Director's Guide to Corporate Risk Management: Implementing a Comprehensive Strategy

Barry Reiter


The spectacular corporate failures of the past five years have increased directors’ interest in corporate risk management. Directors understand that risk management is mission critical, and that failing to manage risk effectively can result in legal and regulatory sanctions, shareholder litigation and precipitous plunges in shareholder value. Directors also recognize the need to commit considerable time to their duties as directors, and appreciate that they risk substantial embarrassment if accused of not adequately performing their tasks.

Directors can reduce the risk of failure only if they understand the comprehensive nature of a risk management strategy and take deliberate steps to implement the strategy. Effective risk management should provide confidence that the board has

  • identified risks in the business itself;
  • identified risks in management;
  • identified areas with which the board is not sufficiently familiar;
  • identified appropriate self-protection strategies; and
  • ensured that suitable actions are being taken so that risk is at levels purposefully chosen by the board and management as being appropriate.

Risks to be Managed

Risks in the Business

To manage risks in the business, directors must understand the company’s business, including both the industry generally and their company’s place in it. They must understand the company’s long-term strategy and appreciate which parts of the business are the most important to that strategy. Directors should have suitable metrics to assess progress of the business. These metrics include both financial data (stock price, return on equity, revenues, EBITDA, accounting earnings, gross or net margins, particular line items in the income statement, etc.) and operational data (market share, products, customer visits made or received, etc.).

Directors must also be alert to changes in the business environment, including macroeconomic factors, shifts in markets, changes in the composition or nature of the competition and new directions in the regulatory environment.

While the need to understand, assess and monitor business risks may be obvious, the increased emphasis on the independence of directors means that boards now include more directors who are unfamiliar with the industry and the particular company. To understand the business risks, these directors may therefore need education from both management and fellow directors who are knowledgeable about the industry.

Risks in Management

The difference between great product ideas and successful businesses is (usually) effective management. Boards must pay attention to:

  1. ensuring that the company has the right people in the right jobs. These people must be competent, have integrity and be able to work together as a team. The board must pay particular attention to the CEO, who is the key link between board involvement and corporate performance;
  2. appreciating the nature of competitive threats to the current management group;
  3. monitoring succession issues arising from the natural progression of a founder-led business to a professionally managed enterprise, or issues arising from time-based succession or even from product or market evolution; and
  4. understanding the formal risk management processes that may be available to a particular company, which could range from general management processes to the engagement of a chief risk officer to the development of processes that are strong and effective enough to achieve a clean audit opinion in a Sarbanes-Oxley 404 audit (the external auditor appraisal of internal control processes).

Risks in Board Processes

A board committed to managing risk effectively must have confidence in its own processes. Is the board focused on the right issues? Is it spending the time needed to identify and determine acceptable levels of, and to monitor, risk exposures? Does the board have suitable information and administrative support available at the right times? Does it have adequate management support for an effective risk management strategy (particularly management candour in disclosing matters relevant to corporate risk)? Finally, is the board confident that its assessments of risk and its views on the way in which risks are managed reflect realities outside the boardroom?

Risks in Self-preservation

Despite their best intentions, boards have limitations on their involvement in and influence on corporate behaviours. A board and management committed to appropriate risk management must each understand their respective places and functions in the overall corporate risk program. Directors need advice and support beyond that available from management. This may include legal advice (including advice provided independently of in-house counsel or the company’s usual outside counsel), human resource advice, and audit and forensic audit backup, both to assist the direction of board inquiries and to provide substantive information to facilitate those inquiries.

And on a more personal basis, directors must assess the risks that attach to themselves. At one level, these risks require evaluating whether an individual should continue to function as a director. If the board cannot operate in a collegial fashion, or if one director is always at odds with the others on corporate risk or integrity points, that director may have little choice but to resign (whether in a noisy withdrawal or otherwise). Directors must also focus on directors’ and officers’ insurance coverage that may provide not only the substantive funds required to meet liabilities (a still fairly uncommon eventuality), but also the funds required to defend legal and regulatory proceedings (which are becoming a fact of a director’s life).

