used and explained, and that can be rolled out firm-wide.</p>
<p>The drivers of the above reforms will have to be compensation committee chairs and committee members themselves, who understand the need for such approaches and commit to mastering these emerging standards.</p>
<p>To implement such reforms, compensation committees should employ their experience and judgment; retain independent, qualified compensation consultants; and insist upon tailored, risk-adjusted compensation advice and reporting.</p>
<p>Institutional shareholders and proxy advisors would also be wise to consider this sort of explicit linking of risk and compensation, when voting upon or assessing pay-for-performance linkages and compensation regimes, as risk-adjusted compensation may prove to have a higher alignment with shareholder value creation than more simplistic, non risk-adjusted performance measures.</p>
<p><em>Dr. Richard W. Leblanc is a corporate governance expert and advisor to leading boards and committees.  He can be reached at <a href="http://www.boardexpert.com/">http://www.boardexpert.com</a>.<br />
</em></p>
<p><em>The views and opinions expressed in the article do not necessarily reflect the views of the NACD.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/risk-adjusted-compensation/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>More Effective Board Risk Oversight</title>
		<link>http://www.directorship.com/more-effective-board-risk-oversight/</link>
		<comments>http://www.directorship.com/more-effective-board-risk-oversight/#comments</comments>
		<pubDate>Tue, 10 May 2011 17:33:38 +0000</pubDate>
		<dc:creator>Jim DeLoach</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[Home Highlight News Story]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[Jim DeLoach]]></category>
		<category><![CDATA[Protiviti]]></category>
		<category><![CDATA[risk oversight]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=23916</guid>
		<description><![CDATA[<p>Protiviti Managing Director Jim DeLoach details seven changes boards can make to improve risk oversight.</p>
]]></description>
			<content:encoded><![CDATA[<p>A recent survey by Protiviti and COSO revealed that board members are divided on the effectiveness and maturity of their risk oversight processes and efforts. While 53 percent rated their organization’s risk oversight process as “effective” or “highly effective,” more than 70 percent indicated that their boards aren’t formally executing mature, robust risk oversight processes.</p>
<div id="attachment_23917" class="wp-caption alignleft" style="width: 260px"><a href="http://www.directorship.com/media/2011/05/JamesDeLoachINSIDE.jpg"><img class="size-full wp-image-23917 " style="border: 0pt none;" title="JamesDeLoachINSIDE" src="http://www.directorship.com/media/2011/05/JamesDeLoachINSIDE.jpg" alt="Jim DeLoach (Copyright Gittings, 2007)" width="250" height="350" /></a><p class="wp-caption-text">Jim DeLoach (Copyright Gittings, 2007)</p></div>
<p>As new legislation, shareholders and disclosure requirements force boards to rethink their risk oversight process, they should consider these seven recommendations in view of their organizations’ current operations and risks:</p>
<p>1. <strong>Implement a more structured process for monitoring and reporting critical enterprise risks and emerging risks to the board</strong> – While most companies monitor and report risks, survey results suggest opportunities for improvement. For example, a company might formalize the common risk assessment methodology that is based on subjective inputs of the severity of impact of potential future events and the likelihood of those events occurring by making it a regular and more robust process with results shared with the board periodically.</p>
<p>2. <strong>Look for opportunities to make the risk reporting process more effective and efficient and increase the regularity of reporting according to the organization’s operations and risk profile</strong> – According to a majority of respondents, reports that the board does not receive at least annually include: scenario analyses evaluating the effect of changes in key external variables impacting the organization; a summary of exceptions to management’s established policies or limits for key risks; and a summary of significant gaps in capabilities for managing key risks and the status of initiatives to address those gaps.</p>
<p>3. <strong>Come to an agreement with management on the risk-related matters that need to be escalated to the board, addressing the what, when and why</strong> – Escalation protocols specifically tailored to the company’s operations and risks are important. For that reason, it’s vital to the risk oversight process to determine what must be escalated to the board (e.g., limits violations), as well as when and why.</p>
<p>4. <strong>Encourage employment of techniques that foster out-of-the-box, big-picture thinking focused on the critical assumptions underlying the corporate strategy to assess the strategic risks and uncertainties the enterprise faces</strong> – Given the volatility of the times, organizations may want to allocate more time and resources toward understanding what they don’t know by employing techniques focused on the critical assumptions underlying the corporate strategy. As they do so, they may identify opportunities to enhance and focus the board risk oversight process further.</p>
<p>5. <strong>At least annually, focus on whether developments in the business environment have resulted in changes in the critical assumptions and inherent risks underlying the organization’s strategy and the effect of such changes on the strategy and business model</strong> – Less than 15 percent of respondents are fully satisfied with the processes for understanding and challenging assumptions and inherent risks associated with the corporate strategy and monitoring the impact of changes in the environment on the strategy and business model. Implementation of, or enhancements to, these processes may help the board address two questions fundamental to the risk oversight process – “What do we do if the critical assumptions underlying our strategy and business model are no longer valid?” and “How would we know if our assumptions were no longer valid?”</p>
<p>6. <strong>Implement a more defined, rigorous process supporting the risk appetite dialogue between the board and management, and ensure the results of this dialogue are driven down into the organization in an appropriate manner</strong> – Risk levels and uncertainty have changed significantly over recent years for most organizations. The board and management may find it beneficial to engage in a periodic dialogue regarding risk appetite, possibly covering topics such as the maximum acceptable level of performance variability in specific operating areas; targeted strategic, financial and operating parameters; upside/downside debates on significant matters; risks and assumptions inherent in the corporate strategy; and “hard spots”/“soft spots” in the business plan. The board also may consider when and under what circumstances it should be informed of exceptions and near misses to the organization’s risk tolerance parameters and any planned actions to address them.</p>
<p>7. <strong>Incorporate appropriate questions relating to risk oversight in the board’s periodic evaluation of board performance effectiveness</strong> – Depending on the business and its risks, one practical approach for self-evaluating the risk oversight process is to incorporate an assessment of it within the board’s existing periodic self-assessment process, such that the evaluation of the risk oversight process is conducted at least as often as the overall assessment of board effectiveness.</p>
<p>For the complete survey report, visit www.protiviti.com.</p>
<p><em>Jim DeLoach is managing director of Protiviti.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/more-effective-board-risk-oversight/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Redefining Risk</title>
		<link>http://www.directorship.com/redefining-risk/</link>
		<comments>http://www.directorship.com/redefining-risk/#comments</comments>
		<pubDate>Tue, 24 Aug 2010 11:00:10 +0000</pubDate>
		<dc:creator>News Editor</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Deloitte]]></category>
		<category><![CDATA[Henry Ristuccia]]></category>
		<category><![CDATA[Rick Funston]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[sec]]></category>

		<guid isPermaLink="false">http://www.directorship.com/redefining-risk/</guid>
		<description><![CDATA[<p>Boards need to create plans for growth and innovation as well as the unknown and unknowable. To gain some insight into how corporate officers and directors should approach the complex challenge that is risk management, Funston and Ristuccia agreed to be interviewed.</p>
]]></description>
