Many companies have adopted a risk language to facilitate dialogue within the organization regarding their risks. While we are not aware of an authoritative risk language or model, there are a number of risk models in the public domain that can be useful to ensure the completeness of the event categorization and risk assessment processes.
The central purpose of a common language is to avoid the problem of beginning a risk assessment with a blank sheet of paper with all of the start-up activity that entails. Simply stated, a common language enables busy people with diverse backgrounds and experience to communicate more effectively with each other and identify relevant issues more quickly regarding the sources of uncertainty in a business.
As the Board of Directors engages executive management in conjunction with exercising its risk oversight responsibilities, the question arises as to whether there is a simple “risk language” the Board should adopt to focus its dialogue properly and ensure the bases are covered. While each Board must decide for itself whether or not a risk language is useful given the nature of the enterprise’s operations, we explore five broad risk categories directors may want to consider as a way of focusing their dialogue with executive management.
We like the five broad risk categories recommended by the National Association of Corporate Directors (NACD). They are: governance risks, critical enterprise risks, Board-approval risks, business management risks and emerging risks. These categories are sufficiently broad to apply to every company, regardless of its industry, organizational strategy and unique risks. More importantly, they provide a context for Boards and management to understand the scope of the Board’s risk oversight, as well as the delineation of the Board’s oversight responsibilities and management’s responsibilities for identifying, evaluating, managing and monitoring risk.
Each of these categories of risk is discussed below.
Governance risks. These risks relate to directors’ decisions regarding Board leadership, composition and structure; director and CEO selection; CEO compensation and succession and other important governance matters critical to the enterprise’s success. Often, these decisions require directors to weigh the pros and cons associated with alternative courses of action. While Boards can periodically benchmark their processes for evaluating these matters by considering best practices employed by other Boards weighing similar decisions, they often must rely on their collective business judgment, knowledge of the business and information provided by third-party advisers, including search firms, compensation consultants and legal counsel.
Key point: These matters are exclusively within the Board’s domain.
Critical enterprise risks. These risks are the ones that really matter, the top five to 10 risks that can threaten the viability of the company’s strategy and business model. Certain risks require directors to have the necessary information that will prepare them for substantive discussions with management about how these risks are managed. The criticality of these risks – such as credit risk in a financial institution or supply chain risk in a manufacturer – may require full Board engagement as well as an ongoing oversight process.
While management is responsible for addressing these risks, the Board should consider its own information requirements for understanding management’s effectiveness in addressing them. For example, the Board might require management to report on the impact and likelihood of the risk on key strategic goals as compared to other enterprise risks, as well as the status of risk mitigation efforts with input from the executives responsible for managing specific risks. Other examples of relevant information useful to the Board might include the effects of technological obsolescence, changes in the overall assessment of risk over time, the effect of changes in the environment on the core assumptions underlying the company’s strategy and interrelationships with other enterprise risks.
Key point: These risks should command a prominent place on the Board’s risk oversight agenda. The Board should satisfy itself that management has in place an effective process for identifying the organization’s critical enterprise risks so that the Board’s risk oversight is properly focused.
Board-approval risks. These risks relate to decisions the Board must make with respect to approving important policies, major strategic initiatives, acquisitions or divestitures, major investments, entry into new markets, etc. Through careful consideration and timely due diligence, directors must satisfy themselves that management’s recommendations regarding these matters are appropriate to the enterprise before approving them. Therefore, such matters may prompt the Board to ask questions regarding the associated rewards and risks and even request further analysis before approving management’s recommended actions.
Key point: The matters requiring Board approval are often specified in the corporate bylaws and various charters of the Board and its respective committees. That said, changes in the business may necessitate that the Board and executive management remain on the same page as to what requires Board approval. It is important that the Board approve major strategic and policy issues on a before-the-fact basis.
Business management risks. These are the risks associated with normal, ongoing day-to-day business operations. Every business has myriad operational, financial and compliance risks embedded within its day-to-day operations. Because the Board simply does not have sufficient time to consider every risk individually, it should identify specific categories of business risks that pose threats warranting attention and determine whether to oversee each category at the Board level or delegate oversight responsibility to an appropriate committee.
For example, the audit committee traditionally oversees financial reporting risks. Other business risks might include: operational risks associated with internal processes, IT, intellectual property, customer service, obsolescence, manufacturing and the environment, financial risks such as excessive leveraging of the balance sheet, compliance risks such as non-compliance with a new complex law and reputational risks such as those that threaten the company’s brand image. With respect to all of these risks, it is management’s responsibility to address them. If any of them are critical enterprise risks, they warrant the Board’s full attention (as noted earlier).
Key point: The Board’s committees may oversee many of these risks in accordance with their chartered activities. Typically, periodic reporting coupled with escalation of unusual developments requiring Board attention will suffice.
Emerging risks. These are the external risks outside the scope of the first four categories. While management is responsible for addressing these risks, directors may need to understand them. The effects on the business of demographic shifts, climate change, catastrophic events and new cybersecurity threats are examples.
Key point: The Board needs to satisfy itself that management has processes in place to identify and communicate emerging risks on a timely basis. Such processes enable management and the Board to be proactive.
The above risk categories provide a useful context for Boards and executive management to ensure the scope of the risk oversight process is sufficiently comprehensive and focused.
 Source: Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward, National Association of Corporate Directors, October 2009, Appendix A, pages 22-23.