Ensuring Effective Risk Management

No board, much less any individual director, can implement a "quick fix" risk management program. An effective program emerges only from conscious and ongoing efforts to develop it. These efforts begin far back in the board-building process, and continue in the specifics of managing particular risks.

Board Composition

At the most basic level, a "good board" is required. It must be composed of directors who have the right skill-sets for the job. The board is a team that partners with management to drive forward the overall agenda of the business. Board members must be able to function well together and, as a whole, together with management. Among them, they should have the particular skill-sets that may be relevant at different points in a company’s life cycle. Required skills can include ones that may be mandated (such as financial acumen or expertise, now required for certain audit committee members), industry expertise, skills in human resources, legal affairs, marketing, sales, public or investor relations, or business generally. Directors with "the right" skills must work together to produce an effective board with adequate breadth to perceive and attend to the needs of the company.

Interviews with boards and management have often revealed "common sense" as an important characteristic of a good board member. A director with common sense may not have the expertise or experience that is precisely relevant to a particular problem faced by the corporation at a given moment, but that director would be able to recognize and deal with issues generally. Related characteristics include integrity and the courage to challenge management (and fellow directors, if necessary) when common sense or particular knowledge suggests that a course of action is worthy of (further) scrutiny.

Immediately after the recent big corporate scandals (Enron, WorldCom and the like), the focus of corporate governance was on the independence of board members, with the sense that independent directors would have the qualities noted above, while directors who were in some way related to a company (beyond the nexus of receiving reasonable directors’ fees) would not. More recently, the pendulum has swung back somewhat, to the recognition that each characteristic (independence, expertise and commitment to the company, including commitment that may derive from other relationships with the company) presents both benefits and concerns. The debate is now, happily, being framed more in terms of integrity and commitment to the process of being a good director than purely in terms of apparent independence.

Management Support

As noted above, an effective risk management process requires the support of management. Even the most committed and involved board functions at a huge information disadvantage to management, which is involved on a day-to-day basis with the business and which usually has far more support for its efforts than the directors have to pursue their agenda. Management that is not candid or that does not provide information in a timely and useful fashion will prevent a board from doing what it should in risk management. A board faced with management that is not supportive should not abandon its effort to develop suitable risk management strategies, but rather should consider the suitability of existing management.

Involvement in Plans and Budgets

The company must have strategic plans. These plans can be expressed in elaborate and extensive documents or merely in understandings shared by management and the board about intended directions. In the absence of agreement on strategic plans and directions, a board is unable to make a suitable assessment of the level of risk acceptable for the return sought.

At a more tactical level, the board must have in place an adequate budget and budget-monitoring process. The budget process moves the effort from the level of the strategic plan to the level where particular decisions are taken and risk incurred. An effective budget process provides an excellent window on the risks involved in the (typically) annual planning cycle and the risks actually incurred during the course of that cycle (as the plan is monitored throughout the budget period). This monitoring, of course, requires suitable reports and measurement techniques that can be agreed upon as part of the strategic and budget planning processes and that can be refined as experience demonstrates which reports and which forms of measurement are the most helpful in understanding risk as the business evolves.

Productive Meetings

While directors contribute to management and work with each other continuously outside of meeting settings, board members do conduct much of their business in meetings. The nature of these meetings will influence the ability of a board to focus on and manage risk. Effective meetings must be planned well in advance. They should have an agreed agenda that allows sufficient time for discussion of priority items. If a meeting is to be more than a monologue or data dump by one or more executives, and is to achieve a meaningful board contribution, the directors should receive material that is useful (neither too little nor too much, neither too detailed nor too general) and delivered in time to allow the directors to peruse and assimilate the information and be prepared for discussion. Expertise in chairing meetings is essential to ensuring that important topics are covered and that all parties who should contribute to discussion on a topic can do so.

It is also enormously helpful to include the topic "risks in the business" as a template item to be dealt with at every board meeting. Boards that do this find that they spend more and more time on this topic and less and less time on more formal agenda items that used to dominate board meetings—to the frustration of both directors and management. Dealing with risk this way on an ongoing basis promotes, and indeed requires, a deep understanding of the business and an appreciation for the evolution of the business and risks in it, as certain risks become more or less dominant or move onto or off the list from meeting to meeting. This topic can be accommodated under an item such as the "CEO’s Watch List" or "What is keeping the CEO awake at night"; but whatever the name, a direct and intentional focus on this topic will ensure that the board’s attention is drawn to what management and the board have determined over time to be the most meaningful elements of risk in the business.

