All of us, regardless of title or status, are subject to expectations, whether they are born of legal precedent or just plain social norms.
Take driving, for example.
Besides observing the laws of the road, there is a societal expectation that you as a driver are considerate of the safety of those around you.
In the case of company boards, there have been growing expectations around how they provide adequate risk oversight. Those expectations have multiple drivers, including the ever-increasing uncertainty around business, credit ratings, court rulings, and SEC disclosures for publicly traded companies.
As a forensic and litigation accountant by training, Tim Leech has a unique perspective on how board expectations connect to enterprise risk management (ERM).
He frequently talks about ‘duty of care’ in both his LinkedIn posts and in an upcoming book we are eager to see in print.
Before we get into the “how” of ERM supporting the Board in fulfilling their oversight expectations, let me talk about some court rulings Tim explains as the legal basis for more robust risk oversight by boards.
At a high level, it is no longer sufficient for boards to receive a list of top risks and/or oversee how controls are being handled from a distance.
This may have been sufficient when standards for risk oversight were first being established under what is known as the Caremark standard, a court ruling handed down in 1996.
Under that standard, board members could only be held liable if they failed to establish any reporting system at all or if they deliberately ignored ‘red flags.’
But after two decades of various scandals, corporate malfeasance, and the 08/09 financial crisis, to name a few, courts began to wonder if companies were really staying on top of their most dangerous vulnerabilities.
The Marchand v. Barnhill ruling in 2019 is considered to be the catalyst, from a legal perspective anyway, for greater expectations of Board risk oversight. The specific case was prompted by a fatal listeria outbreak at Blue Bell Creameries where the court ruled that food safety was a ‘mission-critical compliance risk’ to the company.
Additional cases involving McDonald’s, Boeing, and Wells Fargo (to name a few) have led to the expectation that the board’s failure to understand the status of mission-critical objectives, whether positive or negative, is a failure of good faith oversight.
Tim illustrates this shift when he explains:
The modern interpretation of fiduciary duty has quietly shifted from oversight of risk controls to oversight of the conditions that determine whether the organization will survive, comply, and perform. (emphasis added)
And on a slightly chilling note, Tim ends this thought by stating bluntly:
Most boards are not prepared for this shift.
This does NOT mean boards have to guarantee a specific outcome to stakeholders. Board members are protected through what is called the “business judgment rule.” If decisions are informed, made in good faith, and systems and processes for detecting and responding to threats to mission-critical objectives are in place, the board members are not liable.
But when there is no structured oversight of mission-critical objectives, clear red flags are being ignored, and there is no follow-up or discussion, directors can be held liable.
Which brings us to the heart of today’s topic, and that is…
How does ERM help boards be confident that they are fulfilling their oversight responsibilities?
There are two avenues to consider when answering this question:
- Full board oversight
- Board committee established to oversee risk (typically Audit Committee or Risk Committee)
Full Board Oversight
For the full board, ERM should exclusively play a behind-the-scenes role.
Remember, ERM does not own risks – risk ownership is the responsibility of management and the business. This role should be clear to those companies practicing objective-centric ERM. If the goal is managing risk around business and strategic objectives, then talking about risk with the board needs to be the responsibility of business leaders, who should integrate risk into their conversations and presentations about goals, outcomes, initiatives, and projects.
After all, business leaders are the people who are going to know the most about risk(s) to their objectives.
What should that conversation/presentation to the board look like?
As with any conversation, the business leader should discuss what they are trying to achieve, the potential opportunities, and the potential obstacles to achieving these goals. They should cover those potential obstacles (also known as risks) that are outside acceptable bounds, what is currently being done to address them, and how they are being monitored. This discussion should also include any risks that the business cannot address on its own.
Again, ERM should play a supporting role in this situation by helping the business create reports, slides or talking points, providing data and insights on risk tolerance and so on. ERM should not – I repeat, should NOT – be appearing before the board in this situation.
Board Committee Delegated Authority to Oversee Risk
The other area where ERM can help the board fulfill its oversight expectations is a board committee with delegated authority to oversee risk.
Unlike the full board, ERM will interact with this committee directly with some support from the business in certain circumstances.
The first component is discussing the activities of the risk function, which include:
- Activity report: what activities have been completed, are under way now, and are planned next
- How you are engaging with the business
- Potential changes to practices, and why
- And more
The second component of working with the board committee is providing statistics on actual risks, which can include:
- Risks that have been identified (total and broken down by objective statements)
- Number of risks being monitored
- Number of risks with action plans
- The status of these action plans (on time, delayed, etc.)
- Risks that are within acceptable ranges and ones that are outside.
- Among other statistics and trends
If needed, deeper dives can be provided on a specific objective and a key risk. It is at this point where ERM should involve the business or risk owners.
To be clear, this is not a risk register, but rather statistics and high-level trends. Further digging is done as needed.
This type of reporting and communication keeps the board committee informed of what the risk function is doing within the company and how the trends associated with strategic and business objectives look for the company as a whole.
Again, it’s clear just from casual observation of the world around us that boards have to step up to the plate to ensure their companies are doing everything they can to achieve objectives in an ethical way. ERM is there to support this oversight, and in so doing, will deliver value to the company beyond compiling lists and reports.
How robust is board oversight at your company and how does ERM help?
Please join the conversation on LinkedIn to share your thoughts on this important topic.