A version of this article appeared in the Summer 2020 issue of strategy+business.
Your company’s board of directors is charged with reviewing all kinds of risks to the corporation. But how well prepared are its members to do so? How ready are directors to evaluate, communicate, and act on risks — and thus to better ensure that their companies are doing a good job?
A great deal rides on the answers to these questions. Risk oversight of the boards themselves is what the Conference Board, a business membership and research organization, recently called the next frontier (pdf) in corporate governance. “If boards really understand how to take risks well, their organizations will do better,” said David Koenig, founder of the Directors and Chief Risk Officers Group (DCRO), an industry organization that formed after the 2008 financial crisis.
Responding to an overwhelming sense that boards didn’t accurately monitor risk in the time preceding the financial crisis, investors and directors themselves called for boards to up their game in overseeing organizational risk culture. Regulators let it be known that they would be looking over boards’ shoulders and taking them to task for lax risk oversight. Additionally, a growing number of index tools are tracking governance. In the decade since the crisis, boards have rushed to put risk monitoring mechanisms in place, boosting the enterprise risk management market to nearly US$4 billion in 2019, according to Transparency Market Research. But worries have lingered that many of these boards were asking for risk analyses solely as a box-ticking exercise. And a series of recent lawsuits has attempted to chastise directors for ignoring risks.
But risk oversight isn’t just a matter of avoiding a slap on the wrist or other sanctions. A widely cited 2004 study (pdf) by Institutional Investor Services, a proxy advisory firm, concluded that firms with good corporate governance were more profitable, had higher stock market returns and dividend payouts, and less risky investments than those with weak governance structures.
As expectations and pressures evolve, corporate directors have been taking action: adding risk committees, ensuring there is a critical mass of risk expertise on the board, measuring how much attention they pay to risks, and understanding how cultural dynamics affect risk decisions. A recent Spencer Stuart study found that 12 percent of S&P 500 companies had risk committees in 2019 — a small number, but up from 9 percent in 2014. Finance and utility companies were by far the most likely to have risk committees, in no small part for regulatory reasons.
But the vast majority — more than 95 percent — of S&P 500 companies assess the performance of their board of directors annually, as do 80 percent of companies in the Russell 3000, according to a 2019 report (pdf) by the Conference Board and data-mining firm ESGAUGE. There is evidence that boards are reacting to assessments. In PwC’s 2019 Annual Corporate Directors Survey, for example, an impressive 72 percent of directors said their boards made changes in response to the last board performance assessment — up from 49 percent just three years earlier. Still, 20 percent felt assessment processes were ineffective.
The most effective board risk oversight is not the result of regulation but rather happens because someone — a board member, an investor, the CEO — has had an earlier oversight experience and has seen that it’s helpful, according to DCRO’s Koenig. And often, a board is mindful of risk oversight because it has had a negative experience in which it failed to recognize and respond to a risk. “They don’t want to have that kind of experience again,” he said.
Risk assessment tools
New tools are evolving to help directors pay more attention to board risk dynamics, assess their skills and performance, and adjust processes and composition to make boards more risk-ready. DCRO, for example, has issued guidelines for recruiting risk-savvy directors and for building effective risk committees. Those guidelines describe risk skills such as conflict management, awareness of cognitive biases, the ability to challenge groupthink dynamics, and facility with communications to help build consensus around risks. Organizations such as the National Association of Corporate Directors and the Committee of Sponsoring Organizations of the Treadway Commission have detailed best risk practices for boards, which include asking hard questions of themselves. Do their processes and cultures for risk oversight work as intended?
One of the key questions and challenges is how to infuse risk readiness throughout the whole board. “We have tended to look at risk and other items of corporate governance in silos, and they need to be looked at in context,” said Susan Shultz, CEO of the Board Institute, which in 2018 launched a tool, the TBI Protiviti Board Risk Oversight Meter, specifically to help boards become more confident in their risk oversight processes. The tool assesses boards’ structure, composition, and leadership; directors’ roles in risk oversight assessment, monitoring, and response; alignment of risk and strategy; and the risk information provided to the board.
PwC’s 2019 Annual Corporate Directors Survey found that the percentage of directors participating in crisis management tabletop exercises doubled since last year, from 28 percent to 56 percent.
These kinds of assessments provide important insights that can improve processes, but only if directors take their information to heart. “It’s important to have these metrics, but it’s also important to know what’s going on inside the boardroom in terms of strategy and culture,” Shultz said. “Directors often don’t understand how to prioritize risks, what those risks are, and what their role is.”
Though aimed at company-wide processes, not just boards, the Institute of Risk Management’s Risk Maturity Model is a useful tool for identifying risks and evaluating risk–reward trade-offs, as well as for understanding how much leadership and staff embrace and execute their risk strategy. It suggests ways to encourage appropriate risk taking and challenges overly risk-averse or risk-seeking behaviors.
U.K. regulators require financial firms’ boards to issue risk-appetite statements describing the amount and type of risks an organization is willing to take in order to meet its strategic objectives. Like other tools, the statements’ effectiveness depends on how enthusiastically boards and companies embrace them. They can help to focus meaningful conversation, or they can be jumbles of words that a team assembled simply because it had to.
Understanding the risk attitudes of directors as individuals and as a whole can make all the difference if a risk materializes into a full-blown crisis. Davia Temin, founder of the New York–based crisis management firm Temin and Company, said it’s essential to understand and improve a board’s risk reaction dynamics during times of calm. “It’s better to fix the fissures on a board ahead of time because every fissure will explode in a crisis,” she said.
She recommends boards do an annual risk survey to determine how attuned different directors are to various risks. Crisis scenario games can shed light on differences among board members in their responses to stress and risks, and help board chairs to identify ahead of time which directors they might lean on most when — not if — a crisis hits. In fact, PwC’s 2019 survey found that the percentage of directors participating in crisis management tabletop exercises doubled since last year, from 28 percent to 56 percent.
Is it working?
There’s no question that dedicated risk committees, assessments of board processes and culture, risk appetite statements, and scenario exercises can help strengthen board risk culture. But it’s important not to presume that actions will be effective. The results depend on what boards do with the insight and data gained from these tools. Are they actually recruiting directors with risk skills and deploying them? Are they providing boards with the information they need to make decisions? Does the board consciously include a diversity of risk attitudes and understand the strengths and weaknesses of its composition for risk decision making?
These questions may not always be easy to answer. But if companies are going to be effective at managing risk — wherever it shows up — boards will have to rise to the challenge.