with contributing author Joy Taylor
Historically, corporate Boards of Directors have held the responsibility of risk management oversight, ensuring that risk management processes are clearly defined and appropriately enacted. Their role in managing risk has been to provide guidance and leadership on matters that impact the strategic direction of a company or its public image. In this traditional view, C-level management is left with the responsibility of actual risk assessment and mitigation, including issue resolution. But in today’s fast-paced and social-media driven world, the speed at which a risk can turn into a widely publicized issue means Board members must now provide both tactical and strategic supervision over risk management as part of their membership.
In the wake of recent financial crises, increased awareness and interest from a broader array of company stakeholders now exists. High-profile and highly reported product quality problems continue to impact multiple industries and both regulators and Boards have been forced to re-evaluate the structure and the role of their risk governance efforts. Whether required by law or not, many corporate Boards, especially (but not solely) those in the financial industry, have taken a more active role in managing corporate risks. Regardless of regulation or stakeholder demands, an active risk management initiative at the Board level makes good business sense because each risk, whether strategic, operational, political, reputational or other, presents companies with an opportunity to build competitive advantage. The proliferation of risks in the current environment has intensified and forced companies to focus on impacts that must be avoided and opportunities that should be seized. From our point of view, the Board of today should play a direct role in the new risk environment paradigm by creating an active Board-level risk management program. Such an approach will allow organizations to transition from a position defending against risk to a more proactive approach that leverages risks as new opportunities and perhaps even advances organizations to more “blue ocean” possibilities.
So what is an active risk management program? It starts with the establishment of a Board-level risk committee. This committee transitions Boards from distributed, silo-based accountability to a closer, more unified and holistic accountability model. The committee should be responsible for clearly delineating the Board’s role in oversight of management level risk programs, separating them from Board-level risk management. It requires the establishment of the company’s risk profile, defining the overall approach and putting the appropriate controls in place to ensure all parties fulfill their risk-related responsibilities. The committee would aim to raise the level of awareness by identifying potential risks and educating the Board on risk governance and best practices and procedures. Lastly, the Board-level risk committee should ensure the various oversight committees, including compliance, audit and strategic planning and share a common view of the desired risk profile and key risks facing the enterprise. Such an approach allows for a stronger and more collaborative environment.
But remember, active risk management at the Board level does not mean resolving issues. Issues are what happen when risk management is not working. And large-scale, newsworthy issues are what occur when the risk oversight process is not functioning correctly.
Active risk management also does not mean eliminating all risk to the enterprise. That would be costly, if not outright impossible. Risk must exist if a company wishes to be innovative and competitive in the marketplace. In a steady-state environment, however, active risk management can be approached in a logical order:
- Clarify risk tolerance and profile – Organizations must figure out their own risk tolerance; this means identifying what matters most to the growth of the company, what the acceptable trade-offs are between risk and reward and what environmental circumstances are worth monitoring and managing. Clarifying an organization’s risk tolerance and establishing a risk profile is as important as having a branding strategy. This discussion should take more than a casual conversation to finalize and once determined, but rather become a major agenda item at each Board meeting going forward.
- Scan the internal and external environments for new threats and opportunities – Intentional and regular environmental scans will minimize costly reactions and “firefighting.” If Board members find themselves spending hours responding to an unplanned and unexpected event, then clearly strategic revenue-generating topics are being neglected. The best approach requires continuous review of internal and external factors that may impact a company in areas including people, process, technology, environment, competitors, industry trends, regulatory and economics.
- Monitor previously identified risks and opportunities – Board members should be cautiously aware of the past, as history informs the future. And a wise Board member will use the failures of others as a guidepost for issues and concerns they wish to avoid. It is important for Board members to continuously monitor not only the most obvious risks and issues in their own backyard, but also those in the competitive surroundings so they can discuss the possibility of responding to such risks.
- Decide when to act – It’s a fine balance between knowing when to act and when to let nature take its course. Managing risk in the public eye provides an opportunity for companies to show off the content of their character. Planning will make all the difference in the world as the best planning includes preset criteria upon which to make decision cues and triggers. When decisions to act are made, it is always wise to communicate those decisions clearly, concisely and with the end in mind.
Take action. When it comes to putting a risk mitigation plan in place, the sooner the better. The mitigation plan should balance the cost of actions against the cost of the potential problem – both financially and to the company’s reputation. Action should be coordinated tightly with communications to internal and external stakeholders, leaving nothing to the imagination. And communications should be open and honest, within the bounds of confidentiality. Keeping an organization profitable and on the cutting edge of innovation requires taking risks. The Board is not responsible for eliminating all risk; it is simply responsible for ensuring that the risks are appropriate.
Active risk management is forward-looking and visionary. It takes knowledge of the past and connections to disparate experiences and ideas and projects into the future to create novel scenarios and solutions. Tasking your Board of Directors with such roles and responsibilities is a crucial way to ensure the long-term prosperity of your company.