The Board's Neglected Risk Responsibility

Imagine you are a member of the board of directors at a diversified equipment manufacturer and you get the following surprise at 5:30 on a Friday afternoon: Two private-equity firms have joined forces to acquire the company. At first, that may sound like good news, since the firms are offering a 30-percent premium to the manufacturer’s market value. The trouble is that their press announcement criticizes the company’s corporate governance approach and promises investors that the buyers will build value by “paying more attention to core competencies and avoiding costly distractions in solutions consulting.”

Let’s suppose a move into consulting services—where the company advises customers on systems using its equipment— was one of the board’s biggest themes over the past few years. Unfortunately, not only have profit projections for the consulting business proven too optimistic, but the margins of the core manufacturing operations that motivated the move have continued to deteriorate. If the deal succeeds, it will represent a vote of no confidence in the job you and your fellow directors have done.

It may not look like a typical example of bad risk management— there’s no dramatic unexpected event or financial failure—but cases like this represent a classic confusion about the risk responsibility of the board and the CEO. The board may have even urged management to invest in solutions consulting as a means of reducing risk. And yet it illustrates the consequences when the board and senior executives second-guess risk assessment at the business-unit level, yet blithely neglect their own responsibility to grasp line management’s competence in making such assessments.

This duty to monitor line management’s competence in risk assessment can be more accurately described as a responsibility to assess risk intelligence across the enterprise. In a nutshell, the board and CEO should get out of the job of assessing risk and into the business of assessing management’s risk intelligence.

There’s an even broader reason for boards and multiline CEOs to focus on risk intelligence rather than risk assessment. In a competitive world, how firms choose their risk portfolio matters more than the size of the risks. In other words, as long as the markets price risk more or less accurately, your company can get into more trouble by selecting risks it’s not well-equipped to manage than it can by merely taking on risks that appear large.

If this is true, then a lot of casual risk-management practices go out the window. First, it means strategies that manage risk by permitting only small ones may destroy value and even the firms that pursue them. Second, it means strategic diversification can be dangerous. And third, it means the return firms earn on the risks they’ve taken may change even when the risks do not.

Learnable Risks

The idea that how firms select risks matters more than risk magnitude applies to one of two broad classes of risk. It doesn’t apply as strongly to the class of purely random risks—risks whose outcomes no one is in a position to forecast better than anyone else. Almost all of the risks in this category are financial, reflecting the pricing of competitive markets that already incorporate all publicly available information. Since they already reflect what there is to know, no one has a forecasting advantage. Examples include interest rates, foreign exchange rates, and the overall value of the stock market.

Risk selection really matters when it comes to the other broad class of risks; these are by far the most widespread. I call them “learnable risks” because however hard it may be to forecast their outcomes, they reflect identifiable forces about which some players may be in a better position to learn than others.

Your company can get into more trouble by selecting risks that it's not equipped to manage than by taking on risks that appear large. 

Take, for example, the simple risk of an operating failure by a hypothetical management team. The team may fumble sales, operate inefficiently, misalign suppliers, or swing between inventory pile-ups and stock outs. It’s a risk that for most companies is almost impossible to predict— almost, but not quite impossible. In principle, if you could learn enough about the operating team, you could predict how it would handle the challenges of the business. Operating failures are risk factors because they’re hard to predict, not because they’re random.