Risk oversight is a top-of-mind issue for Boards because of the expectations spawned by the financial crisis and the unanswered questions around what Directors might have – or should have – done to thwart that crisis. Since the financial crisis, many believe that Directors in the financial services industry, for example, must do more to avoid another crisis down the road. There are many reasons why the Board’s risk oversight process can fail. We offer 10 of them here.
1. Lack of a robust process for identifying, prioritizing, sourcing, managing and monitoring the enterprise’s critical risks – As they discharge their risk oversight responsibilities, Directors are asking many questions of management. These questions often fall into three categories:
- What are our existing significant risks and what emerging risks do we see on the horizon?
- Do we have the capabilities in place to manage these risks?
- To both of the above questions, how do we know?
The absence of a robust process leaves both management and the Board hanging on the “How do we know?” question.
2. Lack of understanding of or a failure to monitor the significant assumptions underlying the strategy – Boards should understand the critical factors that make or break the successful execution of the strategy and ensure a process is in place to monitor changes in the business or regulatory environment that could impact those factors. Change is inevitable; the question is, are the changes helping or hurting?
3. Executive management and the Board are not on the same page with respect to the entity’s risk appetite – Typically, this means there has been insufficient risk appetite dialogue between the Board and management to obtain a high-level view of how much risk the entity is willing to accept and the risks the entity should avoid.
4. Failure to identify and manage emerging risks – The Board must satisfy itself that management brings to bear the appropriate expertise, processes and information to quickly identify new and complex risks to the execution of the enterprise’s strategy and business model and to manage the impact of those risks.
5. Insufficient time to think about the future – Not long ago, a seasoned Director on several Boards acknowledged to me that he could not get any of his Boards to allocate any agenda time to discuss the “unthinkables.” Boards should expect management to consider the implications of “unthinkables” in formulating the corporate strategy. For example, does management have a process for thinking about the “unthinkable” (i.e., the extreme scenarios that could occur over the time horizon covered by the corporate strategy and business plan that could impair the organization’s business model)? Has management considered how the entity would respond should any of these scenarios occur in setting strategy? Has considering these scenarios created awareness of the forces affecting the organization in the present that can make it captive to events in the future? The “group think” embodied in traditional risk assessments typically enumerates risks everyone knows about. The question here is whether there is a process for alerting executive management, and ultimately the Board, of the risks that no one has considered.
6. The company practices “enterprise list management” – Continuous generation of lists of risks over time with no follow-up action to understand and close gaps in risk management capabilities is not good practice. Risk management should impact the core management activities that matter – strategy setting, business planning and performance management, for starters.
7. Drowning in data with little knowledge or insight – We hear many complaints from Directors about risk reporting. The Board needs relevant information about the enterprise’s risks and how those risks are managed. The Board needs useful information from internal and external sources about the continued validity of critical assumptions underlying the strategy. Keeping the risk reporting fresh and informative is an ongoing process.
8. Deficiencies in the enterprise’s “tone at the top” and culture – The financial crisis provided many examples of executive management not setting the proper tone for managing risk. The risk management process was compromised as a result. A short-term focus on making the numbers at any cost can end up with disastrous consequences when the warning signs posted by the risk management function are ignored. While the concepts of balancing and preserving values and emphasizing both short-term and long-term objectives are relatively straightforward, effective leadership and strong discipline are required in order to pull them off. The Board must ensure that the appropriate leadership and discipline are in place; otherwise, dysfunctional behavior, with the attendant consequences, can set in. The question for the Board is: Will the CEO and executive management team heed the warning signs at the crucial moment?
9. Lack of an effective chief risk officer – In organizations where the nature of the business and its risks indicate that a senior risk executive (such as a CRO) should be designated, either no designation has been made or the designated executive does not possess the requisite skills or is not positioned to be successful. For example, the CRO does not possess the stature of the business unit leaders, has no reporting line to the Board or a committee of the Board and may even face constraints in reporting to the Board, never meets with the Board in executive session and/or is not supported by a formalized escalation process to the Board.
10. The Board isn’t organized effectively for risk oversight – This issue can manifest itself in a number of ways. The Board may not be allocating sufficient time and resources to risk oversight. Or the Board isn’t availing itself to the appropriate officers of the company to focus on identifying areas in which management needs to improve the organization’s capabilities and information for managing risk. Or there is insufficient coverage by the Board’s oversight activities of the enterprise’s risks.
Questions for Boards
The following are some suggested questions that Boards of Directors may consider in cooperation with executive management in the context of the nature of the entity’s risks inherent in its operations:
- Has the Board articulated its risk oversight objectives?
- Has the Board evaluated the effectiveness of its risk oversight processes in achieving its risk oversight objectives?
- Is the Board proactively taking steps to address any gaps impeding its risk oversight effectiveness?