While executive pay probably still commands the most public attention among hot-button governance issues, for the majority of directors and executives, risk is now its equal among top priorities. What’s more, identifying, tracking and mitigating risk will likely be the major focus for boards over the next decade and beyond.
Without question, as a group, the leaders in the field when it comes to tackling risk are Canada’s banks and insurers, who operate under detailed guidelines from the Office of the Superintendent of Financial Institutions. That body keeps a tight rein on risk, requiring issuers to outline their risk appetite frameworks and to outfit themselves with a chief risk officer and audit committee to oversee risk management.
“Financial institutions probably spend the most money, have the most people and sophistication in this area,” says Robert McFarlane, a corporate director on the audit and risk committees of HSBC Canada, insurer RSA Canada and InnVest REIT (TSX:INN.UN).
The Vancouver-based executive is something of a risk management pioneer. In the mid-1990s, he joined Clearnet Communications Inc. as its chief financial officer and soon thereafter created a risk management function. “There wasn’t one, because it was virtu- ally a startup,” he says. When Clearnet was acquired by Telus Corp. (TSX:T) in 2000, McFarlane became CFO of the Vancouver-based communications giant and similarly oversaw the creation of a risk function, including internal audit, employee ethics and insurance, while business continuity operations would report to him via a vice-president of risk. That top risk officer was also the telecom company’s chief auditor, “and as such he had a solid line reporting relationship to the audit committee.”
The Telus structure, in which management’s risk function has a clear and unfettered line of communication to the board, is a critical component of a successful enterprise risk management (ERM) structure. Yet while McFarlane established it some time ago at Telus, it’s still far from universally deployed at other Canadian listed companies. It’s not that most boards don’t have oversight responsibility for risk, but for many the risk reporting comes up to them via the CFO or CEO. And according to the experts, if you want state-of-the-art, bulletproof risk management and oversight, that’s not how it should be done.
“[Senior risk officers] should not report through management, they should report around management directly into the boardroom,” says Richard Leblanc, a professor of law, governance and ethics at York University in Toronto who also teaches a governance course at Harvard. “What this means is the CEO or CFO has administrative oversight over risk, compliance and audit, but not functional.” Leblanc offers the parallel example of how, since the advent of Sarbanes-Oxley regulations in the U.S., audit committees rather than than management now hire, fire and pay the external auditor. So it should be with risk.
Mind you, even aspects of the Telus structure described above are open to improvement, says Leblanc, in so far as the risk officer should not also be the head of internal audit. “Internal audit tests the design and implementation of the internal controls and the risk person, that’s that person’s job. So they have to be independent of each other and they have to report around senior management.”
If you’re not there yet, however, take heart. “Companies are just at the beginning of digesting this,” says Leblanc.
INDEED, WHEN IT comes to digesting risk and risk issues, management and directors can be forgiven if the world seems an intimidating, even scary place. The Internet has bred social media threats from within and without, there is the threat of cyberattacks, rising environmental and social activism and regulatory frameworks that can change with little warning.
“I think we are more aware of [risks], but where were the boards on Kodak, or Blockbuster, Massey Ferguson, that saw their companies dwindle and die?” says John Fraser, former chief risk officer of Hydro One Networks Inc. and currently an instructor in risk oversight at York and the Directors College at the DeGroote School of Business at McMaster University.
Process and structure aside, Fraser, whose background also includes ERM experience at Sun Life Assurance, Wood Gundy Inc. and Newcourt Credit Group Inc., believes a good start would be to have directors become more questioning of management. Canadian boards compare unfavourably to U.S. boards in this regard, he says, because the latter often feature retired military officers or politicians who have the skills to “peel the onion,” in his words. “They will really probe until they hit solid ground and I don’t see that in Canada.”
Fraser does not think that risk can be regulated away. In a soon-to-be-published chapter for a text book on governance, he writes that: “In heavily regulated industries, particularly the financial industry, compliance with regulations can become a prime objective, resulting in form filling, rather than a real focus on risk management. Boards may incorrectly assume that these compliance activities, which of course must be done as a priority, constitute real risk management and thereby look no further.”