			<content:encoded><![CDATA[<p>As the regulatory climate for public companies continues to focus on further transparency, boards and executive management must prepare their organizations for the risks and opportunities that lie ahead. Directorship.com recently interviewed risk specialists, Frederick (Rick) Funston, who co-authored the recently published book <em>Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise </em>with Stephen Wagner, and Henry Ristuccia, Partner, Deloitte &amp; Touche LLP, and U.S. leader of Deloitte’s Governance and Risk Management services. They agree that risk-taking is necessary for growth, but that it can be detrimental to business if decision making is ill-informed. Boards need to create plans for growth and innovation as well as the unknown and unknowable. To gain some insight into how corporate officers and directors should approach the complex challenge that is risk management, Funston and Ristuccia agreed to be interviewed. What follows is an edited transcript of that interview.</p>
<p><strong><em><a href="http://www.directorship.com/media/2010/08/Henry-Ristuccia.jpg"><img class="alignleft size-full wp-image-18958" style="border: 0pt none;" title="Henry-Ristuccia" src="http://www.directorship.com/media/2010/08/Henry-Ristuccia.jpg" alt="" width="260" height="340" /></a>How should boards be thinking about risk?<br />
</em></strong><strong>Henry Ristuccia:</strong> The SEC has been in existence since 1934 and has historically had four divisions. Last year, a fifth division – the SEC’s Division of Risk, Strategy and Financial Innovation – was created. Legislators, regulators, and the investing public at large are putting much more scrutiny on boards to execute their fiduciary responsibility for oversight – especially of risk management – which is probably one of the most fundamental dimensions of what the board can do.</p>
<p>The question is: What does this mean for boards? It means they need to create more transparency into what management is doing to manage risk. Boards need to look not only at what has happened, but what could happen. More and more organizations are looking at risk factors related to their business strategy. They are asking: What are the assumptions that we’re making and what are the challenges of our business model? Boards need to think outside the boundaries of an organization and look at bigger-picture risk factors, such as macroeconomic and jurisdictional issues. We think that it’s helpful to think of these bigger-picture risks as falling into four categories: strategic, operational, financial and compliance.</p>
<p><strong><a href="http://www.directorship.com/media/2010/08/Rick-Funston.jpg"><img class="alignleft size-full wp-image-18959" style="border: 0pt none;" title="Rick-Funston" src="http://www.directorship.com/media/2010/08/Rick-Funston.jpg" alt="" width="260" height="340" /></a>Rick Funston:</strong> A lot of the questions that we’re getting today from boards really have to do with how prepared the enterprise is for the risk and opportunities that inevitably lie ahead. They’re asking how they can continue to build reputation, revenue, margins, and productivity – <em>and</em> find the unexpected before it finds them. Some of the common recurring themes from board members are: “We don’t want to be blindsided. How can we get assurance from management that management is really on top of things? How do we get independent reassurance that management’s reports are reliable, and what’s the appropriate balance of roles and responsibilities between the board and executives?” Boards don’t really have the tools to help them deal with this, other than the tools that have been used conventionally.</p>
<p><strong><em>What’s wrong with conventional risk management?<br />
</em></strong><strong>Funston</strong>: I think the fundamental problem is that conventional risk management does not work when risk is extreme—which of course is when it’s most needed. Most people assume that extreme events are extremely rare, and yet it seems that we’re having a once-in-a-lifetime crisis every three to four years – and, more recently, every three to four weeks.</p>
<p>Another problem with conventional risk management is that it focuses on the protection of existing assets, which largely has to do with operations reporting, and compliance. The problem with this is that protection of assets is necessary, but it’s not sufficient for competitive advantage. You really need to focus on the risks that you need to take in order to drive growth. You have to manage those risks if you’re developing new products, entering into new markets with new business partners or alliances, or developing new technologies. These are the risks that one might call “frontier risks,” risks that need to be taken to create future growth.</p>
<blockquote><p>“A lot of risk assessments look at the impact and likelihood of a risk event…but likelihood has proven to be a very unreliable indicator.”</p></blockquote>
<p><strong>Ristuccia:</strong> Historically, risk professionals have focused, as Rick mentioned, on certain limited views of risk. There is an opportunity for senior executives to help sponsor and elevate the message and create a culture that allows the organization, the board, executive management, and risk professionals to all work together to identify what an organization’s major risk factors are and what future trends could look like.</p>
<p><strong>Funston:</strong> Directors and executives that we’ve spoken with feel that they’ve been blindsided by risks that never appeared on their radar screen. They thought everything was fine until it wasn’t. What we did in the book, <em>Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise,</em> was to identify some of the reasons why conventional risk management has failed, especially in highly turbulent and uncertain conditions. We also explored alternative ways of finding possible threats to your business model, as well as where the opportunities lie for you to be a real game changer.</p>
<p>In the book, we identified 10 fatal flaws of risk management. One of the most important of them is failing to check your fundamental underlying assumptions. The subprime mortgage crisis is a good example of that. It wasn’t the math that got people into trouble; it was the assumption that the national price of housing in the United States would continue to rise indefinitely, and the choices people made based on that assumption.</p>
<p>Also, there’s generally a lack of vigilance. People aren’t paying attention to what’s going on in the environment around them. They don’t understand the connections in a very complex environment. They don’t factor in velocity.</p>
<p>Another problem is that many executives dismiss worst-case scenarios as implausible, based on their own experience. The challenge then becomes: How can executives constructively challenge the ideas they hold most dear? They need to challenge those ideas, because the things that made them successful are also the things that can end up being the cause of their downfall. They need to challenge what their experience has been, because if you look at some very successful companies that are no longer in existence, you’ll see that they continued to do what they had always done until it was no longer relevant. For example, you could be the best buggy whip manufacturer in the world – but that is irrelevant if there are no longer any buggies. The challenge is to find the unexpected before it finds you.</p>
<p><strong><em>In your research and work, who have been some of your greatest sources of information about risk?<br />
</em></strong><strong>Funston</strong>: I have had the privilege of speaking with some very talented people. Among those was The Honorable Tom Ridge, who was the nation’s first Secretary of Homeland Security. He was very influential. I tried to take his lessons and apply them to the commercial enterprise. He emphasized vigilance, cooperation, threat assessment prioritization, and recognizing that you have to tolerate some level of risk.</p>
<p>Jamie Clark and Esther Colwill are two people who have successfully climbed Mount Everest. They emphasized that you have to be brutally honest with yourself about your skills and abilities. You have to be very, very well prepared for all kinds of contingencies, but you have to know your limits—even while you’re trying to extend them. You need to be confident, but beware of false confidence.  According to Clark and Colwill, most mountaineering accidents happen on the way down. People are very cautious trying to make the ascent but they’re less cautious—particularly the more they’ve done it—as they come down.</p>
<p>Bill McCabe, a former B-52 pilot and later a commander, and Matt Sharp, who was in the U.S. submarine force, both emphasized the importance of operational discipline – how important it is to do everything humanly possible to understand and manage the risks, leaving nothing to chance, so that you can complete your mission successfully and still come home safely. Their mantra was, “Hope for the best but prepare for the worst.”</p>
