The National Association of Corporate Directors (NACD), an independent non-profit organization, is composed of board members across the world and is dedicated to improving corporate board performance. In 2009, NACD created a Blue Ribbon Commission to consider the board’s role in risk oversight. In October, this Commission issued its Blue Ribbon Commission Report to inform the corporate world of best practices related to risk oversight in the boardroom. The report on risk governance includes board objectives, guidance for aligning strategy and risk, a description of the board’s role regarding risk oversight, and finishes with “Ten Principles of Effective Risk Oversight” to aid boards in their daily responsibilities.
Recent economic times have led to a significant decline in the time directors have to respond to changing risks while the level of expectations of shareholders and regulators for board risk oversight are increasing rapidly. Fulfilling these expectations for robust risk oversight are especially challenging for boards given the speed of change in how risks and opportunities arise.
The board is responsible for the overall risk governance process. Unfortunately, it is often easy to get caught up in the small details while missing the big picture of risk in a company. The Report emphasizes that it is clear that boards need to guard against this by taking a broader view of risk in the context of strategic decision.
Risk is inevitable in any business; therefore, the report emphasizes that directors must learn how to shift attention away from little details and focus on the larger picture of risk relating to the company’s overall strategy. The NACD outlines several responsibilities that directors have to ensure that this strategic alignment with risk is taking place. In addition to risk oversight, directors are responsible for determining the risk appetite, linking risks to expected rewards, ensuring that management has implemented a process for monitoring and mitigating risks and has formed a management system that addresses major risks, maintaining a risk-aware culture, and recognizing that risk management is essential to the achievement of management goals.
The Reports describes that a first step in fulfilling these responsibilities is to consult with management to agree on the appropriate level of risk that is acceptable given the company’s strategy—the risk appetite. Directors must be familiar with shareholder expectations, management skills, and strategic alternatives in order to make this decision. It is also important for directors to understand the underlying structure that is necessary to support the acceptable risk appetite. The more risk, the stronger controls around risk management that should be present. Risk appetite is a “fundamental strategic decision”, meaning directors should be presented with strategic decisions made by management before reaching a decision about the risk appetite. Providing alternatives in the boardroom will give board members more input in the decision making process and allow for more influence on management’s choices. The assessment of the company’s risk appetite should be an ongoing process, considering that risks facing the company are constantly changing.
The directors have a huge responsibility regarding risk governance and oversight; therefore, it is understandable that they would delegate certain risk areas to other committees. The problem with this delegation is that certain risks might not be considered in aggregate or in relation to other known risks facing the company. It is essential for the full board to be responsible for making sure that the company is within its risk appetite so that interrelated risks will not be overlooked between committees. Although the full board should remain responsible, it is helpful to assign more focused risk-topics to committees while still requiring review by the board in its entirety.
The Report suggests three critical areas that boards should communicate with each committee:
- Aggregation and integration, and
- Underlying assumptions and strategic direction.
Tolerances involves the role of management and the board collectively deciding the appropriate level of acceptable risk, the degree of variance from this level that will be tolerated, and plans to revert to acceptable levels of risks when and if these variances are exceeded. Directors should confirm with management the point at which certain operations become unacceptably risky and how management will respond if an unacceptable risk level is reached. The planned response should include discussions about how the risk is being mitigated, monitored, and managed.
Aggregation and integration addresses the issue previously mentioned—risks that are interrelated may go undetected if approached individually. Directors should “develop a process to understand” the potential impact of smaller risks in aggregate. Certain risks may be acceptable within themselves; however, when added to other risks, they could prove crippling to the company as a whole. Directors must consider all risks in aggregate when developing a risk appetite and tolerance for the company.
The underlying assumptions and strategic directions are essential to directors’ roles. Directors should challenge management’s assumptions and request further details or information as needed. Instead of taking management’s word that risk is being appropriately managed, directors should request supporting evidence for management’s assertions about risk. The NACD offers a list of questions that directors might inquire of management in Appendix B of this report.
The Report lays out “Ten Principles of Effective Risk Oversight” that consist of ten best practices to guide directors in their risk responsibilities. The ten principles are described briefly as follows:
- Understand the company’s key drivers of success.
- Assess the risk in the company’s strategy.
- Define the role of the full board and its standing committees with regard to risk oversight.
- Consider whether the company’s risk management system—including people and processes—is appropriate and has sufficient resources.
- Work with management to understand and agree on the types (and format) of risk information the board requires.
- Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions.
- Closely monitor the potential risks in the company’s culture and its incentive structure.
- Monitor critical alignments—of strategy, risk, controls, compliance, incentives, and people.
- Consider emerging and interrelated risks.
- Periodically assess the board’s risk oversight processes: Do they enable the board to achieve its risk oversight objectives?
In conclusion, the Blue Ribbon Commission Report provides detailed guidance and best practices for directors and emphasizes their responsibility to take control of risk governance to ensure that the shareholders are their top priority. Understanding all major risks facing a company is essential to the planning of strategies and objectives that provide overall success for the company.
Click link below to purchase the full report.
Subscribe to ERM Insights
The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.