Editor’s note: The National Association of Corporate Directors’ newly published Blue Ribbon Commission Report on Risk Governance examines the objectives of the board’s risk oversight activities, the link between strategy and risk, and the board’s role concerning risk. The BRC report considers how boards might achieve their risk oversight objectives. The report focuses on the critical link between strategy and risk and considers the role of the board and its standing committees in relation to specific categories of risk. What follows is an excerpt. The full report is available from the NACD at www.nacdonline.org/publications.
When it comes to risk and risk oversight, it’s easy to miss the forest for the trees. The board can lose sight of the big picture; risk-taking may yield rewards, and excessive caution may lead to mediocre performance, and even losses.
It is perfectly appropriate—indeed essential—to the health of our economy, and to product innovation and enhancement, for some companies to adopt business models and strategies that have greater risks than others. In successful businesses, however, boards and management work together to define an acceptable level of risk that produces the greatest opportunity for reward. Without risk, there is no reward. True, there may be a need to curb unbridled risk-taking in certain core industries or large companies, but clearly no single solution fits all situations.
Just as corporate America and, indeed, businesses and policymakers worldwide are taking a step back to reassess the state of risk management, every board is well advised to step back and consider its risk oversight objectives.
Before considering how the board should oversee the organization’s activities to manage risk, it is helpful to consider the goals and objectives of this oversight effort. What should the board seek to accomplish in its oversight role?
It is important to note that “oversight” is used in a broad manner in this report; it incorporates both the monitoring function of directors as well as decision-making that involves business judgment.
While risk oversight objectives may vary from company to company, every board should be certain that:
- The risk appetite implicit in the company’s business model, strategy, and execution is appropriate.
- The expected risks are commensurate with the expected rewards.
- Management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company’s business model and strategy.
- The risk management system informs the board of the major risks facing the company.
- An appropriate culture of risk-awareness exists throughout the organization.
- There is recognition that management of risk is essential to the successful execution of the company’s strategy.
While individual boards may have other, more specific risk-oversight goals, by clarifying these overarching objectives at the outset, a board will be better positioned to determine how to conduct its oversight.

