A majority of articles here on the blog focus on the process of ERM for anyone involved in their organization’s strategy-setting and day-to-day operations.
While learning about processes like risk identification, assessment, and reporting is important, there are other risk-related activities in the organization that are equally important, namely the oversight of risk by the organization’s Board of Directors.
Risk oversight has become increasingly important following passage of the Sarbanes-Oxley Act in 2002 and, more significantly, the 08/09 financial crisis. Examples include:
- Corporate governance rules at the New York Stock Exchange require, at minimum, that risk oversight be a part of the board audit committee.
- Legislation passed after the 08/09 financial crisis (commonly known as Dodd-Frank) requires large financial institutions to have a formal board-level risk committee. According to the 2019 State of Risk Oversight report from NC State, 76% of financial services organizations have a formal board-level risk committee. Check out this example of a risk oversight committee charter for E*Trade.
- An organization’s risk control process is one of four major risk-related criteria Standard & Poor’s evaluates before assigning a credit rating.
Although rules like these and others only mention publicly-traded or financial companies, the expectation for the Board to take an active role in risk oversight is filtering down to all types of organizations, even non-profits.
Two scenarios that illustrate the importance of risk oversight by the board
I think the best way to demonstrate the importance of good risk oversight is with a couple of examples.
First, the good – Morgan Stanley
Former Managing Director Garth Peterson pleaded guilty in 2012 to evading internal accounting controls Morgan Stanley was required to maintain as part of the Foreign Corrupt Practices Act (FCPA). More specifically, Peterson encouraged Morgan Stanley to sell its interest in a Shanghai building to a Chinese state-owned entity. He falsely claimed that the shell company purchasing the real estate was controlled by a state-owned enterprise (Yongye) when in fact the firm was controlled by him, a Chinese public official, and a Canadian attorney.
Morgan Stanley sold its interest to the shell company at a discount, and as a result, Peterson and his fellow conspirers realized a $2.5 million profit, at least on paper.
Former Assistant Director for the FBI’s New York Field Office, Janice Fedarcyk, explains:
“The defendant engaged in a pattern of self-dealing and deception that perpetuated his unjust enrichment. He not only circumvented his employer’s internal controls; he violated the law.”
Although Peterson was sentenced to 9 months in prison for his involvement in the conspiracy, no charges were brought against Morgan Stanley due to their robust internal controls, training and risk oversight.
Employees were constantly trained on these internal controls and relevant corruption laws. Peterson himself received training on 7 separate occasions and was reminded of his obligations to comply with the FCPA at least 35 times according to Morgan Stanley.
Following Peterson’s sentencing, Morgan Stanley spokesman Matt Burkhard said:
“Mr. Peterson’s intentional circumvention of Morgan Stanley’s internal controls was a deliberate and egregious violation of our values and policies.”
Now, the bad – Wendy’s
Many locations of the iconic fast food chain are actually operated by franchises throughout the U.S. Starting in late 2015, over 1000 locations were affected by a credit card breach of a third-party payment services provider.
Wendy’s initially claimed the breach only affected 5% of its locations but later revealed the scope of the breach was much larger. The company placed blame for the breach on malware that was installed through compromised credentials from the vendor.
Outsourcing the management and upkeep of payment systems to third-party providers is pretty common.
However, due to lax risk oversight on its third-party vendors, Wendy’s became the subject of two class-action lawsuits, one from individual customers affected by the breach and the other from financial institutions. Wendy’s settled both lawsuits in mid-2018 and early 2019 respectively for significant sums.
One credit union involved in the lawsuit explained that had Wendy’s exercised better oversight, the breach could have been prevented or at least its effects could have been reduced. The CEO of the National Association of Federal Credit Unions explained that member institutions suffered far more losses than from the breaches affecting Target and Home Depot.
The impact of this breach on Wendy’s will be felt far beyond the money the company agreed to pay out in its settlements. Although no criminal charges were brought forward, the company will have to overcome damage to its reputation.
And while the breach technically originated from a third-party provider, this story brings to mind an important axiom that I’m always reminding my team and clients about, and that is:
Both of these situations show the necessity of good risk oversight by the Board. Things can happen regardless of how many controls are put in place. However, as we saw in the Morgan Stanley example, having good oversight can shield the organization from any criminal charges, lawsuits, or reputation impacts.
How Boards can ensure they fulfill their risk oversight responsibilities
Although regulations and other professional standards are placing more risk oversight requirements on Boards, it is becoming an expectation across-the-board (…no pun intended). Boards can no longer say they were not aware, as the two scenarios above show. Why? Because if they say that, then they will be asked, “Why didn’t you know?! It is your responsibility as a board member to know.”
The following are a few points for ensuring robust risk oversight by the Board:
- Boards should include individuals with diverse backgrounds, skills, and ideas.
- Board members should be candid and transparent in expressing their opinions and ideas. They should challenge management’s assumptions to ensure any blind spots don’t get missed. Some questions the board could ask include:
  - How do we know we are identifying the right risks?
  - When something changes, how are we incorporating risk into our reactions to those changes?
  - What are different scenarios that exist? Which is more likely to happen versus which one is more acceptable?
- Ideally, a separate Board-level risk committee should be established that works closely with the audit committee.
- On an enterprise level, the Board needs to foster a risk culture that encourages communication. Executives and even mid-managers and employees need to feel like they can bring their concerns forward without fear of rejection or censure.
- Work closely with management to determine not just the type of risk information required, but the best format as well.
- Avoid the tendency to go from a risk oversight role to a risk management role. Executives and business units are ultimately responsible for managing the risks.
As the Morgan Stanley and Wendy’s scenarios show, you can’t put a price on good risk oversight by the Board.
Also, you may have noticed how this article only begins the topic of risk oversight. Additional considerations for board oversight of strategic risks and opportunities will be discussed in a future article.
How engaged is your company’s board in risk oversight?
I’m interested to hear your perspective on this important topic. Feel free to leave a comment below or join the conversation on LinkedIn.
And if you are struggling to help your Board develop the best process for fulfilling its risk oversight responsibilities, please don’t hesitate to contact me to discuss your specific situation.