<p><strong><em>Describe the concept of velocity. What can corporate leaders learn from them so they’re not caught off guard by velocity of change?<br />
</em></strong><strong>Funston</strong>: If I were to ask Mario Andretti how quickly things can go wrong when he’s driving at 180 miles per hour, the answer is pretty obvious—it’s the snap of a finger.</p>
<p>It’s very important to factor in velocity and to think about how effective and timely your response will be to a crisis situation. The key is to think about both speed and impact. How fast can things happen and how fast can you respond?</p>
<p>A lot of executives aren’t used to thinking along these lines. Traditional approaches to risk assessment don’t consider velocity—how bad the situation can get or, inversely, how good it can get and how fast it can get that way. A lot of risk assessments look at the impact and likelihood of a risk event, but likelihood has proven to be a very unreliable indicator. The problem is that highly unlikely causes of failure can still result in a meltdown.</p>
<p><strong><em>Where do you see today’s companies making their mistakes while “descending the mountain?” Are companies not asking the right questions?<br />
</em></strong><strong>Funston</strong>: I think part of the issue is that success breeds complacency – or it can. It’s very difficult to try and convince someone who is successful that they should do things differently. Our recommendation is to continue to challenge your assumptions about what has made you successful and see whether there are any signs that things are changing. You must maintain constant vigilance in an environment where things are changing and ensure that you are alert to those signals.</p>
<p><strong><em>You make a cogent point about how directors need to think of the corporations they oversee as “living entities.” Would you elaborate on that?<br />
</em></strong><strong>Funston</strong>: The average life expectancy for a Fortune 500 company is less than 45 years. For smaller companies, it’s even shorter than that. Rather than thinking of enterprises as inanimate objects, it’s important to think of them as living entities that have high mortality rates and a short life span, despite the apparent advantage that they have a choice about whether to live or to die.</p>
<p>The question then becomes: What are the choices they are making and how are they being made? To be enterprising really means to be bold and willing to take new initiatives that involve risk. Frontier risks, such as entering new products and markets, new alliances, disruptive technologies etc. are where larger and more mature organizations often fail because they often don’t take enough of these risks.</p>
<p><strong>Ristuccia:</strong> There are two imperatives that are applied to any living entity: Survive adversity and thrive—despite uncertainty and turbulence. To do this, it comes down to using intelligence to make better decisions to avoid or manage the risks that cause loss or harm—and doing so while taking calculated risks successfully, thus creating new opportunities and new value.</p>
<p><em>About Deloitte<br />
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see </em><a href="http://www.deloitte.com/about"><em>www.deloitte.com/about</em></a><em> for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see </em><a href="http://www.deloitte.com/us/about"><em>www.deloitte.com/us/about</em></a><em> for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/redefining-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Concerns, Risks Confronting Boards</title>
		<link>http://www.directorship.com/risks-confronting-boards/</link>
		<comments>http://www.directorship.com/risks-confronting-boards/#comments</comments>
		<pubDate>Fri, 18 Jun 2010 13:14:49 +0000</pubDate>
		<dc:creator>Michael Breit and Steven Kreit</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[Home Highlight News Story]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[directorship]]></category>
		<category><![CDATA[Eisner]]></category>
		<category><![CDATA[Eisner LLP]]></category>
		<category><![CDATA[public companies]]></category>
		<category><![CDATA[risks]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=17099</guid>
		<description><![CDATA[<p>Directorship and Eisner LLP present the results of the inaugural survey, which explores financial and reputational risk and how boards gain insight on new topics of interest to their companies.</p>
]]></description>
			<content:encoded><![CDATA[<p>With heightened awareness of the need for corporate governance, American boardrooms are immersed in increasingly intense discussions about the issues of risk and compliance. With these new concerns, directors of public companies are under the microscope more so than ever before. While financial risk remains paramount, all systemic risks lead to financial risk in one way or another.</p>
<p>This survey explores not only financial risk, but the other important areas of risk being discussed in boardrooms, such as regulatory compliance and reputational risk, as well as how boards gain insight on new topics of interest to their companies. The survey results along with our analysis are presented in this report. These insights could impact your thinking and, we hope, spur important discussions.</p>
<div id="attachment_17118" class="wp-caption alignleft" style="width: 260px"><a href="http://www.directorship.com/media/2010/05/Concerns_Eisner-2010-MASTER.pdf"><img class="size-full wp-image-17118  " style="border: 0pt none;" title="Eisner-Cover" src="http://www.directorship.com/media/2010/05/Eisner-Cover.jpg" alt="" width="250" height="340" /></a><p class="wp-caption-text">Click image to download PDF</p></div>
<p>The executive summary outlines our results, but we invite you to read on to understand more about what we are hearing from board members. Risk and compliance are always hot topics. However, with regulatory changes, the effect of the recessions and an uncertain recovery still very much top of mind, these topics are commanding the agendas of boardrooms.</p>
<p>We hope you find this report useful and that you&#8217;ll share your thoughts and ideas with us.</p>
<p>Click below to read and download the report from Directorship and Eisner LLP.</p>
<h2><a href="http://www.directorship.com/media/2010/05/Concerns_Eisner-2010-MASTER.pdf" target="_blank"><strong>Concerns About Risks Confronting Boards: Annual Board of Directors Survey</strong></a></h2>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/risks-confronting-boards/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Way Forward: Creating the Risk Intelligent Enterprise</title>
		<link>http://www.directorship.com/the-way-forward-2/</link>
		<comments>http://www.directorship.com/the-way-forward-2/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 21:30:16 +0000</pubDate>
		<dc:creator>News Editor</dc:creator>
				<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[board]]></category>
		<category><![CDATA[board of directors]]></category>
		<category><![CDATA[Corporate Governance]]></category>
		<category><![CDATA[director]]></category>
		<category><![CDATA[Frederick Funston]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Stephen Wagner]]></category>
		<category><![CDATA[Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=16800</guid>
		<description><![CDATA[Effective risk management is an integral part of value creation and preservation]]></description>
			<content:encoded><![CDATA[<p>In the “good old days” of the post-World War II era, buffers of space and time gave organizations more leeway to react and adapt. Events in remote places seemed to have little impact and were more insulated. Information was available to a relative few, whose power came from their specialized knowledge. Centralized systems of management and control seemed to work. Problems could be reduced to their components and managed separately. Most assets were thought to be tangible and could be protected. Most risks were thought to be known or knowable, and their likelihood predictable. Risks appeared to be far less interdependent.</p>
<blockquote><p>This is an excerpt of <em>Surviving and Thriving in Uncertainty, Creating the Risk Intelligent Enterprise</em> by Frederick Funston and Stephen Wagner (Wiley Books, 2010).</p></blockquote>
<p>Conventional risk management focused on asset protection, typically in the form of insurance. It was also believed that risks could be identified and managed within silos and that risk aversion would maximize shareholder value. Risk was typically seen as a cost, not an opportunity. Risk management programs took “one size fits all” forms. For these and many other reasons, conventional risk management has failed.</p>
