Boards of Prevention

Corporate directors can – and should – play a much more active role in overseeing risk and avoiding major crises.

(originally published by Booz & Company)

In July 2007, as once-giddy financial markets began sensing that something might be horribly wrong, the top executive of the then-largest financial-services firm in the United States justified his bank’s “party hearty” attitude toward risk. “When the music stops, in terms of liquidity, things will be complicated,” Citigroup’s Chairman and CEO Charles Prince told the Financial Times. “But as long as the music is playing, you’ve got to get up and dance. We’re still dancing.”

This quote has become the emblematic aphorism of the economic crisis of 2008–09: a symbol of how some banking and financial-services executives justified their poor judgment and negligent (or even fraudulent) behavior. But it also reflects a more pernicious pathology — relevant to all the corporate crises we’ve seen recently in the oil, automobile, and financial-services industries, in which companies’ own missteps have been at least partially responsible for their woes. As one respected non-executive director of a rival top-tier U.S. money center bank noted in private conversation recently, “I still can’t believe Prince said that. If I had been one of his shareholders, I’d have been furious. Where was his board?”

Where was the board? Prince apparently believed that his boardroom overseers were comfortable with their bank dancing away on its shareholders’ behalf. And he had every reason to believe that, because his directors apparently never challenged the assumption.

This “Prince of the Citi” governance model is more a norm than an exception in business. For example, at most of the banks and financial-services companies that were severely affected by the downturn, their corporate boards had sat on the sidelines during the mid- to late 2000s, doing little or nothing demonstrably substantive to oversee or critique the risks that those companies took with financial instruments, leverage, and investments. Among bailed-out or failed companies in the U.S., from General Motors to Citigroup to AIG to Fannie Mae to Goldman Sachs, no boards or independent directors stand accused of illegally breaching their fiduciary charges. The same is true, at least so far, for BP, Toyota, and other companies whose operational missteps have led to massive litigation and losses. In all these cases, as far as the courts and regulators were concerned, the boards did their duty. They merely followed the law and the customs of the moment.

The passive board — which obeys the law but does not provide meaningful oversight — is a hindrance and handicap for any corporation. In accounting terms, its oversight is mere overhead. Even when boards are more active, their involvement tends to focus on pressuring CEOs for better financial performance; it’s not clear that they provide the needed function of overseeing risk and identifying questionable behavior. Conversely, the value of a well-managed board oversight role has never before been so apparent in facilitating a company’s own health and longevity.

If evidence is needed that boards aren’t playing enough of a risk management role, it can be found in an underappreciated analysis that was published just before the financial meltdown. “Shareholder Report on UBS’s Write-Downs” was an April 2008 report commissioned by the board of this top-tier Swiss bank to examine how it lost roughly US$40 billion in 2007. The assessments were damning; they charged senior UBS management with a “failure to demand holistic risk assessment,” a “failure to manage [its] agenda,” and a “lack of succession planning.” Additionally, the report excoriated the firm’s risk management controls and testing methodologies, asserting “complex and incomplete risk reporting,” “lack of substantive assessment,” “inadequate systems,” “lack of strategic coordination,” and “inability to accurately assess valuation risk on a timely basis.” As for the board, its processes also lacked accountability for evaluating the firm’s risk exposures, assessments, and management. In other words, according to the report, the UBS directors were as guilty as the management they ostensibly supervised of failing to confront risk.

In the months to come in the U.S., Europe, and elsewhere, legislators will try to put in place new rules for financial reform and corporate risk management (along with fines and regulations designed to stop malfeasance). But if we want prevention as well as punishment, then regulatory reform, in itself, will not be enough. Indeed, no matter how noble the intent, governance reform may make things worse. Over the past 20 years, in fact, well-intentioned reform efforts have led to what Yale governance guru Ira Millstein calls “recurrent crises in corporate governance,” in which each new crisis leads to a new bout of poorly crafted laws, complex regulations, and punitive court decisions that collectively make corporate governance less viable, thus beginning the cycle again. The logical conclusion is that governance reform itself requires reform.

The place to start is with risk oversight as practiced by the board of directors. Meaningful oversight must go beyond the aspirational principles espoused by most board members — to actionable practices and processes that inspire investor confidence and trust.

Three practices in particular would elevate the board’s risk competence while giving key stakeholders more involvement in risk oversight.