Access to Management

Boards that wish to manage risk effectively require access to executives other than the CEO. The older model of board/management relations, which suggested that any interaction other than with the CEO was somehow an expression of a lack of confidence in the CEO, has become as unusual as it has been disgraced. Boards that wish to understand the business and its risks cannot rely on a single source of information, particularly if the CEO, who has many other priorities, is to be that source. Access to other managers provides a variety of points of view on important issues, and allows directors and managers to bond naturally with members of management (particularly those with whom they share particular common interests). Broad access to management can be facilitated by a company committed to it. Key executives can be invited to board meetings when topics in their area are discussed. Managers can be part of director-orientation programs. Executives can be invited to participate in other directors’ settings to ensure that the board and management are familiar enough with each other to be comfortable discussing difficult risk-related topics.

Board Trust and Cohesion

The point about bonding applies within the board as well. Directors must know and be comfortable with each other in order for particular directors to take the lead on certain issues, and for the board as a whole to take on management, when necessary. A sufficient number of board meetings should take place in person. The availability of cheap communication and the complexities and cost of travel often militate toward electronic meetings, but there can be no substitute for direct interpersonal contact between directors attending meetings. These meetings can be supplemented with social events that encourage personal interaction on several levels. Strategy retreats, where directors are together for a full day or several days, enable them to learn much about each other. Many boards take the opportunity provided by directors’ travel arrangements to hold dinners the night before a planned directors’ meeting or during the course of a multi-day directors’ conference. While these sessions can be wholly informal, they work best when they are structured, at least in part, to involve discussion around a particular topic.

These sessions may also provide the opportunity for an executive to lead a discussion on a topic that will serve as director education, or for an outside expert (industry expert, visionary, functional expert, etc.) to provide background information that will enhance the directors’ understanding of the company’s place in the business world. It is also a best practice, and in some cases a requirement, that directors meet in "executive session" that excludes management directors and management representatives who may otherwise attend meetings (typically the CEO, CFO and corporate secretary). At these sessions, the remaining directors can identify and discuss topics of interest to them, and develop and pursue their own agendas (in risk and in other areas).

Risk Management Techniques

I have left, to the end of this section, particular risk management techniques. This is hardly to minimize them, as they are, in many cases, where the rubber hits the road in avoiding Enron-type crashes. Suitable internal processes and controls, authority limitations and effective internal auditing are hugely important. For instance, a board, and audit committee, could devise initial financial risk management measures that could be assessed from time to time. These could include: establishing a well-chosen audit committee (in terms of skill-sets, independence and commitment to do the job) with a clear and appropriate mandate; engagement of external auditors (including establishing their terms and scope of engagement); participating in periodic independent reviews with the auditors; developing confidence in the CFO (and in a back-up succession plan); understanding and being involved in the choices of all significant accounting policies; considering and, where suitable, being involved in hedging, treasury and taxation strategies; participating in strategic planning and budget processes; developing suitable reporting mechanisms so that problems are known on a timely basis; creating an internal accounting function (reporting to the board); creating a chief risk officer function (with at least some direct accountability and reporting to the board); developing and maintaining an effective corporate secretary function; developing and sustaining relationships with financial officers other than the CFO; creating and operating suitable whistleblower and up-the-ladder reporting mechanisms; and developing, monitoring and continuously updating relevant policies (disclosure, contact with the media, insider trading, ethics and business practices and the like). This list may not be comprehensive enough for some companies, but too comprehensive for others, at any point in their life cycle. The appropriate elements will emerge from a focus on effective board composition and on the general governance issues described earlier: they will not represent effective risk management and cannot be implemented on their own.

