WHEN YOU’VE SPENT close to two decades as a CEO, held more than a dozen positions on high-level boards, and have board or executive experience in four distressed situations, you’ve earned the right to the first word on risk.
“Risk has always been a big issue,” says John Caldwell, who retired earlier this year as president and CEO of SMTC Corp. (TSX:SMX). “I’ve been on a lot of boards over the years and every board I’ve been on struggled with how to deal with it.”
Caldwell led a turnaround at SMTC and, before that, at enterprise software maker GEAC Computer Corp. Among his directorships, he held a seat on the board at Stelco Inc., where he chaired the restructuring committee during the steelmaker’s complex bankruptcy in the middle of the last decade. He remains on four boards today and sits on three audit committees.
The insights gained during these experiences have served him well in his latest project: drafting a framework on board oversight of enterprise risk on behalf of the Canadian Institute of Chartered Accountants. Writing in the introduction to the 80-page document, Caldwell says that ongoing reappraisals of the role of the board in enterprise risk and the introduction of new rules on governance and risk disclosure since the crash have created a lot of uncertainty among directors. “For many boards, oversight of risk is a high priority, but is, to a greater or lesser degree, uncharted territory.”
The very fact that the CICA asked Caldwell to write a practical, procedural guide for directors speaks to the need for such guidance and to how high a priority risk and risk management have become. More proof: according to a global survey by management consulting firm Accenture, 98% of the 397 participating firms reported that risk management is a higher priority today than it was two years ago, with 60% saying it’s a higher priority “to a great extent.” Responsibility for risk management is also shifting to higher-profile positions within corporations, including a growing cadre of chief risk officers and even CEOs. Other research shows similar trends at the board level, such as Korn/Ferry International’s finding in a 2010 survey that the number of boards with risk committees, while still not large, has doubled in the past decade (to 13% from 6%).
A lot of impetus for rethinking has come from within boards and companies themselves. But a great deal more has been driven by external pressure from regulators and shareholders alike.
On the regulatory front, for example, the Canadian Securities Administrators announced new rules this summer regarding disclosure of risk management practices employed in determining executive compensation. In the U.S., meanwhile, provisions in the new Dodd-Frank Act require public financial companies and bank holding companies with assets over $10 billion to form risk committees at the board level. Most recently, at the end of August, the UK accounting regulator, the Financial Reporting Council, announced new reporting rules that, if enacted, will require audit committees for all companies to file regular reports on key risks their companies face in terms of strategy and operations. “Audits used to be about making sure everything added up correctly,” Richard Fleck, chairman of the UK Auditing Practices Board, told The Telegraph. “Now it is more important to assess a company’s soft decisions.”
Shareholders, when not showing disapproval by selling shares or filing proposals for annual meetings, have stoked up the legal pressure as well. Manulife Financial Corp. (TSX:MFC) was a prominent Canadian target coming out of the crash in 2008, after it took a huge financial and reputational hit for being overexposed to the risk of a market meltdown. More recently, a federal court judge in New York in July gave the green light to a shareholder lawsuit against Lehman Brothers that claims, in part, senior executives and directors exaggerated risk-management practices at the now-bankrupt firm. Elsewhere in the U.S. northeast, activist fund managers—likely charged by the spectre of BP’s Deepwater Horizon oil spill in the Gulf of Mexico—have been filing shareholder resolutions with natural gas firms demanding greater transparency around environmental risk management and mitigation plans in relation to “fracking,” a process for extracting shale gas that critics have linked to groundwater contamination and other environmental damage.
While such pressures challenge executives in all aspects of operations management, they present a particular set of issues and challenges for boards. Namely, how do boards ensure proper oversight of the company’s risk management practices? Seeking some answers on this issue, Listed asked Caldwell and a number of other consultants, directors and experts for their advice. The insights break down loosely into two categories—understanding frameworks, systems and measurement techniques that help boards gather and stay on top of important variables, as well as broader governance measures that affect the workings of the board overall.
“Boards have always looked at risk,” says Eileen Mercier, whose titles include chair of the Ontario Teachers’ Pension Plan board and chair of CGI Group Inc.’s (TSX:GIB.A) board audit and risk management committee. At the same time, she says “shifts” are occurring in how boards approach risk oversight. The core skills remain the same—a combination of careful review of company data and strategy mixed with good judgment and experience. But boards are increasingly exploring and adopting processes and procedures that are becoming more formalized. “It’s getting to be more of a science in the sense that measurement techniques are getting more sophisticated,” Mercier says. “It’s becoming a discipline of its own.”