  • The first practice would be the creation of an explicit risk manifesto articulated by the board: a set of principles that describe and govern how directors will define and oversee enterprise risk management.
  • The second practice would reach beyond the boardroom into the company: Small teams of talented executives would prioritize and present future risk scenarios that the board could then ponder.
  • The third practice would seek the “wisdom of crowds,” as James Surowiecki puts it, through shareholder outreach, by having boards elicit and solicit risk concerns and insights from their shareholder communities.

These innovations in board practice would offer unambiguous benefits, and they could be put into place by boards today, without waiting for regulatory change. They would make exercising oversight easier, especially for independent directors (those who are not executives or employees). For shareholders, these innovations would promote transparency by offering greater visibility into how the board and management are operating. They would make companies more accessible, giving shareholders ways to reach board members and to share their concerns. (This is not so-called shareholder democracy, but simply a better form of communication among the board and investor constituencies.) And they would provide greater rigor for companies in proactively defining, assessing, and confronting the threats that are embedded in enterprise behaviors.

There’s also a message here for would-be regulators: Fiduciary oversight should be less about managing increasingly detailed “compliance checklists” than about enabling simple processes and practices: encouraging directors to collaborate on behalf of shareholder concerns. The most sweeping corporate governance reform in any country in five decades — the United States’ Sarbanes-Oxley Act (SOX) of 2002 — was overwhelmingly passed by an angry Congress in the wake of the Enron, WorldCom, and Tyco scandals and the popping of the Internet/telecom equity bubble. The act’s express purpose was ensuring diligent and responsible boardroom behavior. Yet SOX played no discernible role in anticipating or preventing the inappropriately risky behaviors that precipitated the global financial crisis that came just five years later. Quite possibly, the distractions of SOX made the 2007 crisis worse.

SOX failed not because boards and directors disobeyed its rules. In fact, very few firms have been accused of violating its provisions. But the act itself did not focus on the fiduciary fundamentals. Instead of more complex and costly regulatory oversight, corporations require nimble and cost-effective boardroom processes that will ensure both greater accountability and greater investor confidence. Governments (and companies themselves) could have a huge beneficial impact on the economy simply by giving boards the incentives they need to adopt some fundamental good governance practices. For example, the “business judgment rule,” consistently reaffirmed by the Chancery Court of Delaware (where most leading U.S. companies are chartered), assumes directors inherently make good-faith efforts to make the right decisions.

For simple regulatory compliance, this assumption may be reasonable. But it is possibly the biggest legal barrier to responsible and responsive risk management in the boardroom. Changing it to insist that directors transparently disclose how they assess and oversee enterprise risk would go a long way toward improving boardroom competence.

The purpose of the three risk oversight practices highlighted in this article — a risk manifesto, risk scenarios, and better shareholder outreach — is not to ensure institutional infallibility, or the illusion of it. No board of directors can reliably predict the future or avoid serious errors and external crises. Nor is the purpose to prevent or even lessen the amount of risk taken. Entrepreneurs and innovators are correct: Risks, including big risks, are necessary for a company’s growth, competitiveness, and survival.

But there is a need for better risk taking by making boards more effective, actively engaging management’s risk modeling and mitigation efforts without creating undue bureaucracy or discouraging experimentation. This requires a holistic approach to oversight. It should not be delegated to specialists, committees, or consultants, but embedded in the board’s mandate and ongoing processes.

The Risk Manifesto

As Deutsche Bank’s Chief Risk Officer Hugo Banziger told Risk magazine in July 2008, “If you do not set an explicit risk appetite for the firm, [risk management] is meaningless.” And as Booz & Company Partners Alan Gemes and Peter Golder put it, “Besides asking…how to prepare for the downside, corporate leaders should be asking how much risk they want — and how much capital they are willing to stake for how much potential gain.” (See “What Is Your Risk Appetite?” s+b, Spring 2010.)

A risk manifesto is a public exercise in articulating how the board aspires to assess and oversee enterprise risk. It is a boardroom mission statement aimed at individual shareholders and institutional investors to help them understand how their fiduciaries define their risk oversight obligations. Risk manifestos offer useful visibility into risk culture and corporate governance. They should be written by the board in collaboration with management.

The manifesto’s purpose is not to provide a comprehensive checklist of items for directors to collectively tick off as they review strategic acquisitions or capital expenditures. The goal is to define basic principles. These principles may be as vague as a pledge to make “best efforts” in overseeing existing risk management systems or as specific as a promise to disclose the results of risk assessment audits conducted by external reviewers.