<p>In the turbulent and uncertain 21st century, the buffers of space and time no longer exist. Information has become instantly available. It still confers power, but now everyone has it. Communities of interest can form overnight. Centralized control often fails in the face of turbulence. Fixing pieces no longer solves problems. Many assets are now intangible and cannot be protected in traditional ways. Many risk events are unknown and perhaps unknowable.</p>
<p>Surviving and thriving in uncertainty and turbulence requires unconventional thinking and calculated risk taking. The enterprise must be understood holistically and seen as a living organism. Risks must also be understood as opportunities that can be optimized or exploited, not just as costs. Risks must be viewed as interconnected and difficult to contain. Like wildfires, they cross boundaries and must be managed accordingly. If a risk is relevant and potentially life-threatening, be prepared for it.</p>
<p>Everything has changed but human nature. Judgment will always be difficult. The 21st century enterprise must develop a 21st century view of risk and risk management. Nearly all enterprises have certain characteristics in common. They all operate to a large degree in the same macro-economic environment. The “fatal flaws” and corresponding “risk intelligence skills” described in Part II apply almost universally.</p>
<p>That said, every enterprise is also unique and differs from all others in key ways. Every enterprise operates at a different stage of development. It possesses different skills, understanding, awareness, and culture. Each of these distinct characteristics must be considered carefully by leaders trying to improve risk intelligence, along with the unique benefits the enterprise can realize through that improvement.</p>
<p><strong>The benefits of improved risk intelligence</strong><br />
Demonstrating the value of prevention is often difficult. It should be intuitively obvious that the improved ability to protect existing assets while more effectively managing the risks to future growth ought to improve the enterprise’s chances of survival and success. The enterprise that builds risk intelligence into the core ways of running its business can improve its resilience and agility and should realize the following benefits:</p>
<ul>
<li>Challenging basic business assumptions can help identify “Black Swans” and provide first-mover advantage</li>
<li>Defining the corporate risk appetite and risk tolerances can help reduce the risk of ruin</li>
<li>Improving signal detection can provide advance warning and enable more proactive responses</li>
<li>Identifying mission-critical interdependencies can help establish an appropriate margin of safety</li>
<li>Anticipating potential causes of failure can improve chances of survival and success through improved preparedness</li>
<li>Factoring in momentum and velocity can improve speed of response and recovery</li>
<li>Verifying your sources and corroborating the reliability of information can improve insights for decision making and thus the quality of decisions</li>
<li>Taking a longer-term perspective can aid in identifying the potential unintended consequences of short-term decisions</li>
<li>Improving operational discipline helps sustain success</li>
<li>Understanding the Total Cost of Risk (TCOR) can help demonstrate the value proposition and reduce the Cost of Failure while improving risk intelligent enterprise management</li>
</ul>
<p><strong>Making the transformation</strong><br />
Once the enterprise understands its current state of risk intelligence and the best opportunities for improvement, it needs a plan to close the gap and transform the way it comprehends and manages risks to value. It takes time and effort to become a risk intelligent enterprise.</p>
<p>Risk intelligence is not a status or designation that can be attained and then enjoyed ever more. Rather, it is a way of making better decisions amid uncertainty and under turbulent conditions. Thus, risk intelligence is not an end in itself but a way of doing business, not a goal but a developmental journey. By the same token, improving risk intelligence must be a deliberate and sustainable enterprise process, rather than a mere project.</p>
<blockquote>
<p style="padding-left: 30px;"><strong>Voice of experience</strong><br />
“To be successful, risk management has to be a core process of managing the enterprise, not merely a project. A lot of directors seem to think that because they devise a ‘strategy’ to deal with known risk, they’ve got a good handle on risk. My perception is that they don’t. Too often, all they want to do is identify the top 10 risks based on what people know. It’s a project approach—and that’s not what’s really needed. A systematized approach of understanding the most basic business assumptions has more long-lasting potential.”</p>
<p style="padding-left: 30px;"><em>—Larry Rittenberg, Professor and Chairman Emeritus, Committee of Sponsoring Organizations of the Treadway Commission (COSO)</em></p>
</blockquote>
<p>Developing and applying the necessary supporting processes, systems, and tools enterprisewide requires a “fractal” approach, in which any part of the whole embodies the properties of the whole. That implies that skills, processes, systems, and tools are common at every organizational level.</p>
<p>To be effective, these processes, systems, and tools must be deployed throughout the enterprise and applied with discipline. Although they will be applied differently at different levels, if the skills, processes, systems, and tools work for senior executives and the board, then directors and executives should have confidence that they will work elsewhere. Also, as with any skills, the more you practice, the better you become—provided you practice properly and maintain discipline.</p>
<p>At its best, risk intelligence informs every area of the business at every level such that the practices become part of every function, strategy, initiative, decision, activity, and job. This entails making risk intelligence an organizational value on the order of practicing true customer focus or achieving high quality through zero defects.</p>
<p>Such values do not come about by themselves or by executive decree or through a one-shot training initiative, a short-term project, or a “check the box” approach. They come about because the board and management view them as worthwhile, practice them publicly, recognize them in compensation programs, and embed them in core processes and systems.</p>
<p><strong>The transformation challenge</strong><br />
In many organizations, despite the number and severity of risk management failures, executives still remain unconvinced of the business case for improved risk intelligence and thus risk management. Given this, there are several possible explanations as to why transformation efforts may fail.</p>
<p>For starters, even though the greatest value of risk management is prevention and preparation, demonstrating its value in advance often proves daunting. People may say, “That can’t happen here,” or “It can’t happen again,” or “We’re too smart to let that happen to us.”</p>
<blockquote><p><strong>Voice of Experience</strong><br />
&#8220;People don&#8217;t see the need for prevention until it&#8217;s too late. Obviously when a crisis occurs, everyone recognizes the need; it&#8217;s self-evident. It ought to be obvious that prevention is less expensive and more effective than response and recovery. I’ve tried to create recognition of the need for prevention in stages by starting with a risk scan. Let’s make sure we understand the risks that we have in the organization and the need to take some actions to mitigate the risk, understand it more, and be more involved in what this looks like.&#8221;</p>
<p><em>&#8211;Suzanne Hopgood, director</em></p></blockquote>
<p>Prevention, therefore, is much less likely to receive priority, especially when resources are scarce. A clear statement of the TCOR may be required to demonstrate the value of improved prevention and preparation. Even when executives are convinced of the value, those who try to implement a systematic approach may experience flawed or prolonged execution.</p>
<p>Generally, it is best to aim for rapid implementation by building more systematic consideration of risk to value directly into core business processes. Early wins are important to demonstrate value. Nothing succeeds like success, and word of mouth can aid implementation.</p>
<p>Lack of program management such as specific milestones and metrics as well as a failure to recognize the level of effort required can contribute to failed implementation. The implementation may also fail if the implementation team lacks dedicated, credible, and capable resources; if the vision and expectations are poorly communicated; and if the enterprise lacks a common language of risk. Difficulties in reconciling the different perspectives of various specialist silos also can result in a lack of cross-functional alignment and coordination.</p>