When to Be Worried

Directors who develop their boards and processes carefully can usually be in "vigilant but relaxed" mode. They must pay attention to information that is both provided and omitted, and must continue to hold management and themselves accountable for tasks that have been allocated to each. There is, however, no need to be in a more aggressive, or the ultimate crisis-management, mode.

But as the various corporate crashes have demonstrated, things can change dramatically. A board that is managing risk effectively will recognize warning signs and move quickly from one mode to another. In the case of the big corporate disasters, everyone eventually realized that there were huge problems, but that realization came too late or, when it did, the board did not move aggressively enough.

The following warning signs should cause directors to worry and should lead, ultimately, to crisis management and board leadership positions.

  • The board feels any lack of confidence in the CEO. Hiring, monitoring and ultimately replacing the CEO are key board functions. In the experience of many seasoned directors, the greatest failure of boards is to act expeditiously on evidence of CEO failing that is before them. Whether arising from deference to the CEO’s business knowledge or simply from a desire to avoid conflict, boards often wait too long to do what, in retrospect, was obviously the right thing to do.
  • Corporate governance processes that the board/management have established are not followed or do not work to produce desired results. For instance, the board has requested reporting in a particular format, and management has committed to provide this reporting, but fails to do so. Similarly, the board should become more vigilant if a particular form of report is designed to solve a problem, but the problem continues.
  • Corporate affairs are not being managed in a timely manner. A lack of timeliness may manifest itself in meetings being scheduled at the last minute, in information being delivered late (in extreme cases, at meetings), in regulatory filings being undertaken frenetically and at the last minute, or in any other evidence that suggests that suitable procedures are not in place to meet timelines that should be known well in advance.
  • Directors who take the time to try somehow do not understand the company’s strategy or business. If the directors were chosen well in the first instance, the cause is likely to involve obfuscation by management (purposefully or otherwise), and the problem must be remedied.
  • The focus of the business shifts regularly. In extreme cases, each board meeting is presented with an important new priority. This lack of focus and discipline should be cause for investigating the possible resulting risks.
  • Meetings are hijacked by current events. While important developments may require a shift of focus at a meeting, the inability on a regular basis to produce and stick to an agenda should cause concern.
  • The company produces surprises, particularly when it does so on a regular basis. A good illustration would be a company that seems to have a problem with its financial reporting each quarter. Each case can be explained at the time, but the fact that there is some difficulty, some new surprise that requires explanation at the end of each quarter, should cause concern.
  • There is intimation that management is being evasive. Management may respond to precise questions with precise answers, and yet not be telling the truth or may be omitting information required to clarify the whole truth. Similarly, the board should be very seriously concerned if issues are raised by management only when very specific questions are posed.
  • Management is reclusive. The days when the CEO was the sole window to management information are over, and CEOs or other executives that support that model should be feared. Access to management should be a matter of routine, not available only when a significant issue arises.
  • A director feels a sense of discomfort. This includes discomfort with the handling of a particular matter, discomfort with any aspect of the corporate culture or discomfort with the candour of any employee (on the theory that what is observed among employees often reflects the leadership culture). This is a highly general point, but it derives from the frequent observation that the best directors are generalists with good common sense. Common sense here means the ability to sense that something is going on that merits investigation. The sense being general, the sources from which discomfort can be generated are equally diverse.
  • There is a high employee turnover rate (usually most noticeable in the executive ranks, but it can be apparent anywhere in the organization). Exit interview information can provide important data on concerns in the executive or workforce ranks, which may translate into sources of director concern.
  • There is express recognition of internal control issues. Boards should maintain a constant focus on internal controls and other risk management measures. Quite apart from the need (of many public companies) to have Sarbanes-Oxley 404 audits undertaken by independent accountants, the board must itself pay attention to the suitability and strength of risk management processes. Any weakness that is identified, particularly where management neither acknowledges nor intends to deal with it in a timely fashion, should cause concern.
  • Directors are told to be worried. Directors often receive express warnings that they should be vigilant. It would be a most extreme case in which all involved members in management, all advisers and all directors in a position to know conspire together to hide an important risk. Even within what have turned out to be criminal organizations, there were and are persons of integrity who have sought, and will in the future continue to seek, to bring issues to the attention of those in a position to address them. This sense of responsibility has been enhanced by express whistleblower provisions that encourage and protect up-the-ladder reporting of issues, and by professional regulations that have imposed more stringent responsibilities on (now more independent) professional advisers. Accordingly, it is not uncommon for boards to receive express warnings of concern from executives or other employees, from accountants or lawyers, or simply from "the street": industry-knowledgeable people, who are often aware of issues. The bonding that may occur through more frequent interaction between management and the board increases the likelihood of a particular member of management speaking with a director with whom he or she feels particularly comfortable. In addition, other directors are an important source of warnings. One director with particular expertise may feel discomfort in his or her area, but not appreciate or trust the sense of discomfort. Any sense of discomfort that is reported is a warning sign that should not be ignored.
  • The board and management are all trying hard, but are frustrated with each other. The board never seems to get the information it needs or to deal with the topics it finds important; or management gets little contribution from a board it works hard to equip. The directors should look at their processes to determine why this is so. This small problem can turn into a large one, as one side or the other chooses to declare the board process a waste of time and begins to act accordingly.

