Corporate boards are beginning to take ownership of risk management, according to a report released recently by The Conference Board.
The report, Director Insights on Emerging Risk Oversight Practices, is the most recent installment of The Conference Board Director Notes series. It was produced in collaboration with McKinsey & Company and the Global Association of Risk Professionals, and is based on a series of interviews with corporate directors on emerging board practices in risk oversight.
Interview participants included 20 members of the boards of U.S. public companies, which represent a variety of business sectors (including manufacturing, high tech, real estate, food services, retail, telecommunications, air travel, energy, health care, and banking) and range in size from $150 million to over $30 billion in revenues.
“The financial crisis underscored the importance of risk management in the pursuit of a business strategy,” says Matteo Tonello, Director of Corporate Governance Research at The Conference Board and founder of the Director Notes series. “Today, as companies recover from that turmoil, many corporate directors wonder if they and their boards are doing all they should to fulfill their fiduciary duty with respect to risk oversight.”
This Director Notes report summarises the most important insights obtained from the interviews.
In particular, it highlights a set of concrete, emerging best practices for boards in this important area of responsibility, with actual quotes from directors:
Assign the responsibility of risk oversight to the full board and the burden of risk oversight to the right committee(s). (“We are all collectively responsible for risk,” said a board member, while another added: “Audit committees tend to have a checklist approach to risk oversight, which is dangerous; not enough prioritisation, not enough of a business angle.”)
Consider the full breadth of material risks that can impact the company. (“We benchmark against a range of companies to make sure we think.”)
Push for a deep understanding of the key risks. (“We spend a lot of time reviewing the numbers and understanding risk processes: where the key numbers come from, how they get into the reports.”)
Secure the right expertise on the board. (“Transformation of our risk approach was driven by two board members with risk experience elsewhere.”)
Nurture a healthy tension borne by diversity. (“The biggest change we made in risk management over the last few years is focusing on having the most diverse board possible.”)
Engage the broad management team. (“The board needs to interact with management in an open manner, not just hear what has been rehearsed three times.”)
Embed risk discussions in all board processes. (“Every initiative presented to the board concludes with a simple page with three to four bullets on the key risks.”)
Avoid the “bureaucratic trap”—more substance, less process. (“When you ask an executive to go in depth on a specific risk and you get a blank stare, you know risk management has become too bureaucratic.”)
Make risk management actionable, not just an exercise. (“Follow-up is critical—managers come back to the board and are asked ‘tell me what you have done’—it is more than just a plan.”)
Take ownership of improving risk management in the organisation. (“To make risk management a success at our company the board had to get involved—we never gave up.”)
“While most boards have taken on the challenge of upgrading their risk oversight capabilities, there is significant diversity across companies in their approaches,” says André Brodeur, a co-author of the report and leader of McKinsey’s enterprise risk-management service line for non-financial companies. “This diversity does not appear to be connected to either business sector or company size. While financial institutions and energy companies in general have the longest history of developing the risk oversight capabilities of their directors, a number of corporate boards in other sectors have become equally attentive to risk issues.”
This Director Notes report also discusses three additional practices that until now have been detected almost exclusively in the financial sectors, but are expected to become increasingly influential among non-financial companies as well, especially as a result of increasing pressure from regulators: the use of stress testing techniques; the adoption of a “risk appetite statement;” and the analysis of the risk effects of executive compensation.