Public company boards have taken a bigger interest in risk governance as they try to get their businesses back to somewhat normal levels following the financial crisis. This focus on risk led the National Association of Corporate Directors (NACD) last fall to issue a Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward.
That October 2009 report lists 10 principles of effective risk oversight, which the risk and business consultant Protiviti recently analyzed in its Board Perspectives: Risk Oversight, published this spring. The top three principles are:
- Understand the company’s key drivers of success.
- Assess the risk in the company’s strategy.
- Define the role of the full board and its standing committees with regard to risk oversight.
Some of the key messages in the NACD risk report are that risk management and oversight is a team sport, the board needs to set risk tolerance and it must control information flow. In addition to the report, NACD President and CEO Ken Daly told me about five red flags that can tip off board members and executives to potential problems. They are:
- Unusual financial results: Sudden downturn or vast improvement in the financial performance
- Management is unable to explain any discrepancies found during financial stress tests
- Rationalization: Disparity from the business model and a disconnect between company strategy and risk
- Question of board member independence
- Company’s results are noticeably different from others in the industry (e.g., WorldCom, Enron).
The Conference Board Governance Center is due to come out later this year with its annual Risk Oversight Handbook: Legal Standards and Board Practices. That handbook will include a comprehensive discussion of legal and self-regulatory developments as well as emerging board practices in this crucial area of corporate governance.
Recently, I spent some time chatting with Daly, who was also the former executive director of KPMG’s Audit Committee Institute, regarding these red flags and risk governance. That interview follows:
Earlier this year, the NACD recommended five key issues boards should make a priority. Undoubtedly, executive pay and risk governance were among them. How can a board get a handle on these two issues?
Let’s start with executive pay. The issue is very complex. Ken Feinberg [the U.S. Treasury’s pay master under the Troubled Asset Relief Program] said there is an unbridgeable gulf between Wall Street and Main Street. Directors can recognize this gulf, and be as transparent and descriptive as possible regarding their pay system.
How can boards make that happen?
It’s a matter of performance metrics. We [the NACD] are issuing a Blue Ribbon Commission on that in October at our annual conference. Many directors believe there is a lack of performance metrics around executive pay.
Tell me about this Blue Ribbon Commission.
We are addressing the conceptual framework to be considered by boards when evaluating performance. We expect to include examples and some leading practices.
What about risk governance?
We also issued a Blue Ribbon Commission on that last October. The topic is important because of the confusion surrounding it. Who is responsible? Risk oversight is a team sport. It’s not about the audit committee doing it or the risk committee doing it. Our recommendation is that somebody needs to be air traffic controller. Audit committees can function as that. But everybody’s got to be involved.
There’s a lot of knowledge that needs to be in place. The board needs to think about risk appetite. These are quality issues that are not so much quantifiable. The board has to be cognizant of risk tolerance – how much risk the company can take.
How is this done?
It’s a very disciplined approach, where the board is asking the right questions. There has to be efficient skeptical criticism. You need people with the chutzpah to stand up and ask the right questions.
Which elements of risk should a board and management be concerned about the most?
There’s something we call asymmetrical information risk [a condition where information is coming from one source]. Most of the information a board gets is from management. However, there are times when information is excessive. Too many times, management says it’s our desire to give the board everything. When it comes to getting the information a board needs to understand an issue, it’s like asking someone to try and find a raisin in a bowl of oatmeal. Either you [the board] have management do it or you do it yourself.
There’s also the information architecture [how information is structured so it can be properly utilized] of a company. Companies need to think about the information they give to the boards. Information needs attention. It is about more than just getting the ‘right stuff’ to be in compliance.
Recently, the NACD listed five red flags that can tip off boards and executives to potential problems. Can you elaborate on those?
In all these problems, there is a pattern. Many times we aren’t smart enough or don’t have enough time to see the aberration. It’s something that requires real answers. What’s causing the observed matter?
In the recent financial crisis, there was a lot of [risk] modeling, and they were signaling that something was really wrong. If you look at the subprime [loan] issue, it was [full] of them. Many of the risk models were built for a time when banks underwrote, serviced and owned the loan. Now, they break it up into three pieces.
But with all that change, the risk oversight model didn’t change. Whether it’s a loan, investment or financial results, it has to pass the smell test. Here’s one example during the financial crisis. I asked people in board rooms how they thought a piece of paper worth 17 percent interest is AAA rated.
Are the red flags a sign of fraud, lack of competence or both? Please explain.
It’s a sign that there has been a significant change in the risk profile of the business. It could be a sign of something nefarious going on or a sign that we’re taking on a lot more risk than before. The primary job of the board is oversight of management risk – whether management can’t or won’t manage risks. In the end, you need a lot of dialogue between the board and management.
Photo caption: Ken Daly, President and CEO of NACD