Evergreen Guidance from the NACD

The National Association of Corporate Directors published an authoritative guide in 2009 on risk governance, and the principles outlined therein are as relevant today as ever. Jim DeLoach provides an analysis of each of the 10 principles, demystifying the process of evaluating board risk oversight.

While risk oversight has always been an important part of the board’s agenda, the disruptive financial crisis of 2007-2008 taught everyone a lesson about just how important it is. In the aftermath of the global financial meltdown and credit crunch, risk oversight became an imperative for boards of public companies, particularly in the United States. Boards of listed companies on U.S. stock exchanges across all industries took a hard look at their membership, how they operated and whether their operations and the information to which they have access are conducive to effective risk oversight.

In addition, since the financial crisis, regulators have taken an active interest in board risk oversight. For example, the Securities and Exchange Commission in the United States requires that proxy disclosures shine the spotlight on the board’s role in overseeing the company’s risk management process, directors’ qualifications for understanding the entity’s risks and evaluation of the entity’s various compensation arrangements by the board’s compensation committee to ensure they are not encouraging the undertaking of excessive, unacceptable risks.

As a result, the risk oversight playbook has evolved over recent years, during which time many boards formulated their respective approaches to risk oversight and organized themselves accordingly. To that end, in 2009, the National Association of Corporate Directors (NACD) published its Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward.[1] This report recommends 10 principles to assist boards in strengthening their oversight of the company’s risk management.

According to the report, “The Commission believes that [the 10] principles provide a foundation that boards can use to build a more comprehensive risk oversight system tailored to the specific needs of their respective companies.” We agree. Offered as guidance to directors, they provide a context for understanding the risk oversight process, as well as offer an outstanding framework for a board to use when evaluating its current risk oversight process.

Because these principles stand as relevant today as they did eight years ago, we review them below:

  1. Understand the company’s key drivers of success; and
  2. Assess the risks in the company’s strategy.

These two interrelated principles are especially important, because they focus on understanding what makes the business model work and the risks inherent in the corporate strategy. This understanding provides the foundation for identifying the risks that truly matter – the critical enterprise risks that threaten the execution of the company’s strategy and business model – versus the ongoing risks of managing the business. It is vital that directors understand the risks inherent in the business model, including the key assumptions underlying the continued viability of the business model, and agree with executive management on the company’s risk appetite in the pursuit of enterprise value creation.

  3. Define the role of the full board and its standing committees with regard to risk oversight.

This principle is important, as directors collaborate in clarifying risk oversight responsibilities for the full board and the various standing committees. The NACD Blue Ribbon Commission (BRC) asserts, “… as a general rule, the full board should have primary responsibility for risk oversight, with the board’s standing committees supporting the risks inherent in their respective areas of oversight.” Our experience is that the vast majority of directors agree with this general rule, recognizing there are always outliers due to unique circumstances. To that end, the NACD BRC discusses five categories of risks facing each board – governance risks, critical enterprise risks (as discussed above), board-approval risks, business management risks (i.e., the normal, ongoing day-to-day risks) and emerging and nontraditional risks (e.g., climate change, slowdown in foreign markets, disruptive technological innovation) – and delineates between management’s and the board’s responsibilities.

  4. Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources.

This principle is important, because, too often, risk is an afterthought to strategy and risk management is an appendage to performance management (i.e., risk management is often what the NACD BRC describes as a “side activity”). This principle addresses such issues as positioning of the chief risk officer – or an equivalent executive – for success and looking beyond mere risk identification to consider the adequacy of other dimensions of managing risk (e.g., sourcing, measuring and monitoring risk, as well as mitigating risk through appropriate elements of infrastructure, including policies, processes, people, reporting, methodologies and systems and data).

  5. Work with management to understand and agree on the types (and format) of risk information the board requires.

This principle remains a common issue for many boards. We often hear directors complaining of being overwhelmed with reports while being underwhelmed with insightful information for decision-making. This issue leads to a cry for less and a sharper focus on actionable information (e.g., “tell me what I need to know and recommend what I need to do”). Whether or not there is reliance on quantitative models, reporting should provide different perspectives on a given risk as well as more leading, forward-looking risk indicators.

  6. Encourage dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions.

This principle addresses the need for constructive engagement between boards and management on risk matters. The principle’s reference to challenging assumptions is especially important in light of the financial crisis, after which many questioned whether boards really understood the key variables driving an institution’s success – including the extent of risk-taking – and exposing the institution to failure, and also understood the sensitivity of those variables to changes in markets. When an organization is making a lot of money, directors need to understand why and the risks undertaken rather than applaud as management does a victory dance.

  7. Closely monitor the potential risks to the company’s culture and its incentives structure.

As with the sixth principle, this principle points to another lesson of the financial crisis – the importance of the potential impact of a company’s culture and incentive compensation structure on behaviors, decisions and attitudes toward taking and managing risk. Culture and incentives form the glue that binds all elements of risk management infrastructure together, because they reflect the shared values, goals, practices and reinforcement mechanisms that embed risk into an organization’s decision-making processes and risk management into its operating processes. In effect, they represent a look into the soul of an organization to ascertain whether risk/reward tradeoffs really matter. One of the significant lessons of the financial crisis is the danger of “heads I win, tails you lose” compensation structures for executives whose actions or inaction could expose the organization to significant risks. Such arrangements can poison an organization’s culture.

  8. Monitor critical alignment – of strategy, risk, controls, compliance, incentives and people.

This principle speaks to the importance of aligning critical elements of infrastructure to bring everyone and everything – people, processes and the organization as a whole – on the same page, for without alignment there is likely to be a disconnect between a company’s strategy and its execution. Disconnects can be costly. That all said, alignment is hard for management to achieve. It is even harder for directors to oversee.

  9. Consider emerging and interrelated risks: What’s around the next corner?

Emerging risks are anticipatory in nature and deal with issues that are not on management’s radar. The worst kind of uncertainty is being unaware of what we don’t know; while management has knowledge from internal and external sources, do they really know what they don’t know? The fundamental question raised by this principle is an inquiry as to whether management looks out far enough, is monitoring what matters in the external environment and devotes sufficient time to “connect the dots.” Sooner or later, something fundamental in the organization’s business will change, and whenever disruptive change occurs, a company’s risk profile is likely to be altered in significant ways. Therefore, thinking about the unthinkable and response readiness preparation are key to world-class reaction.

  10. Periodically assess the board’s risk oversight processes: Do they enable the board to achieve its risk oversight objectives?

The last principle advocates applying the best practice of periodic board self-evaluations to the risk oversight process. The assessment of the risk oversight process can be integrated into the periodic assessment of board effectiveness.

In closing, directors can use these 10 timeless principles to assess their board’s risk oversight process to ascertain whether it needs refreshing or redirection. The NACD’s Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward is also worth a close look, as it includes other useful insights on risk governance and oversight that directors and executives may find useful.

Questions for Boards and Executives Supporting the Board

The following are some suggested questions that boards of directors and executive management may consider, based on the risks inherent in the entity’s operations:

  • Has the board articulated its risk oversight objectives? Are those objectives incorporated into the board’s charter?
  • Has the board evaluated the effectiveness of its risk oversight processes in achieving its risk oversight objectives? If so, have the board and executive management considered the NACD BRC’s 10 principles in evaluating the board’s risk oversight processes?
  • Are the board and management proactively taking steps to address any gaps that impede the board’s risk oversight effectiveness?

[1] Available at

Jim DeLoach

Jim DeLoach has over 35 years of experience and is a member of Protiviti’s Solutions Leadership Team. With a focus on helping organizations respond to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner, Jim assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2017.