Is Your Board Ready For ERM?


by FEI Daily Staff

In the wake of the financial crisis, many are wondering about the role of boards of directors in enterprise risk management.

One of the most shocking realizations to emerge from the recent global financial crisis is the extent to which the governing bodies failed to understand the level of risk their organizations had undertaken. Perhaps the most egregious and highly-publicized example is insurance giant American International Group, whose $500-billion foray into credit default swaps not only brought AIG to its knees but came close to capsizing the world financial system.

The list of recent major risk debacles is already legend — Lehman Brothers Inc., Merrill-Lynch Inc. and Countrywide Mortgage Co. in financial services, the Fukushima Daiichi nuclear reactors in Japan, as well as other high-profile examples. Certainly, no board of directors wants to be viewed as asleep at the switch. So, a typical response might be, “we didn’t know” or “no one told us.”

Even so, it is a legitimate question to ask with respect to all of these failures: “Where was the board?”

It can be argued that few, if any, of these board members had a clue about the risk levels company management had assumed. Though there has been considerable discussion about dysfunctional incentive systems excessively rewarding risk-taking on the upside — while failing to penalize risk-taking on the downside in the financial crisis — this seems to apply mainly to management.

Boards, on the other hand, appeared to be existing in a bubble of blissful ignorance, unaware of the “bet the farm” positions their CEOs had undertaken.

In this era, it has gotten much easier to play business roulette with highly exaggerated outcomes because of the existence of derivative financial instruments. By their very nature, derivative values can swing wildly up and down with an impact magnified well over the changes in the underlying asset or value. This inherent volatility is well known. For example, the value of an option on a traded stock is considerably more volatile than the price of the stock itself.

As the financial crisis continues to be dissected by corporate America and regulators, there has been something of an epiphany about risk management, that the governing bodies often were not engaged in appropriate oversight of their organization’s risk exposure. A natural conclusion then is to find ways to improve the level of risk oversight by boards of directors.

Improving Board Oversight of Risk Applying ERM

Congress, through the Dodd-Frank Wall Street Reform and Consumer Protection Act, and the U.S. Securities and Exchange Commission have already acted separately on this front by fiat — requiring organizations to strengthen board risk reporting and mandating improvements in risk communication and disclosure, for example. But even with these regulations in place, the real danger is that boards will pay lip service to their risk oversight duty, making it more a “dot the i’s, cross the t’s” exercise than assuring the organization’s risks are under control.

Enterprise risk management, or ERM, has enjoyed a steady climb in popularity since it took root in the mid- to late-1990s. Every time there is a risk debacle, ERM gains traction. If the world is concerned about organizations that fail to identify and manage risks, there really is only one viable system to turn to — ERM.

It has been repeatedly shown that the old way of managing risks — the silo approach, in which categories of risk are managed independently of each other — is inefficient or ineffective.

In short, ERM is here to stay, because there just isn’t a better system.

As a result, it makes sense to consider whether boards are ready for ERM — ready in the sense of spearheading ERM adoption in their own organizations, or becoming immersed in an existing ERM system. The result: boards must provide strong risk oversight because stakeholders are demanding it, and the boards must be prepared for the challenge.

In fact, it is becoming more common for prospective board members to ask whether the organization has adopted ERM, and even to refuse the position if it has not.

The authors’ recent major study on board risk oversight for The Institute of Internal Auditors, Improving Board Risk Oversight Through Best Practices, involved interviews with board members, risk officers and internal auditors of public companies. Key findings of this study follow.

Board Knowledge, Skills and Training. A good place to start in evaluating the board’s ERM-readiness is to find out how much the members already know about risk management in general, and ERM in particular. Some board members may be familiar with it through service on other boards.

In many cases, board members will require training in ERM fundamentals — risk identification, assessment, response and monitoring. Board members in the study obtained their training by attending various seminars and conferences, and inviting risk consultants to attend board meetings or retreats. Individual directors and the full board should assess their ERM knowledge and determine the training and education needed to perform effective risk oversight.

One aspect of preparation seems obvious but is frequently overlooked — a strong knowledge of the organization’s business and its industry. A participant in the study commented that this knowledge, along with ERM savvy, enables a director to “devise a sense of what things are that adversely impact the company.”

Such knowledge also helps directors assess management’s risk information and have more confidence in it. Related to this is the ability to drill into the financial statement numbers and understand them. Directors should expect that management will help with this. As one director in the study emphasized, the chief financial officer should know “every single page” of the financial information and should be able to respond to any question asked by the board.

A board is also strengthened in its risk oversight when its members possess diverse skills and experiences. Directors with different backgrounds, interests and perspectives should be able to engage executive management in a robust discussion of the organization’s various risks.

