How should a board of directors be spending its time and energy? When I serve on boards, I make sure there is plenty of room on our agendas to regularly spend time on four key topics: finance, people, strategy, and risk. I refer to these collectively as The Savvy Director’s Focus.
Board directors don’t need to be experts in these areas, but we should all have at least a basic understanding of them. And so, today’s blog focuses on what a board director needs to know about risk.
For many of us, risk is top of mind these days as our organizations struggle with the impact of COVID-19. But the board's risk oversight role is not a one-time event. Thinking about risk management as a matter of course, in quieter times, gives an organization a leg up when it comes to responding to an unanticipated event like a pandemic.
Risk is defined as the potential for uncontrolled loss of something of value. For an organization, a risk is something that could prevent it from achieving its goals. Taking an action in the face of uncertainty brings with it the potential for negative outcomes. But keep in mind that same action has the potential to bring rewards and opportunities. That is the upside of taking risks.
Every organization is exposed to and takes risks daily. It’s important to manage the balance of risk and reward. To do so requires identifying and minimizing the consequences of a negative occurrence to the extent possible. That is referred to as the risk management system.
Risk management is how an organization identifies, assesses and mitigates its risks. The sophistication of an organization’s risk management system depends to a certain extent on its size, complexity and resources, as well as on the industry it operates in.
The board of directors is not involved in day-to-day risk management. Instead, the board has a risk oversight role. In fulfilling that role, board directors should be able to satisfy themselves that effective risk management processes are in place and functioning effectively.
The risk management system allows management to bring to the board’s attention the company’s material risks and to assist the board to understand and evaluate how these risks interrelate, how they may affect the organization, and how they are being managed.
The board’s role in risk oversight is similar in some ways to the role of the audit committee. The audit committee does not prepare financial statements, draft disclosures, or maintain the system of internal controls. Rather, the audit committee bears responsibility for overseeing the financial reporting and related internal control processes.
- John E. Caldwell, CPA, CA. A Framework for Board Oversight of Enterprise Risk
The board needs to keep risk in mind at an enterprise-wide level, but also at a project level. When assessing and making decisions about a proposed course of action, a board director’s 'risk antenna' should be on high alert. The board director needs to look beyond the risks that management has identified and consider what additional unexpected risks might be out there.
This is an area where each board member’s unique background and experience becomes invaluable and where diversity of viewpoints pays off. Let’s face it, my view of risk is not the same as yours or anyone else’s. A robust discussion of risk strengthens the decision-making process and ensures that the board and management are forging ahead with a common view of the risk environment. Check out our blog post 'Where you stand depends on where you sit' for an in-depth exploration of this topic as it relates to COVID-19.
Categorizing risk into different “buckets” can really help when it comes to identifying risks that are less obvious. It is useful to consider risk in the following categories:
A typical risk assessment involves trying to pinpoint the probability, or likelihood, that a risk will occur, and the severity or impact that will result if it does occur. There are sophisticated ways of performing a risk assessment, but it almost always involves a high degree of personal judgement.
For instance, how would you assess the risk of a pandemic? If you were asked that question six months ago, your response would have been different than it would be today. And if you were affected by the 2003 SARS epidemic, your response would have been different from that of someone who was not.
Management usually possesses the expertise and intimate knowledge of the facts that allows them to properly assess the organization’s risk. Here, the board can play its oversight role by probing to ensure management’s opinions are objective and that their view is not distorted by rose-colored glasses. So, if the CFO says, “There’s nothing to worry about,” that’s an occasion for the board to trust but verify on the topic of risk.
An organization can deal with its risk in one of four ways:
This set of choices represents an additional lens through which the board can oversee risk.
When it comes to risk oversight, the individual director can best contribute by remaining objective and maintaining a healthy scepticism. This is one area where The Savvy Director™ Key Behavior Asking Great Questions comes into its own. To get you started, download our free PDF Ten Great Questions about Risk.
Scott Baldwin is a certified corporate director (ICD.D) and co-founder of DirectorPrep.com – an online hub with hundreds of guideline questions and resources to help prepare for your next board meeting.
Share Your Insight: How can you help your board improve its risk oversight?