To improve communications between the board of directors and management about risk oversight, the Advisory Council of the National Association of Corporate Directors (NACD) met in Washington D.C. in February 2014 to discuss best practices for overseeing risks. The council is made up of risk and audit committee chairs from Fortune 500 companies along with regulators and other stakeholders. This article summarizes key takeaways from the meeting:
- Understand the board’s oversight function
- Board members should first understand the company’s risk management culture and process
- The role of the board during a crisis
Understand the Board’s oversight function
One of the issues discussed during the conference was whether the whole board should be responsible for risk oversight or just a committee, such as the audit committee or a risk committee. The general consensus was that it depends on where the organization is along the enterprise risk management (ERM) maturity curve. For instance, if your company is in the beginning stages of developing an ERM process, then perhaps the audit committee may be best suited to assume the oversight role. But after key terms have been defined and strategic risks to the company have been identified, the whole board should assume the oversight function.
Another issue discussed was the tendency for directors to cross over from risk oversight to risk management without knowing it. With expectations growing for board engagement in risk oversight, sometimes those expectations push boards into managing the risks, rather than overseeing what management is doing to address risks. This can be a slippery slope given that most board members have neither the time nor the know-how to manage certain risks. To avoid this tendency, board members should concentrate on the company’s risk appetite and management’s process for identifying and managing strategic risks. It’s management’s job to manage risks and the directors’ job to oversee the process. Board members should be comfortable with management’s process.
When boards of directors discuss risk management, they sometimes focus on non-strategic risks like operational, regulatory or financial reporting risks. Boards should stay in the strategic atmosphere. In order to avoid flying between the trees, directors should conduct an annual meeting that focuses solely on strategic initiatives and challenge management’s current and future assumptions that provide the foundation for those strategies.
Risk Management Culture and Process
One of the first steps to improving risk communications between the board and management is to develop key terms and definitions for those terms. This will naturally lead to the company’s risk appetite statement. These definitions should include both quantitative and qualitative risks. For instance, the quantitative aspects could be the length of downtime or the number of customers that will likely be lost. For qualitative aspects, the company can establish “absolute zeros” for safety and compliance.
Managers outside of the designated risk management department have the tendency to loosen risk management priorities at their level because they may think that the risk management department is ultimately responsible for all risks. The Chief Risk Officer (CRO) is there to foster the risk management process throughout the entire organization; however, it needs to be clear that management of key business functions owns the risks related to their areas of responsibility. And it is the duty of all executives and managers to foster risk discussions throughout the organization.
The board of directors should not rely on management’s word alone. If management uses absolute terminology like “never,” “only,” or “always,” the board should seriously challenge management’s assumptions and conclusions.
What role does the board play in crisis management? Ultimately, it is to oversee management’s plan. However, a director, depending on the crisis, may have to communicate with regulators, investors or even the media. The method of communication during a crisis should be identified beforehand, and the director who communicates should be knowledgeable about the area that is impacted by the crisis. For instance, if the crisis is a result of a data breach, the director with the most IT experience should be the one to communicate the issue to regulators and the media.
Crisis simulations were also discussed at the conference. Many companies are doing tabletop exercises in order to identify gaps and weaknesses in their plans. They are also hiring outside consultants to test their plans. However, it seems that crisis plans aren’t being executed in the event of a real crisis.
The Advisory Council of the NACD held a conference with audit and risk committee directors to discuss ways to foster better communication between the board and management, and discussed the importance of understanding the role of the board in risk oversight and crisis management. It’s important for directors and managers to understand the board’s oversight function because separation of responsibilities will improve dialogue during risk discussions.