Ensure Proper Inclusion of Strategy and Strategic Risks. ERM and strategy setting are basically “two sides of the same coin.” Directors in the study were quick to emphasize the importance of a strong link between strategy and ERM. If such a link is weak, strategies will likely not be aligned with risk management, leading to an ineffective risk management process.

One of the directors even commented, “ERM helped us put our strategy together.” Another director said his board discusses the strategic plan and the risk assessment together. With the increasing concern over strategic risks, it is critical that risk management be front and center in strategy deliberations.

Demand High-Quality Risk Information. Boards should now expect high-quality risk information, and executives must be ready and able to provide it. Gone are the days when executives could merely prepare for a board risk presentation, give well-oiled but evasive answers and run things as usual.

One executive observed that in the past ERM was “easy to fake.” One could just check the boxes. But that is no longer true. Going forward, boards will — and should — ask harder risk questions.

High-quality risk information encompasses several features. One example is a risk presentation where the board sees not just a visual map of the risks and a dashboard with measures of risk on several dimensions, but also the categories that lead executives to conclude why the risk is ranked a certain way.

A few companies have improved the board risk presentation by taking subjective risk assessments and converting them into more precise and explicit risk metrics. One executive explained: “Where we’ve really gone in and tried to pull from the experts are their subjective risk assessments, and then try to calibrate those and put those into a model that actually means something and can be used as a decision-making tool to allocate resources.”

Other companies have improved their risk information by increasing the frequency of the risk reporting. At one company, every board member wants the top 10 risks quarterly, not just once a year. Several companies have focused their presentation on the major risks since those are of primary interest to directors. There is no magic number here but 10 to 20 risks seem to be the norm. Executives can put the other risks in pre-readings for board members who want more.

Another way to improve risk information quality is to incorporate “velocity” — how fast the risk could impact the organization if the event occurs. Dimensions of velocity could include: very rapid, impact evident within a month; rapid, impact evident within a quarter; and slow, impact evident within a year.

Some boards emphasized incorporating velocity because of how rapidly business and the economy are changing. One company acknowledges that its board believed the risk team had not incorporated velocity, and the company was caught unprepared to manage rapidly changing risks.

Another way to improve the quality of risk information is to incorporate emerging and future risks that could impact the business. One company stated, “We also have a list of emerging risks. And this is much more of a dynamic list; there are many more changes to this list than there are for the top 10 [risks].”

Some companies have also changed their lines of risk reporting to ensure better information gets to more board members. In the past, many organizations had defaulted risk reporting only to the board’s audit committee. That trend appears to be changing. More and more, the entire board wants — and needs — to hear and discuss major risks.

One easy method is to have the ERM presentation made to the entire board. One company noted that it “decided the new CRO (chief risk officer) should report to the whole board and not just the audit committee. In this case the CRO has a line directly to the entire board.”

Another approach is to schedule the risk presentation to the audit committee so that the entire board can attend. And another way is to keep it fresh and evolving. A board member observed, “Today, the board gets the [ERM] book ahead of time that shows what’s changed, what hasn’t changed on the list and why. Keeping the process fresh and sharp becomes the role of the board — by keeping an active dialogue on the big risks.”

Provide for Direct Interaction with Risk Officers. There is a natural tension between the CEO and the board on risk oversight. Though the CEO may not wish to actually mislead the board about risk exposures, he or she may be less than forthcoming on the extent of the exposures or the possibility of severe downside. If the organization has a large derivative exposure, the CEO might dismiss concerns over the exposure with a “we’re on top of it,” instead of “it might wipe out our profits for the last quarter.”

Boards should demand that they be permitted and even expected to have direct interaction with the designated risk officers. This doesn’t mean that the CEO is out of the loop on the interaction, but it does allow the board to engage in a give-and-take discussion with the risk officers without any CEO dilution, filtering or spin control.

Be Committed. Probably the single most important variable in board risk oversight is the level of board commitment to the ERM system. It was somewhat disconcerting in the study that much of the success of board risk oversight seemed to hinge on one or two individuals on the board. Sometimes these individuals had experience from other boards that provided the impetus to rally the troops around ERM. Other times, they were merely motivated by surprise risk issues and wanted to ensure better control in the future.

Effective board risk oversight requires an engaged, committed and knowledgeable board as a whole, not just one or two “risk champions” who basically force the issue and make it happen. Should an organization’s health and future depend on one or two on the board?

Good boards are a valuable commodity, offering their organizations a wealth of experience and sound judgment. ERM is one more way of harnessing these skills and directing them toward desirable and profitable outcomes.