How to Talk to Your Board about Risk

New research reveals a better way to engage with board members on this critical business issue.

(originally published by Booz & Company)

Board members and company managers today need to have a clear and informed view of risk. The business world is fraught with risks to strategy that emerge more quickly and pack a bigger punch than ever before. Moreover, there are new sources of risk—for example, fast-moving innovations in technology (think: Blackberry versus the iPhone), scientific breakthroughs, and the ever-evolving realm of social media.

The quality of conversations about strategic risk among business leaders and operating managers makes all the difference. New research from the American Productivity and Quality Center (APQC) on enterprise risk management (ERM) shows that the more mature organizations—those with well-established risk assessment, reporting, and training processes—have been taking steps to boost the quality of such conversations, especially those involving boards of directors or board committees. For example, their leaders take care to structure the agenda of board-level risk discussions so that there is ample time to focus on the question of “what’s not visible now that could hit us?” Spending adequate time on that sort of inquiry uncovers overly confident strategic assumptions.

“The point is to kick off creative brainstorms,” one ERM leader told us. This leader has developed an exercise that prompts company managers to have practical discussions. “We…talk about the resiliency of [managers’] strategic plans,” he says. “We can ask, ‘What have you done to fold the risks that have been identified into your plan in a way that allows you to win the must-win battles?’” In contrast, a board-level conversation at a far less-mature company would involve a rote recitation of risks that surprise nobody—for example, what do we do if the price of energy rises next year?

Smart managers also work to educate board members on the concepts and language of ERM. When everybody shares a common understanding, people can easily come to consensus about what issues deserve deeper examination or highest priority. They can then proceed to prioritize their strategic responses given a risk’s likelihood of occurring and its speed of change.

For example, at one best-practice organization, leaders and operating managers alike are trained to use a risk prioritization model (which is shared with the board). The slow-moving risks with a low likelihood of happening get parked (but not forgotten). The slow risks with high likelihood are items the managers will have to adapt to. Then there are risks with low likelihood that would nonetheless quickly become a big challenge if they materialized. These need contingency planning and careful monitoring. Finally, there are the emerging risks that are most likely to materialize and that can accelerate quickly. These are risks that have the potential to seriously disrupt the business unit’s strategy.

Finally, when conversations about risk are well structured and meaningful, managers gain a clearer sense of the board’s appetite for risk and ability to tolerate it. Board members, meanwhile, get a good feel for the organization’s level of ERM maturity.

At some companies, however, board members don’t recognize the value of such conversations. They want to do what they’ve always done: sort risks into neat categories (financial, operational, compliance) and dictate that more rules be drawn up for employees to follow. Such boards look at company managers and say, “We pay you to worry about risk. We worry about ROI!”

Indeed, APQC research indicates that ERM is still in its nascent stages at many firms. Survey findings from nearly 100 large global companies point to a worrisome process weakness: 43 percent do not have an ERM process owner who updates the board regularly about the evolving mix of risks and efforts to address them. In contrast, the 57 percent that do have such a person and process in place feel confident in their ability to identify new types of risks that could send strategic initiatives careening. The confidence comes from steady exposure to the board’s evolving views on risk versus reward. And when an ERM leader can say to other managers, “Well, here’s what the board thinks about that,” the board’s clout is in the room. Operating managers tend to perk up and engage in truly thorough discussions about potential risks.

The first step in having meaningful conversations with the board about risk is collecting the right information to share. At best-practice companies, gaining risk intelligence starts with some version of this mantra: “Everybody’s a risk manager. The business decision makers own the strategy; therefore, they own the risks.” When leaders set the tone that risk management is everyone’s business and put structures in place to support it, the data emerges effectively.

An example comes from Exxaro, the large South Africa–based diversified resources group, with interests in the coal, mineral sands, ferrous, and energy commodities. Exxaro has a highly structured ERM reporting process. Business units meet quarterly to go over their risk profiles, as does the operations committee. The board then receives a quarterly operational risk profile, and the ERM team has an annual process with the board wherein board members use the business units’ and operations committee’s risk profiles as input to compile their own risk profile.

The point is not for the board to re-rank or develop their own views on specific risks. Rather, it is to ensure that risk owners throughout the organization participate in risk management in a genuine manner—one that fully engages the board in conversation.

Mary Driscoll

Mary Driscoll is a senior research fellow at the American Productivity and Quality Center.