The fundamental challenge in developing processes for risk governance lies in the fact that companies face potential risks on so many levels. The potential for adverse and unexpected outcomes is vested in everything from strategic planning and financial management to operations, executive compensation and reputation. And it goes deeper. Global risk adviser and insurer Marsh & McLennan Cos. lists 17 categories under the “Risk issues” tab on its website, including categories such as environmental risk, cyber risk, supply chain and political risk. Certain individual companies, meanwhile, are known to have upwards of 200 risk variables feeding into their oversight.
It’s not the board’s role to monitor risk variables directly. That’s management’s job. But the board does have a central role in setting the parameters on which any monitoring and data gathering system is based, and it later bases decisions on that system’s reports. And that, to some extent, is where frameworks like the one Caldwell has written (there are others) come in. They offer step-by-step processes for boards to follow, flagging key questions and action items at every interval. The CICA’s framework lays out a nine-stage path towards the formation and operation of an up-to-date risk oversight system. It starts with an evaluation of a company’s operating environment and risk appetite, moves on to the identification and prioritization of risk, all the way to plans for ongoing risk monitoring and updating (see sidebar at bottom).
As first steps in the increasing formalization of risk oversight, frameworks like these are a baseline for discussion. They are important in that they take a holistic approach to a subject that up until the last decade was typically dealt with in a piecemeal fashion. “Risk would be in the last few pages of a strategic plan identifying strategic risk,” Caldwell says. “You’d see it pop up on agendas from the audit committee. But seldom did you see it as a specific agenda item.” More significantly, frameworks open discussion and offer guidance for boards seeking to develop their own processes. Making use of analytic techniques such as “heat-mapping”—colour-coded graphics that rank severity and probability of individual risks as well as their interconnections—they also help visualize and quantify the challenges and scenarios a company may face.
Frameworks have their limits and are not a replacement for the experience and judgment on offer from a well-formed board. They even pose their own risks if treated as ends in themselves rather than a forum for careful analysis, notes David McAusland, a partner with the law firm McCarthy Tétrault who specializes in governance. But when properly executed, McAusland says they offer boards an opportunity to develop a broad, objective view of the risks facing their companies, as well as their severity.
The task of identifying and prioritizing risk appears daunting for boards in the early stages of formalizing processes. In part, that brings us back to the complexity factor. But it’s also a manpower issue; boards must devote considerable time and resources in order to have a process that’s aligned with their companies’ scale, sector, circumstance and culture.
Further complicating matters, says Chris Bart, a professor at McMaster’s DeGroote School of Business and founding principal of the DeGroote-affiliated Directors College, is that the standards and processes for formalizing risk oversight are still in their infancy. “We are not at a university level understanding of this,” he says. “We’re at an elementary school level. We don’t even know what the university curriculum looks like.” Indeed, another recently published survey by Korn/Ferry called “Calculated Risk?” identifies key areas where executives and directors are wrestling with issues of how to develop and implement oversight procedures. Among the top concerns are the boundaries around the board’s work. As one chief executive quoted in the study says, “There’s a lack of clarity as to what board oversight really means.”
It’s here where the lessons move beyond frameworks and monitoring and into the realm of governance and board independence. How far does board oversight extend? Caldwell throws down the gauntlet in the introduction to his framework, when he writes: “Boards must take a more active and direct role in risk assessment well beyond traditional oversight of typical risk management processes. Risks associated with leadership and strategy are prime examples where a board must assert itself more directly since management cannot always be expected to objectively assess its performance and capabilities from a risk perspective.”
Mercier is a strong advocate of boards showing leadership, although she acknowledges that it is a delicate subject. Oversight is not management, so it’s not the directors’ role to be down in the trenches talking up policy. That’s the job of the executive. At the same time, directors can and should set the tone of the company’s culture and risk appetite. It then falls to the CEO to ensure it’s embedded enterprise-wide, backed by board-defined controls. Done right, Mercier says, you’re helping to create a corporate culture in which employees can speak about risk and keep risk management a concern in their lives. “A culture of openness that allows people to question things, I think that’s the biggest bulwark against unexpected things happening.”
