Expectations for More Effective Board Risk Oversight

The financial crisis revealed a number of instances where the risks being taken by management were excessive, which resulted in regulators and key stakeholders asking “where was the board of directors in their oversight of this risk taking?”  A number of boards have been criticized for failing to adequately reign in management in their risk taking efforts and  that scrutiny is putting pressure on boards  to enhance their risk oversight processes.  A Deloitte thought paper offers six recommendations that boards can take in order to create a more Risk Intelligent governance.  These recommendations are:

  1. Determine board’s risk oversight responsibility
  2. Enhance Risk Intelligence throughout the organization
  3. Determine risk appetite
  4. Align management’s strategic risk identification and mitigation with strategy
  5. Evaluate the entity’s risk governance “maturity”
  6. Communicate risk process and issues to stakeholders

Recommendation #1:  Determine Board Risk Oversight Responsibility

Ultimately, it’s management who is responsible for risk management and the board is responsible for overseeing management’s process of identifying, monitoring and mitigating risks.  If there is no established risk management framework, the board should charge management to develop a framework that includes the board’s oversight duties. Boards can break down their responsibilities by establishing certain directors with experience or knowledge in a particular area to oversee a certain risk management process.  For instance, the Public Policy Committee of ConocoPhillips is responsible for overseeing risks related to health, safety and environmental issues.  However, these committees are still responsible for seeing the big picture and should come together on a periodic basis to discuss the risks they are overseeing as well as risks the company is seeing as a whole.

The thought paper offers recommendations for boards to develop and define their oversight responsibilities.  Boards should work with management to assign risk oversight responsibilities to individual committees; committees should collaborate on risk-related happenings, and have management brief the entire board on strategic risks facing the company.

Recommendation #2:  Enhance Risk Intelligence

Risk intelligence is how the company, at all levels, perceives risk management and conducts itself with regards to risk.  The board should promote risk transparency at all levels of the organizations so that day-to-day decision-makers are aware of the strategic goals and how their decisions could impact those goals.  Management should communicate and exude a risk intelligent culture for all employees to follow.  To do this, management should:

  • Clearly communicate responsibilities and hold responsible parties accountable
  • Develop a process for lower level employees to communicate emerging risks
  • Encourage employees to challenge new initiatives that could negatively impact the greater company

To promote an effective risk culture, boards can create a tone that allows employees to voice their concerns without fear of loosing their jobs.  They can also help to develop a process to measure risk intelligence that management continually monitors and they should support management with resources, training and data from the company.

Recommendation #3:  Determine Risk Appetite

Risk appetite is the amount of risk a company is willing to take.  This can be defined in quantitative or qualitative ways.  Management should be the one to develop the risk appetite for the organization and the board should understand management’s assumptions and approve or disapprove the company’s overall level of risk appetite.  Once an appetite has been defined, the board should help management monitor emerging risks and opportunities, and evaluate whether the risk appetite should be changed.  The board should also evaluate management’s previous decisions to see whether the risk appetite was bypassed.  And finally, the board should align management’s incentives with the company’s risk appetite.  This will prevent management from taking on too much risk.

Recommendation #4:  Align Risk Management With Strategy

The board is also responsible for helping management develop a strategy that is aligned to the company’s mission.  When the company is developing its strategy, the board should at the same time discuss the risks to the strategy and the risks of the strategy.  This will help the entity identify risks that could ultimately disrupt its ability to compete.  In order to do this, the board should challenge management on their assumptions by asking the right questions, establishing an open dialogue, and identifying alternatives.  

The board should consider whether to provide “active oversight” in these strategic settings.  That may include verifying that management has established key risk indicators and a process for monitoring these indicators, scanning the horizon for emerging risks, and fostering flexibility at the management level to avoid risks or seize opportunities.  

Recommendation #5:  Evaluate Risk Governance “Maturity”

One common measurement boards use to evaluate risk maturity is the amount of experience the company has with risk management.  Boards should dive deeper than this and consider more criteria, such as:

  • How often does management communicate to the board concerning risk management?
  • Are specific risks assigned to their board committees and processes?
  • Which committee is responsible for which risks?
  • During strategic planning, are risks identified and analyzed, are assumptions challenged, and are alternative options evaluated during scenario planning?  Is there scenario planning?
  • How does management monitor key risk indicators and is there agreement when action should be taken?

Depending on the level of risk governance sophistication the entity needs to effectively manage its portfolio of risks, the entity’s maturity may fall anywhere between one of the five phases of risk intelligence.

  1. Initial: ad hoc risk management, based on individual actions.
  2. Fragmented: risks are managed in isolated departments and are rarely aligned to strategy.  
  3. Top-down: Enterprise wide risk assessments and dedicated team to manage risks.  
  4. Integrated: Risk appetite defined, key indicators monitored, escalation procedures communicated.
  5. Risk Intelligent: Risk dialogue is a part of strategy development, linking performance measures and incentives, risk scenarios evaluated, early warning of risk indicators used. 

Recommendation #6:  Communicate Risk Process and Issues to Stakeholders

The SEC now requires public companies to disclose how the board oversees risk and how it works with management to address risks to the company.  These rules were established to provide greater transparency to investors and stakeholders.  However, the thought paper states that meeting this minimum requirement is not enough to make stakeholders comfortable with the company’s risk management process.  By explaining the company’s risk management process and oversight clearly to stakeholders, companies attract more long-term investors.  Over the past three years, Deloitte has seen an increase in the quality of risk disclosures.  Companies can improve their risk disclosures by explaining the processes in plain English, provide insight to the board’s oversight role and ensure risk disclosures are accurate, relevant and specific.  

Conclusion

The expectation that boards will oversee management’s risk taking and managing activities has increased since the financial crisis.  Therefore, boards should ensure that its oversight responsibilities are properly communicated to management and the board as a whole.  Boards should challenge management during strategy development by asking the right questions that can prove or disprove key assumptions and help identify risks to and risks of the strategy.  Also, boards should establish a “tone-at-the-top” that enhances risk intelligence and culture.  And finally, boards should ensure that risk management processes, oversight and actual risks to the company are communicated the stakeholders and investors.