But investors, regulators, executives, or employees reading the manifesto can come away with a clear sense of how the board will hold management accountable for risk assessment and management. The manifesto establishes how the board and management reconcile differences in risk appetites. Most importantly, the manifesto creates expectations that reassure investors. Good governance means directors won’t take key risk assessments for granted.

For example, the board’s manifesto might commit the board to regularly review the key assumptions of the most profitable segments of the company’s business. The board might then set up a committee to monitor the progress of the firm’s most important new product initiatives. Such an effort might, for instance, have helped both Boeing and Airbus better anticipate and deal with the delays in their Dreamliner and A380 introductions. A manifesto might also include a commitment to retain an outside risk advisor in the event that more than three independent directors disagree with a managerial risk assessment.

No single provision can offer a panacea, but manifestos can create legitimate expectations for how fiduciaries will constructively confront risk. When major events — acquisitions, divestitures, key hires, huge capital investments — materialize, the board with a manifesto is compelled to exercise more attentive judgment routinely and to deliberately seek alignment between risk principles and firm behavior. If essential principles require revision, the manifesto can be altered accordingly. If the manifesto is constantly changing, that reveals something important about the board’s risk perceptions; if the manifesto never changes, that’s revealing, too.

Talent-driven Risk Scenarios

Boards have traditionally depended on top management’s representations of risk. Business history suggests that this tradition often represents a problematic overdependence or unhealthy codependence. This was undeniably true for the financial-services industry between 2007 and 2009. The directors of many companies — including UBS, Royal Bank of Scotland, Citigroup, AIG, Bear Stearns, and Lehman Brothers — were demonstrably dependent on how their managements described the risks they faced. The UBS directors’ report, the Citigroup congressional testimony, and the Chapter 11 examiner’s report on Lehman Brothers (also known as the Valukas report) all have one factor in common: Independent directors played only a marginal role in providing either risk insight or oversight.

Fortunately, the board’s primary role in executive succession — selecting and approving new senior decision makers — and the increasing use of executive sessions can help create important opportunities for improving both risk oversight and professional development. Lead directors and other non-executives should ask the CEO and other senior management to organize three to five teams made up of the firm’s high-potential talent. Perhaps 15 to 25 “fast trackers” might be involved.

The teams’ brief is to present risk scenarios of possible futures they believe their board needs to take seriously. These could include high-impact financial “black swans,” such as a currency collapse or a run on financial instruments; geopolitical and demographic changes; disruptive technologies; and constricting regulations. The teams’ ability to create and consider compelling, realistic stories of plausible (but generally unrecognized) future challenges will become a test of their business judgment and acuity. This is not a casual exercise; it might take a team two or three months to prepare a usefully provocative 50-minute boardroom briefing, and the briefing should be delivered to the board in an executive session, so that questions may be posed, and topics explored, independent of the C-suite.

The non-executive directors on the board tend to benefit most from this practice. They gain insight into the analytical and presentation skills of the firm’s top talent. Poor presentations are as revealing as superb ones; dull and conventional scenarios indicate a need to raise the bar on the imagination and clarity at executive levels. If the scenarios present unexpected shocks, then the board members come away with multiple risk perspectives on potential enterprise challenges. They now have multiple contexts within which to evaluate how top management articulates and assesses risk. They can detect which risk themes are sensitive or are organizational taboos. They can observe the balance between rigidity and independence of thought.

Presenting before the board is also an important professional development opportunity for talent. The firm’s future leadership gains a more direct appreciation of the board’s role and concerns.

Some could argue that risk scenarios represent an ingeniously pernicious form of board micromanagement. But there’s nothing in this proposal for directors to manage, except the decisions they are already mandated to make. This practice should be designed to scrupulously adhere to the aphorism that effective overseers (in this case, board members) “put their noses in but keep their hands off.”

Tapping the Wisdom of Investors

Boards typically have awkward relationships with institutional investors. During difficult or uncertain times in particular, non-executive directors are torn between supporting the strategic aspirations of management and responding to the impatient unhappiness of shareholders.

The relationship is further complicated by the often contradictory rules and regulations governing communications between boards and shareholders. The U.S. Securities and Exchange Commission’s regulation on fair disclosure (adopted in 2000 and commonly known as “Reg FD”) places constraints on public disclosure; corporate counsels are thus wary of anything that would promote communication between activist investors and non-executive directors, especially on issues of strategic import.