Companies seeking to improve a less-than-robust enterprise risk management process are further handicapped because the ranks of potential director candidates who have ERM are still tiny. “In risk we are sounding the call for experienced people and yet we don’t have a plethora of educated people to supply the demand,” says Stephen Mallory, president of Directors Global Insurance Brokers Ltd. of Toronto and an adviser to boards on establishing risk management processes. That rare individual who can lead a risk or audit committee needs to have experience in implementation of an ERM and, having worked with a risk management standard such as ISO 31000 or COSO ERM framework, knowledge of how to protect directors (including advising on director conduct, creation of personal indemnity agreements and an understanding of directors insurance). Finally, the third area of expertise a chief risk director should have is commercial insurance.
For Mallory, who is also a director and chair of the governance, risk and strategy committee at VIA Rail Canada, protecting the corporation from catastrophic financial losses, legal liabilities or lost revenue is not an academic exercise. The now-defunct rail company behind the Lac Mégantic disaster carried just $25 million in liability insurance, a paltry sum to cover estimated damages of $400 million suffered by the Quebec town and its citizens, meaning that directors failed in their duty to maintain proper levels of insurance.
Several years ago, Mallory oversaw the revamping of VIA’s risk management process that included the appointment of a first-ever chief risk officer and the establishment of direct, unfettered lines of reporting to the board. “It is great to have all sorts of managers running around doing the steps that maybe a consultant suggests be done, but if there is no board engagement, which is your holy grail, then it is all for naught.”
Directors can be overwhelmed by the “huge volume of pages that consulting firms are able to deliver on risk management that nobody understands,” necessitating having one director dedicated to overseeing risk with direct lines of reporting to risk managers “to make it understandable and exercisable by board people.”
SO WHAT STEPS do companies need to follow to create an effective enterprise risk management system? Because few boards boast an in-house ERM veteran, bringing in outside advisory firms from the accounting or consultancy fields typically kicks off the process. Experts in the area generally identify a five-step system: identification, assessment, treatment of the risk, monitoring of the treatment, and reporting to the board. The rest of this article walks through each, with extended emphasis on reporting to the board.
Identification: Before directors and executives sit down to create an ERM structure, they need to determine what they need to protect against, which can run the gamut from bankruptcy, to the loss of a key supplier, to the company’s reputation. Large or small, every corporation needs to first identify, then manage their unique set of risks so that they do not impact stakeholders. The length of the list may vary, but experts such as Leblanc suggest no more than 10.
Risks can affect the short, medium and long term and may be related to operations, tactics and strategy, respectively, notes the UK’s Institute of Risk Management. Strategy sets out the long-term aims of the company, and the strategic planning horizon will run for three, five or more years. Tactics define how a company intends to achieve change and tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations, and operational risks, are the routine activities of the company.
In the case of VIA Rail, a Crown corporation which, as part of its risk management revamp decided to move risk monitoring out of the board’s audit committee and into its own dedicated risk committee, the list of potential risks was extensive. “At that time we had about 80, 85 risks,” says Denis Lavoie, VIA’s director of risk, insurance and claims. VIA, whose ultimate risk is passenger safety but faces everything from terrorism to reputational threats, eventually boiled its risk list down to just seven risks and associated sub-risks that comprise its current ERM program. Those risks include safety, revenue, IT and cybersecurity, equipment and infrastructure.
Assessment: Once directors and management have settled upon just what risks to the company need to be regularly monitored, some boundaries or limits need to be placed on risk taking, often termed the risk appetite. Or, as PwC defines it: “the amount of risk an organization is willing to accept in pursuit of strategic objectives.” In the case of VIA, the board approved a formal set of risk appetites for its identified risks. To establish its appetite for acceptable risk in safety, for example, it examined its own safety and operations data for the past 15 years as well as that of international passenger rail companies to “look exactly at the risk profile in terms of derailment, collision. So the risk appetite that we have I think is pretty solid,” says Lavoie.
Treatment of the risk: While the board of directors has ultimate responsibility for oversight of risks, daily, weekly and monthly treatment of risk falls upon companies’ staff. In the case of Saskatoon-based uranium miner Cameco Corp. (TSX:CCO), the key risks it monitors fall under the categories of regulatory, environmental and operational hazards and many employees are part of the ERM function. “We want to make sure that risk is embedded within the organization in a more substantive way,” says Nancy Hopkins, an independent director who chairs Cameco’s nominating, governance and risk committee. “It is not just this little silo sitting there off to the side. It needs to be integrated with strategy and it needs to be thought about throughout the organization. The same group that also works on strategic planning handles the miner’s risk-process management. “Because risk and strategy absolutely impact on each other and should.”