<p><strong>Conclusion</strong><br />
The first part of this book addresses the reality that conventional risk management has failed. The 21st century enterprise requires an unconventional approach to the understanding and management of risk to value in times of uncertainty and turbulence. Because turbulence cannot be predicted or modeled, the enterprise needs to improve its vigilance and preparedness.</p>
<p>The second part of the book describes 10 risk intelligence skills that ought to be common to directors, officers, and employees even if the challenges and decisions they must make will be different. The development of these ten skills is, of course, no absolute guarantee of success. However, their absence is likely a harbinger of fatal flaws that could lead to the demise of the enterprise.</p>
<p>The third part of the book describes the characteristics of the risk intelligent enterprise and the responsibilities of directors, officers, and employees. It outlines steps that can be taken to improve risk intelligence. It also discusses some missteps that ought to be avoided.</p>
<p>While all these parts when taken together may seem to be onerous and costly, the reality is that decisions that affect the enterprise’s survival and success are made every day at every level of the enterprise. This is enterprise management.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/the-way-forward-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An Integrity Checklist for Boards</title>
		<link>http://www.directorship.com/white-flags/</link>
		<comments>http://www.directorship.com/white-flags/#comments</comments>
		<pubDate>Thu, 01 Apr 2010 13:27:57 +0000</pubDate>
		<dc:creator>Michael Ross</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[In Practice]]></category>
		<category><![CDATA[Print Magazine]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[board communication]]></category>
		<category><![CDATA[board of directors]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[Compensation]]></category>
		<category><![CDATA[consent]]></category>
		<category><![CDATA[corporate culture]]></category>
		<category><![CDATA[Corporate Governance]]></category>
		<category><![CDATA[director]]></category>
		<category><![CDATA[disclosure]]></category>
		<category><![CDATA[Michael Ross]]></category>
		<category><![CDATA[stakeholder]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=16205</guid>
		<description><![CDATA[Signs that the corporate culture has ethics and integrity as high priorities.]]></description>
			<content:encoded><![CDATA[<p>There is no doubt that corporate culture plays an important part in determining whether or not a company is likely to be involved in a corporate scandal. Now, more than ever, directors and CEOs of public companies want to understand and shape their corporate culture. In a prior article, <a href="http://www.directorship.com/frauds-red-flags/ " target="_blank"><strong>“Fraud’s Red Flags,”</strong></a> I identified and discussed some warning signs of a corporate culture that is likely to breed trouble.  This article addresses signs that the corporate culture has ethics and integrity as high priorities.</p>
<p><strong>1.</strong> <strong>Truth</strong><br />
This is a powerful principle. It has been stated simply as, “Say what you do, and do what you say.”</p>
<div id="attachment_16261" class="wp-caption alignleft" style="width: 185px"><a href="http://www.directorship.com/media/2010/03/Mike-Ross-Photo-insert.jpg"><img class="size-full wp-image-16261" title="Michael Ross" src="http://www.directorship.com/media/2010/03/Mike-Ross-Photo-insert.jpg" alt="" width="175" height="256" /></a><p class="wp-caption-text">Michael Ross</p></div>
<p>When searching for solutions to problems, there are often several alternatives. Directors and senior management often engage in cost-benefit or risk-reward analysis, and sometimes obtain expert opinions. This is certainly appropriate, but in some instances, decisions can be reached, or at least some alternatives eliminated, by simply sticking to the facts. When an alternative has the “benefit of being true,” it is likely to be a viable one.</p>
<p>Decisions based on the assumption, or hope, that “no one will know” are very likely to turn out badly. This is probably truer now than historically was the case because there are so many parties interested in finding the truth for their own purposes. It is not just the press, the various levels of Federal, state and local government and the class action bar. There are also shareholder activists, special interest groups, whistle-blowers and bloggers. They are all out to “scoop” the company with some evidence of the truth that has not been told by the company.</p>
<p>Illustrations of the importance of truth come from many of the investigations of wrongdoing by corporate executives. These investigations often turn from the underlying allegations of substantive violations of law to allegations of obstruction of justice, commonly making false statements to government officials or destruction of documents. How different might the result have been if Martha Stewart had been motivated by truth as a guiding principle during the investigation of her alleged insider trading?</p>
<p>Truth promotes long-term credibility and inspires confidence among the company’s constituencies. A company’s reputation for truthfulness can facilitate dealings with regulators, help manage investigations into alleged wrongdoing and get the company’s story effectively communicated to the public. We know how we feel about companies whose explanations do not make sense or contradict prior explanations, and it is not good.</p>
<p><strong>2.</strong> <strong>Disclosure</strong><br />
A general inclination toward disclosure can be a sign of a healthy corporate culture. If the issue is whether or not to disclose material unfavorable facts, stretching to rationalize non-disclosure can be dangerous. A good general indicator of integrity is management’s willingness to disclose material adverse facts. Disappointing financial results or other adverse developments are bad enough, but the failure to make required disclosures compounds the problems. Material misstatements and omissions will cause the company to bear the costs of investigations and litigation, and possibly fines, damages and the loss of credibility with investors and the public.</p>
<p>The disclosure question arises in many contexts, e.g., public company reports and releases to investors, regulatory filings, certifications to creditors, advertisements and promotions and product labeling. Senior management’s propensity to engage in effective disclosure and resist burying salient facts in fine print or behind puffery is an indication of integrity.</p>
<p>There are, however, exceptions to the benefits of disclosure. Competition requires keeping secrets. Strategies for reducing the pressures from Wall Street for short-term profits may include limiting or eliminating disclosure of projections and “guidance.” Shareholder activists tout “transparency” as a bellwether of good corporate governance, but there are limits. For example, when pressures for disclosure become a de facto requirement that a company post its code of business conduct on its web site, the benefits of “transparency” may be outweighed by the costs. The incentives to create and take competitive advantage of a confidential, superior code are lost; many companies merely look to see what is prevalent in the industry, and there is a tendency for the substance of the codes to sink to the “lowest common denominator.”</p>
<p><strong>3.</strong> <strong>Clarity of Communications</strong><br />
The business world is full of important communications. Companies constantly communicate with numerous audiences by a variety of means. Clarity in these communications is a sign of a well-run business and a healthy corporate culture. Fuzzy language is often a pretty good indicator of fuzzy thinking.</p>
<p>For the board of directors to discharge its responsibilities, management must give directors clear information about the company’s strategy and its plans for execution. When (not if) problems arise, communications often break down, and what communication there is becomes unclear. The board must insist, in good times and bad, that management give the board concise, understandable information on a timely basis.</p>
<p>For its part, the board must be direct with management about what information it wants, and how and when it wants it. In setting policy, the board must be certain that management understands the policy, the rationale for it and how the board expects to see the policy implemented and its effectiveness measured.</p>
<p>Management should be clear with analysts and investors in describing the company’s strategy, plans and results. Confusion in the marketplace will generally lead to lack of confidence, and that will usually adversely affect shareholder value.</p>
