Enterprise risk: where does a board’s role end?

Lack of management objectivity makes it incumbent on boards to go beyond their traditional oversight role in several key areas of enterprise risk management. The payoff: reduced exposure and better performance
By John Caldwell

Ordinarily, the delineation and segregation of responsibilities between management and the board is relatively straightforward. While boards ultimately carry the overarching responsibility for the enterprise, management is tasked to manage the affairs of the business. In practice, this generally means that boards provide an oversight role, with responsibilities set out in board and committee mandates.

For example, while the audit committee is responsible for the oversight of the internal control environment and financial reporting in a public company, it generally doesn’t conduct its own detailed review of the internal control systems and processes. Instead, it relies on inquiry of management along with assessments by internal and external audit.

A similar approach applies to the development, implementation and operation of an enterprise-wide risk management system. However, there are three areas of enterprise risk where it is necessary for the board to go beyond its customary oversight role because of management bias or lack of objectivity: first, strategic risk; second, leadership risk; and third, other self-inflicted exposures.

Strategy. Oversight of strategy and related risks is a prime responsibility of the board and centres on its review and approval of a strategic plan that has been developed by the CEO and senior executive team. However, the reality is that those executives will be so committed to their strategy that their assessment of its efficacy and their capability to execute it will be invariably biased. Accordingly, the board must roll up its sleeves in assessing strategic risk, both from a formulation and execution perspective. To assess the former, directors must examine the strategy development process, the reasonability of assumptions, competitive assessments and objectives as well as the efficacy of strategy. Assessing execution risk, meanwhile, looks at the processes to convert strategy into action, the sufficiency and deployment of resources as well as monitoring and reporting systems.

Leadership. An ineffective chief executive officer poses a significant risk to any organization. The incumbent cannot be expected to undertake an unbiased self-assessment. In addition to its customary annual review of the CEO’s performance, the board should also periodically evaluate the CEO’s suitability, competencies, track record, leadership and personal skills, as well as their scalability. The question to be answered is: If the incumbent was not the CEO today, would we hire him or her?

Self-inflicted risks. Management bias inherently exists in assessing or identifying certain types of exposures that fall into the category of self-inflicted risks. Read any public company’s disclosure materials and you will find no shortage of identified external exposures but seldom will you find extensive risks that are under the direct purview of management. Yet such risks are pervasive and, in many cases, pose a greater threat than those not under management’s control.

In its oversight role, it is important for the board to set parameters to determine which risks require its attention and those that can be properly assigned to management. One common approach is for boards to rigorously oversee and monitor all risks that could threaten the viability of the enterprise, materially destroy asset or shareholder value, or adversely affect long-term performance. For exposures below these tests, the board’s obligation is to satisfy itself that the executive-led risk management system is operating effectively.

Another common practice is to determine residual risk by rank-ordering exposures by severity and then assessing their probability of occurrence. For example, natural disasters often fall into a high-impact category. However, after applying a probability assessment, the resultant residual risk may fall below the board’s parameters. That being said, since it is difficult to determine the exact likelihood of occurrence, in my view, the board should actively review all high-severity risks regardless of probabilities.

A robust enterprise risk management system combined with rigorous board oversight not only can reduce exposures but should also result in improved overall performance.

John Caldwell is a veteran CEO and board member experienced in distressed situations and is the author of CPA Canada’s A Framework for Board Oversight of Enterprise Risk. E-mail: johncaldwell@rogers.com.