Likewise, there is the question of where responsibility for risk oversight lies within boards. Audit committees carry the ball in the majority of cases. Risk committees, on the other hand, are established features at boards of financial institutions, where the size of organizations and the complexity of risk profiles make full board participation at all phases impractical. Other experts say a risk committee is typically favoured when dynamic risk is a core part of a company’s business activities. Meanwhile, as some Korn/Ferry survey respondents noted, delegation is not the right solution in every instance. Resources available to individual boards are an issue. So is the fact that some companies may see greater benefits to their organizational culture by positioning risk as a full board concern. Or they have concerns that delegating responsibility to a committee may disengage other directors from the discussion.
In the end, however, responsibility must come back to the full board. “This is not an exercise for financial people on audit committees. It’s a board mission,” says Mercier. “Different pieces of it can be dealt with in different committees. But risk management writ large is a board matter. It can’t be delegated and it has to be owned by the CEO and all the way down the line in operations.”
One of the most interesting and unexpected perspectives to emerge from our inquiry into risk oversight is just how many of our experts stressed that risk management must not be mistaken for risk avoidance. In fact, the opposite is true: good risk management facilitates rational risk-taking. “The whole area of risk needs to be viewed more positively,” says McAusland. “It’s about getting the best understanding of risk relative to performance.”
Without risk, you wouldn’t have much of a business. An executive’s or entrepreneur’s willingness to make a measured bet—based on market research, an idea, competitive intelligence, better salesmanship, proprietary technology, charisma, a hunch, or a hundred other factors—is what drives value creation. No risk, no reward.
Perhaps it’s not surprising that Caldwell, again drawing on his extensive board and CEO experience, has a well-formed view on the matter. “There are a lot of boards that say the oversight of risk is about the protection of assets and preserving the viability of a company. I actually think that’s not the biggest issue,” Caldwell says.
Ultimately, he says, there’s no more important lesson to be learned here than the fact that strong risk oversight equals improved bottom-line performance. “Most corporations survive. To me the issue is partly that, but it’s also underperformance. If you create a strong risk oversight environment, you actually go a long way to improving performance. For example, you’re going to be assessing the quality of your chief executive officer. You’re going to be assessing the quality of strategy. There are a lot of things that go in behind, that should actually drive better performance.”
Nine stages of risk response
How does a board conduct risk oversight? Here’s a summary of the process, adapted from John Caldwell’s “A Framework for Board Oversight of Enterprise Risk,” published by the CICA.
1. Establish context: Risk oversight begins with an examination of the current conditions in which an organization operates. Factors include the macro-economic environment, the size and nature of markets, industry and competitors.
2. Identify risks: A lengthy process that requires extensive input from management, risk identification covers multiple areas of potential risk, including strategic, financial, leadership, compliance, hazards, reputation, operational and external risks.
3. Analyze consequences: Following the identification of risks, boards need to evaluate the likelihood of risks occurring and their severity, with severity taking precedence over likelihood. These assessments are somewhat subjective and boards may want to use tools such as “heat mapping” in their review.
4. Analyze interconnections: Though complex, analyzing risk interconnections is an important element of oversight, as serious failures are often the result of interactions and combinations of factors. To make the task manageable, boards may wish to focus on higher risks.
5. Reanalyze consequences: After reviewing the interconnectedness of risks, boards may choose to reanalyze their original assessments. The ranking of some risks may be reevaluated in light of interconnections.
6. Prioritize: Rank the larger risks by severity in the context of the likelihood of occurrence. This allows boards to focus on critical risks, of which there are not often more than five or six.
7. Assess risk tolerance: Risk tolerance varies from company to company. It should be viewed in relation to company goals and positions in order to achieve an appropriate balance between risk and reward.
8. Choose a response strategy: Develop plans to avoid, reduce, control or share risk. This may take several forms. Risk avoidance, for example, may include limiting the size of acquisitions or purchases, while risks that can’t be mitigated may warrant the purchase of insurance.
9. Monitor: Risk factors evolve and change constantly. Boards should be attuned to subtle changes that may amount to, or develop into, significant shifts in their company’s risk environment.