<p>Clarity is also important in communications to customers. In advertising, marketing, promotions, labeling, warranties, disclaimers and customer relations, management should be sure customers know what they are buying and what they are not buying. Putting the bad news in the “fine print” is not likely to be a sensible long-term tactic. Bold print might do a better job.</p>
<p>Employees cannot be expected to perform unless they understand what is expected of them, and the consequences for them and the company of success and failure. To avoid misunderstanding, multiple communications, by various means, may be necessary. When it comes to codes of conduct and compliance, effective communications should include the reasons for the rules and illustrative examples.</p>
<p>If management’s communications with regulators are straightforward, the company should gain a reputation for integrity that will pay off in the long run. Regulators will be around forever, and the regulatory, institutional memory is long. Regulators will discover and seize upon inconsistent company communications to various constituencies, e.g., investors, customers and employees.</p>
<p><strong>4.</strong> <strong>Consent</strong><br />
Consent goes hand in hand with disclosure. It is often the next logical step. Consent is relevant with many constituencies, not just shareholders, but also employees, customers and suppliers.</p>
<p>Consent is not always required, as a matter of law, contract or otherwise. In many circumstances, it is not advisable or practicable to obtain consent. Consent may be implied in some situations, such as when a customer has full and fair disclosure about the company’s products or services, and makes a purchase. In more sensitive contexts, such as the confidentiality of personal medical or financial information, advance written consent may be more appropriate.</p>
<p>This is not to say that public companies should seek shareholder consent for actions that do not require shareholder consent as a matter of law. It also does not mean that companies should give counter-parties more consent rights than are customarily negotiated in commercial contracts or corporate transactions. The principle of consent may, however, be instructive in making decisions about the treatment of stakeholders. We know from our personal experience when we think that our consent is required, and how we feel when our consent is obtained and when it is not.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/white-flags/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Balancing Risk and Reward: Time to Overhaul Oversight Processes</title>
		<link>http://www.directorship.com/balancing-risk-and-reward/</link>
		<comments>http://www.directorship.com/balancing-risk-and-reward/#comments</comments>
		<pubDate>Mon, 15 Feb 2010 15:54:46 +0000</pubDate>
		<dc:creator>Alex Wittenberg</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[Magazine]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Blue Ribbon Committee]]></category>
		<category><![CDATA[nacd]]></category>
		<category><![CDATA[National Association of Corporate Directors]]></category>
		<category><![CDATA[Oliver Wyman]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=15185</guid>
		<description><![CDATA[Boards of directors, in collaboration with their management teams, are being called upon to revise risk-oversight processes.]]></description>
			<content:encoded><![CDATA[<p>Boards of directors, in collaboration with their management teams, are being called upon to revise risk-oversight processes.</p>
<p><a href="http://www.directorship.com/media/2010/02/IP_Wittenberg.jpg"><img class="alignleft size-full wp-image-15276" style="border: 5px solid white; margin: 5px;" title="IP_Wittenberg" src="http://www.directorship.com/media/2010/02/IP_Wittenberg.jpg" alt="" width="250" height="350" /></a>“The Report of the National Association of Corporate Directors (NACD) Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward” focuses particular attention on explicitly considering risk in making strategic decisions, defining the corporate risk appetite, and designing financial analytics and reporting.</p>
<p>The report, based on a year-long study with Oliver Wyman, can be viewed within the larger context of growing stakeholder demands and expectations for greater risk transparency and disclosure. In particular, stakeholders are looking for greater information on how the company manages risks, the company’s risk profile, risk drivers, risk volatility and the potential impact on performance.</p>
<p>It is clear that directors must address concerns about risk oversight, but many will be challenged. Here are some guidelines to consider:</p>
<p><strong>1. </strong><strong>Understand the business’ key drivers of success.</strong></p>
<p>Directors must understand the factors that drive success and introduce and/or amplify volatility in the company’s performance. Risk and strategy discussions must be based on information about the sources of risks under alternative strategies, how key risks contribute to the overall corporate risk profile, the potential variability in its financial performance, and how risks interact and aggregate under alternative scenarios. The close examination of factors affecting success is critical to understanding the main sources of the company’s value creation.</p>
<p><strong>2. Make explicit the risk appetite implicit in the company’s strategy.</strong></p>
<p>All businesses take risks to generate returns, but the types of risk taken, the levels of risk to which the company is exposed, and how and where risk is taken must be an input into strategy decisions, not a collateral by-product.<br />
Risk appetite is defined as the amount of risk that the enterprise is willing to accept; risk tolerance is the degree of variance from risk appetite that the enterprise is willing to accept. A defined risk appetite including both quantitative elements (such as target debt rating, target and minimum leverage ratios and exposure concentration limits) and qualitative elements (such as reputational risk and operational risk-tolerance levels) is a critical basis for assessing alternative strategies, allocating capital and resources, selecting risk mitigation and response strategies and providing for effective communication with stakeholders, including capital markets.</p>
<p>When the board and management discuss strategy, they make decisions about which risks the company will accept and take.  Given this, directors must not simply “review and concur with” management’s strategic plans, but must offer active input into management’s portfolio view of strategic alternatives and capital investments, giving explicit consideration to the risk profiles and risk/reward trade-offs associated with each option. This has two significant implications: first, management and the board will require a process and methodology to compare the risks, rewards and volatility presented by strategic alternatives; and second, this information must be considered within a clearly defined risk appetite, and associated tolerances, against which the acceptability of alternative risk profiles can be evaluated.</p>
<p><strong>3. Define the role of the full board versus its standing committees with regard to risk oversight.</strong></p>
<p>The full board must have primary responsibility for risk oversight with active review of the risk-reward balance in strategic plans, the company’s risk appetite and tolerances, and the overall risk profile.  This role cannot be delegated to a specific committee.</p>
<p>Committees can still play a critical role in supporting the full board by focusing on key areas such as financial-reporting risks or nominating risks. To date, many boards have delegated risk oversight to the audit committee. Consistent with recommendations from external bodies, such as the New York Stock Exchange, the report notes that this committee or a risk committee may play a role in overseeing the company’s risk-management system and can serve to aggregate risk analysis to present to the full board.</p>
<p>The role of the board and committees should be detailed in board charters and risk-management documents that specify the risks to be addressed by the committee and the information and reporting processes that the committee requires to execute oversight roles.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/balancing-risk-and-reward/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NACD Defines Board’s Objectives for Risk Oversight</title>
		<link>http://www.directorship.com/nacd-risk-oversight/</link>
		<comments>http://www.directorship.com/nacd-risk-oversight/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 16:23:54 +0000</pubDate>
		<dc:creator>Directorship Editors</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[Magazine]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Admiral William Fallon]]></category>