Board Assessment and Risk Management

Best practices and regulation are leading to requirements that boards conduct periodic evaluations of their processes and themselves. There are many different views on what might be the most effective form of evaluation for a particular company (a separate topic quite beyond the scope of this paper). However, it is important to recognize that this feedback loop is a critical element of the risk management process. It is all too easy for the assessment process to focus on form and to generate little of value in improving board processes in the risk area. Questions about the number of meetings held, attendance records of directors, apparent preparedness of directors, and the like, are only incidentally helpful to this effort.

A well-designed board and director-evaluation program will recognize the importance of risk management and will attempt to contribute directly to the evolution of better processes. Whether the process is carried out through a formal survey by an independent outside party or through interviews undertaken by a chair or lead director, the evaluation process can look specifically at the way in which the board and particular directors function in the risk management area. Questions can be designed to elicit views about whether enough meeting time is spent assessing risk, whether suitable materials are made available, whether management is duly supportive of this effort, whether the board comprises the right directors, whether particular directors are bringing their distinctive expertise to the issue in meaningful ways, whether the board is suitably involved in strategic discussions, the nature of reports and metrics that are sought and provided, whether contact with management beyond the CEO is adequate, the extent to which board team-building takes place, and similar issues derived directly from the desirable characteristics identified above.

Of course, it is one thing for these evaluations to be undertaken, but quite another, and far more important, that action be taken when deficiencies are identified. One case of a board evaluation process stands out as an example of the positive results that can flow from a suitable evaluation process duly followed up by action. This board comprised highly capable directors of great integrity, and with skill-sets ranging from deep industry knowledge through a complement of ancillary but relevant distinctive expertise. The board was collegial and all members declared it to be one of their favourites. However, the evaluation process identified recurrent themes expressed by both management and the directors relating to inadequate focus on strategy, insufficient time spent on key elements of risk in the business (and too much spent on routine compliance requirements) and poorly planned meetings with inadequate materials delivered too late. Everyone wanted to do better. The management and board identified and implemented the necessary improvements, which included better meeting scheduling, planning and leadership; better meeting materials; the use of a "consent agenda" for routine functions; a "risks in the business" item on every meeting agenda; an annual board strategy retreat; and greater leadership from the corporate secretary role. The management and board are now much more happily focused on the things that always mattered the most to them all.

Conclusion

There is widespread agreement on the importance of effective risk management by the board of directors. Unfortunately, some who seek to improve performance in this area think that there is a "silver bullet", that the risk management function can be improved by the introduction of particular board formalities. In reality, a board can be effective at risk management only if the members understand the board task, if it comprises appropriate directors who seek to work together with the support of management in fulfilling the board’s role generally, and if board members constantly focus on improving board processes. The board must be alert to warning signs and move quickly into concerned mode when it notices any of them. The process of board improvement in risk management, as in all other areas, is a never-ending one that benefits from effective director and board assessment followed by determined action.

Footnotes

1. The author thanks Tony Griffiths, who has drilled the author frequently on this point. Published in Corporate Financing, vol. 11, no. 2, 2004.