Monitoring of the treatment and reporting to the board: John Caldwell, Listed’s Risk columnist and an experienced CEO and director, authored A Framework for Board Oversight of Enterprise Risk in conjunction with CPA Canada several years ago. In that, he states that directors and management need a process to monitor risks “continuously.” He also advocates creating an “early warning system” that would measure critical risks such as “key performance or other leading indicators (including operational and financial metrics), regular customer satisfaction assessment, including new customer win/loss analysis, competitor benchmarking and industry analyst reports, updated financial stress testing, current executive succession planning.”
At Cameco, the ERM process has created a “heat map” of risks that have both high likelihood and high impact in the red section of the heat map with cooler colours for less likely or dangerous risks. “The major risks, the ones that get over the Cameco-defined threshold for higher level oversight, actually then end up being allocated among committees of the board depending on the risk,” explains Hopkins. Spreading out responsibility for oversight of risks among a number of board committees makes sense for companies that face a wide variety of risks and have a large enough board to allow the creation of a number of committees. At Cameco, risk oversight can be spread to the five standing committees, which include safety, health and environment, risk and governance, and audit.
Cameco’s standing committees receive regular risk reports and a smaller, select number of those are shared with the entire board. “To have a risk come forward to the board indicates that this is a risk that one of these groups, the committee or the chair, believes that the entire board should be aware of,” says Hopkins. “I would expect that the board would receive in-depth reporting on maybe two or three enterprise risks a year,” along with regular risk reporting via such channels as the CEO’s report to the board.
Those regular committee risk reports would not include a crisis at the mining company. Instead, such an event could involve Cameco’s business continuity plan, which is also part of the risk management process. That business continuity plan includes strategies to deal with major disruptions such as natural disasters, terrorist attacks and pandemics.
Measuring success when it comes to ERM is tricky. A lack of bad things happening is clearly a measure, but not one to necessarily rely on, says Hopkins. “We measure success by what we believe is the robustness of the process. We think that we have got a good process. When we talk to people in the organization we get the impression that they are on the same page looking at risk.”
One side benefit of having independent directors fully engaged in the enterprise risk management process is that it affords them with an unfiltered view into the company that they would otherwise not have. “We get the risk owners directly [reporting] to the committees or the board….and you get a chance to see the rising stars of the organization at the committee level,” says Hopkins, who also chairs the governance committee at the Canada Pension Plan Investment Board.
It’s an observation shared by McFarlane, the former Telus CFO. “I just think it is a very healthy dynamic for a board to receive an unfiltered assessment of what different levels of the organization perceive as higher risk.” He notes that officers higher up in the company typically identify and worry about strategic risks while those lower in the organization focus much more on operational risks. “So it is a great check and balance in the system. And if you think about it, if management knows that is going on, it takes away the whole [reason] to camouflage it. So it breeds a better culture of reporting and relationship with the board.”
McFarlane joined the board of InnVest Real Estate Investment Trust last year as chairman of the audit committee and one of his first acts was to rename it the audit and risk committee and create responsibility for risk management oversight. “There wasn’t a great process. Management hired a big four firm at the encouragement of the board to consult to them on establishing a risk management process and then making it more of a recurring process.” At InnVest, the responsibility for managing risk falls on the CFO who reports to the audit and risk committee—technically a no-no by the best practices playbook, but Innvest’s small management group makes having a standalone risk officer impractical, says McFarlane.
IN A CURIOUS twist, while implementing a risk management process fortifies a company’s overall protection against damaging risks, it doesn’t necessarily ease directors’ worries. At least that’s the conclusion of a recent survey of 63 Canadian directors by Christopher Bart, founder of the Directors College. Bart found that while those who followed the framework of a recommended risk management process scored higher on “best-practice risk oversight questions” which measured their due diligence vis à vis risk compared to those who did not follow a risk framework, the directors who did not follow a risk oversight framework actually had greater peace of mind. By a margin of two to one, the latter were more likely to say they felt they and their firms were operating with an appropriate amount of risk.
Ignorance may not make for good governance, but it’s still bliss.
Photography: Jimmy Jeong; David Stobbe