		<category><![CDATA[aggregation]]></category>
		<category><![CDATA[alex wittenberg]]></category>
		<category><![CDATA[alfred berkeley]]></category>
		<category><![CDATA[barbara franklin]]></category>
		<category><![CDATA[board of directors]]></category>
		<category><![CDATA[BRC]]></category>
		<category><![CDATA[BRC Commissioners]]></category>
		<category><![CDATA[brian wolohan]]></category>
		<category><![CDATA[charles elson]]></category>
		<category><![CDATA[chief risk officer]]></category>
		<category><![CDATA[Corporate Governance]]></category>
		<category><![CDATA[cro]]></category>
		<category><![CDATA[Cynthia Fornelli]]></category>
		<category><![CDATA[david landsittel]]></category>
		<category><![CDATA[David Nadler]]></category>
		<category><![CDATA[David Swinford]]></category>
		<category><![CDATA[Dennis Beresford]]></category>
		<category><![CDATA[e. norman veasey]]></category>
		<category><![CDATA[holly gregory]]></category>
		<category><![CDATA[ira millstein]]></category>
		<category><![CDATA[John Castellani]]></category>
		<category><![CDATA[John Olson]]></category>
		<category><![CDATA[john stout]]></category>
		<category><![CDATA[jonathan sokobin]]></category>
		<category><![CDATA[karen hastie williams]]></category>
		<category><![CDATA[Ken Daly]]></category>
		<category><![CDATA[key governance principles]]></category>
		<category><![CDATA[Mary Pat McCarthy]]></category>
		<category><![CDATA[michael oxley]]></category>
		<category><![CDATA[michele hooper]]></category>
		<category><![CDATA[nacd]]></category>
		<category><![CDATA[national association of corprate directors]]></category>
		<category><![CDATA[Peter Clapman]]></category>
		<category><![CDATA[Peter Gleason]]></category>
		<category><![CDATA[reatha clark king]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Robert Hallagan]]></category>
		<category><![CDATA[standing committee]]></category>
		<category><![CDATA[steven lazarus]]></category>
		<category><![CDATA[Theodore Dysart]]></category>
		<category><![CDATA[William McCracken]]></category>
		<category><![CDATA[william white]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=13487</guid>
		<description><![CDATA[Directors must open the dialogue on how best to establish risk assessment and management guidelines.]]></description>
			<content:encoded><![CDATA[<p>Editor’s note: The National Association of Corporate Directors’ newly published Blue Ribbon Commission Report on Risk Governance examines the objectives of the board’s risk oversight activities, the link between strategy and risk, and the board’s role concerning risk. The BRC report considers how boards might achieve their risk oversight objectives. The report focuses on the critical link between strategy and risk and considers the role of the board and its standing committees in relation to specific categories of risk. What follows is an excerpt. The full report is available from the NACD at www.nacdonline.org/publications.</p>
<p>When it comes to risk and risk oversight, it’s easy to miss the forest for the trees. The board can lose sight of the big picture; risk-taking may yield rewards, and excessive caution may lead to mediocre performance, and even losses.</p>
<p>It is perfectly appropriate—indeed essential—to the health of our economy, and to product innovation and enhancement, for some companies to adopt business models and strategies that have greater risks than others. In successful businesses, however, boards and management work together to define an acceptable level of risk that produces the greatest opportunity for reward. Without risk, there is no reward. True, there may be a need to curb unbridled risk-taking in certain core industries or large companies, but clearly no single solution fits all situations.</p>
<p>Just as corporate America and, indeed, businesses and policymakers worldwide are taking a step back to reassess the state of risk management, every board is well advised to step back and consider its risk oversight objectives.</p>
<p>Before considering how the board should oversee the organization’s activities to manage risk, it is helpful to consider the goals and objectives of this oversight effort. What should the board seek to accomplish in its oversight role?</p>
<p>It is important to note that “oversight” is used in a broad manner in this report; it incorporates both the monitoring function of directors as well as decision-making that involves business judgment.</p>
<p>While risk oversight objectives may vary from company to company, every board should be certain that:</p>
<ul>
<li>The risk appetite implicit in the company’s business model, strategy, and execution is appropriate.</li>
<li>The expected risks are commensurate with the expected rewards.</li>
<li>Management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company’s business model and strategy.</li>
<li>The risk management system informs the board of the major risks facing the company.</li>
<li>An appropriate culture of risk-awareness exists throughout the organization.</li>
<li>There is recognition that management of risk is essential to the successful execution of the company’s strategy.</li>
</ul>
<p>While individual boards may have other, more specific risk-oversight goals, by clarifying these overarching objectives at the outset, a board will be better positioned to determine how to conduct its oversight.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/nacd-risk-oversight/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Risk Intelligent Governance: A Practical Guide</title>
		<link>http://www.directorship.com/practical-guide-for-boards/</link>
		<comments>http://www.directorship.com/practical-guide-for-boards/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 16:34:44 +0000</pubDate>
		<dc:creator>News Editor</dc:creator>
				<category><![CDATA[Articles & Research]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[corporate boards]]></category>
		<category><![CDATA[Deloitte]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk culture]]></category>
		<category><![CDATA[risk governance]]></category>
		<category><![CDATA[risk intelligence]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=10191</guid>
		<description><![CDATA[<p>To raise a company's risk intelligence, boards must first engage in a crucial dialogue with management.</p>
]]></description>
			<content:encoded><![CDATA[<p>Without a doubt, risk governance is an essential area of focus for corporate boards. An uncertain economy has left many public company directors asking how they can make significant changes to prevent future setbacks. Deloitte explores the role of risk management and how best to implement new strategies.</p>
<p>Deloitte&#8217;s guide is broken down into six sections:</p>
<p>1. Define the board’s risk oversight role</p>
<p>2. Foster a Risk Intelligent culture</p>
<p>3. Help management incorporate Risk Intelligence into strategy</p>
<p>4. Help define the risk appetite</p>
<p>5. Execute the Risk Intelligent governance process</p>
<p>6. Benchmark and evaluate the governance process</p>
<p>Allocating risk management resources in a cost-effective manner; assisting in shaping the organization&#8217;s response to regulatory issues; employing risk management for competitive advantage; and driving long-term growth while preserving assets are integral to a board&#8217;s risk intelligence process.</p>
<p><strong><a href="http://www.directorship.com/media/2009/09/Deloitte091509.pdf">Click here to read the full report.</a></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/practical-guide-for-boards/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fifteen Risk Factors for Poor Governance</title>
		<link>http://www.directorship.com/fifteen-risk-factors-for-poor-governance/</link>
		<comments>http://www.directorship.com/fifteen-risk-factors-for-poor-governance/#comments</comments>
		<pubDate>Tue, 08 Sep 2009 19:45:19 +0000</pubDate>
		<dc:creator>Walter Smiechewicz</dc:creator>
				<category><![CDATA[Accounting & Audit]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[accounting]]></category>
		<category><![CDATA[Corporate Governance]]></category>
		<category><![CDATA[financial crisis]]></category>
		<category><![CDATA[governance scores]]></category>
		<category><![CDATA[metrics]]></category>

		<guid isPermaLink="false">http://www.directorship.com/?p=9938</guid>
		<description><![CDATA[A self-diagnostic to identify risk factors for poor governance and reporting]]></description>
			<content:encoded><![CDATA[<p>Some of the best indicators of our overall physical health come from blood tests. Unfortunately, too often we don’t begin to watch and manage these numbers until later on in life. Of course, it’s never too late to improve your diet and exercise, but we’re always left thinking, “if only I’d paid attention to this earlier.”</p>