The irresistible rise of digital media, however, has transformed the economics of, and opportunities for, structured information exchange among shareholders and the board. Risk solicitation and elicitation provide a powerful means for boards to reach out to their investor communities; the imperative of risk oversight gives them a rationale for doing so.

Coordinating with management, boards could invite shareholders to answer surveys or questionnaires about the risks that most concern them. In the financial sector, for instance, investors might express concerns about companies being too reliant on proprietary trading, too slow to move into some lucrative areas, or too exposed to innovative financial instruments, even if they are rated AAA. Interested investors could submit “risk alerts” to a website that would collate and rank them for later review. In effect, boards could use digital networks to creatively canvass shareholders and tap “the wisdom of investors.” Corporate governance specialist and Weil Gotshal attorney Holly Gregory believes that such surveys could become an important medium for creating shared risk awareness.

The overall goal is to give investors clearer insight into a company, and to give the company’s leaders a better sense of the priorities of all investors, not just the most vocal. Transparency of this sort is generally seen as an option exercised at the discretion of the CEO. But it is more appropriately viewed as a prerogative of the shareholder and a beneficial constraint for management. Openness of this sort would also make litigation or regulatory investigation less likely, because directors would probably think twice before giving casual assent or vociferous dissent on significant issues.

Another method for providing better transparency might be producing special reports in which boards make some of their deliberations available to shareholders. Non-executive directors might issue their own messages, summarizing those areas in which they enthusiastically supported management initiatives, decisions to which they merely assented, and decisions with which they disagreed. Investors might have the opportunity to respond in online forums. The particular design of the colloquy matters less than the fact that the company keeps moving toward more transparency. A non-executive directors’ declaration that included responses from the CEO and CFO would provide important information to investors and stakeholders alike. These reports would also bring to light concerns or problems and show shareholders that boards were going beyond compliance in their oversight efforts, and why.

A profound governance transformation can become possible when technology creates virtual proxies. That is, elicitation, solicitation, and participation efforts are such that shareholders become risk assessment partners. Should unhappy surprises occur, boards might rightly ask their investors, “It’s your company, too; why didn’t we get any early warnings from you?”

Playing a Different Tune

Although boards could enact each of these three practices separately, collectively they will reinforce each other’s impact. Risk manifestos support internal risk scenarios; shareholder risk assessments can inform risk manifesto revisions; internal risk scenarios suggest external shareholder polling.

Each of these core risk oversight practices can be made as visible, accessible, and transparent as the board desires. They push management to explicitly address the critical risk factors that deserve to be challenged. They don’t require extensive investment, burdensome compliance measures, or disproportionate expenditures of time. They are flexible and resilient. They build accountability and trust.

Would implementing such processes have prevented Citigroup’s collapse, the $40 billion losses at UBS, the Boeing Dreamliner delays, or the Deepwater Horizon explosion? That’s impossible to know. But if a financial-services chairman and CEO publicly declared his or her intent to “get up and dance as long as the music is playing,” he or she would surely be reprimanded by the board and shareholders for violating the principles of the firm’s risk manifesto. Cavalier risk assessments would be less likely to survive if boards challenged fast-track employees to present serious risk scenarios and invited institutional investors to nominate risk factors. Of course, losses and mistakes would still occur. But they would be less likely to reflect poor judgment. They would result from the reality that not all risks pay off.

In an ideal world, recommendations like these wouldn’t be necessary. Boards would engage with management and constructively challenge the company’s risk assessments. Management would accept challenges to its assumptions as intrinsic to good governance. Shareholders would naturally be assured that the board’s risk oversight would minimize multibillion-dollar surprises.

But corporate governance, whether mandated by regulation or by the best interests of corporations themselves, lives in the unpleasant real world. It must avoid the false perfectionism of perfunctory compliance. It should weaken — or, better yet, eliminate — the presumptions of good faith and competence that discourage directors from asking hard questions that matter. In short, the best way to make governance better isn’t to put more rules in place, but to keep close to fundamental principles, such as transparency and engaged management, that have been demonstrated to work over time.

Author profile:

  • Michael Schrage, a contributing editor of strategy+business, holds appointments at MIT’s Sloan School of Management and London’s Imperial College. He was previously a Washington Post reporter and a columnist for Fortune and the Los Angeles Times.