<p>With so many recent corporate crises, it suffices to say that a great many corporate board members and executives are experiencing similar regret right now. Perhaps this could have been avoided if they too had practiced routine diagnostic checkups. Like an individual blood test, board members need to know the risks their company is facing, and as with any health risk, they also need to be able to mitigate those exposures.</p>
<p>Sounds great, but the devil’s in the details, right? Perhaps not.</p>
<p>As chief consultant for governance and risk at Audit Integrity, I’ve examined the worst U.S. companies from an “integrity” standpoint in order to help board members and general auditors see how their company’s health stacks up. Audit Integrity’s metrics have shown which companies are 10 times more likely to face SEC Actions; five times more likely to face class action litigation; and four times more likely to face bankruptcy.</p>
<p>Using Audit Integrity’s proprietary AGR (Accounting, Governance, and Risk) score, 196 companies were identified as laggards or high-risk companies. These companies have been proven to have higher odds of SEC actions and class action litigation, loss of shareholder value, and increased odds of material financial restatement and bankruptcy. All are North American, non-financial, publicly traded companies with over $2 billion in market capitalization with an average-to-weak financial condition.</p>
<p>Next, I tested the 119 metrics that Audit Integrity flags and discovered that 15 of those metrics appeared consistently as identifiers of problematic companies; the first metric was prevalent in 65 percent of the 196 high-risk companies and the 11th evident in 40 percent. The other 8,000 companies tested had low incidences of these same metrics. A list – dubbed the Risky Business Catalogue – details the common metrics within high-risk companies. Board members, the C-suite, and general auditors should note if their company is a candidate for the RBC. The evidence is not saying that significant issues are imminent if a company has one of the RBCs, but a combination of RBC metrics indicates risk factors to the entity’s business model and strategy.</p>
<p>RBC’s metrics include:</p>
<p><strong>1. The company has entered into a merger within the last 12 months.</strong><br />
While there is certainly nothing wrong with corporate M&amp;A activity, it’s common for policies to be revised and system integrations to be rushed. Company directors need to caution general auditors to be extra vigilant post-merger and increase testing of balance sheet accounts.</p>
<p><strong>2. The CEO and CFO’s compensation is more highly weighted toward incentive compensation than base compensation.</strong><br />
This situation can cause negative motivations and earnings to be increased more creatively to ensure a larger portion of executive pay packages. Close attention should be paid to revenue recognition.</p>
<p><strong>3. The Board Chairman is also the CEO.</strong><br />
An age-old debate, but indisputably conflicts of interest invariably result when a company CEO is also its Chairman. Separate the roles to improve governance and reduce compromised oversight. Compromised reliability exists because the very architecture of governance has a built-in conflict when the Chairman is also CEO.</p>
<p><strong>4. The company has undergone a restructuring in the last 12 months.</strong><br />
Restructuring may be completely valid, but also can be employed to conceal the lack of sustainable earnings growth. Directors, by role definition, should be intimately involved in restructuring procedures, decisions and promised outcomes.</p>
<p><strong>5. The company has encountered a public regulatory action in the last 12 months.</strong><br />
Many corporate stakeholders hold true to the statement that where there’s smoke, there’s fire. Directors should no longer accept “no worries” explanations on regulatory matters. Compliance tests should be employed routinely and if regulatory action does occur, management needs to take action.</p>
<p><strong>6. The amount of goodwill carried on the balance sheet, when compared to total assets, is high.</strong><br />
When intangible assets such as goodwill grow, boards should ask more probing questions about how the business model generated these assets and about concomitant valuation protocols. General Auditors should confirm that models are comprehensively back tested and impairment procedures are adhered to assiduously.</p>
<p><strong>7. The ratio of the CEO’s total compensation to that of the CFO is high.</strong><br />
If a CEO is awarded a much larger paycheck than anyone else (particularly the CFO), it increases governance risk and leads to a top-directed culture, thus limiting collaboration. Boards need to be involved in all executive compensation issues including that which drives pay packages for the CFO, Chief Risk Officer, as well as internal auditors, etc.</p>
<p><strong>8. Operating revenue is high when compared to operating expenses.</strong><br />
Riskier companies have revenue recognition in excess of what is expected based on operating revenues. Directors should fully understand revenue recognition policies and instruct management to test them to be sure they are not aggressive.</p>
<p><strong>9. A Divestiture(s) has occurred in the last 12 months.</strong><br />
Data shows that riskier companies have more divestitures, usually because it is an opportunity for more aggressive accounting activity. Board members should inquire as to how this action fits the strategy.</p>
<p><strong>10. Debt to equity ratio is high.</strong><br />
When a business relies too heavily on debt, it reveals that markets are not independently funding the business model or strategy. Boards should know why the markets are not investing in their entity and therefore why debt is so heavily relied upon. Board members should also be knowledgeable on the quality of their equity and not just the amount. Lastly, they should understand management’s overall funding strategy and the strength of contingent funding plans.</p>
<p><strong>11. A repurchase of company stock has taken place in the last 12 months.</strong><br />
A repurchase of stock is usually presented to investors as an avenue to increase market demand for the stock, thereby elevating overall shareholder value. Management must provide reasoning for why there are no other ways to invest excess funds. Boards should also request the general auditor to review insider sales during the period of share repurchase programs.</p>
<p><strong>12. Inventory valuations to total revenue is increasing.</strong><br />
When inventory increases in relation to revenue it should raise control questions about inventory valuation. It could indicate changing consumer preferences, which should spur an analysis of a corporation’s business model.</p>
<p><strong>13. Accounts receivables to sales is increasing.</strong><br />
This situation can typically be indicative of relaxed credit standards. Directors should ask whether sales are decreasing due to market conditions and instruct the general auditor to probe receivables to determine their viability.</p>
<p><strong>14. Asset turnover has slowed when compared to industry peers.</strong><br />
If assets are increasing and sales are not flowing it could indicate less productive assets are being brought, or retained, on the balance sheet. Conversely, if sales are decreasing, executives and auditors will again want to analyze changing customer preferences.</p>
<p><strong>15. Assets driven by financial models make up a larger portion of balance sheet.</strong><br />
A collection of other accounting metrics indicates that boards, the C-suite, and general auditors should pay special attention to the controls, assumptions, and governance surrounding assets whose valuations are model driven. This is particularly true if assets that are valued by financial models make up a larger portion of the entity’s balance sheet.</p>
<p>To be sure, any one of these in isolation as an indicator of accounting and governance risk can be debated. Company divestitures and M&amp;A can be a healthy indicator. But if a corporation fails more than a few of these metrics, board members need to take action.</p>
<p>It is easy to dismiss any one of these metrics when you find it is an issue in your company.  Human nature is quick to retort – maybe for others but not for us.  However, like time and tide, the numbers too, wait for no one.  So, if you have any of these AGR metrics, you need to begin confronting these risk characteristics today to improve your corporate health and avoid the much more drastic financial equivalent of cardiovascular surgery tomorrow.</p>
<p><em>Walter Smiechewicz is chief consultant for governance and risk at Audit Integrity, a research firm that provides accounting and governance risk analysis </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.directorship.com/fifteen-risk-factors-for-poor-governance/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
	</channel>
</rss>

