It’s getting to be that time of the year when many organizations have major board meetings to finalize plans and budgets for the next year. Considering this year’s unprecedented volatility, many Boards will naturally want to discuss risks facing the enterprise.
While the topic of Boards and reporting risks have been peppered in past blog posts, enough people have asked me about it recently that I wanted to expand on it to ensure organizations can provide their respective Boards with risk information that is helpful and valuable.
Although Boards are increasingly required or simply expected to play an active risk oversight role, only around 25% of organizations are formally discussing top risk exposures in context of the strategic plan according to the 2020 State of Risk Oversight Report from NC State University. Too often, organizations will create risk reports for their Boards that simply list risks but have no context or are too high level to add any value to oversight of executive decisions.
Surveys like NC State’s annual report and others show significant room for improvement in the interaction between Boards and executives on the topic of risks.
The most important thing to remember about communicating risks to the Board is that it needs to be a two-way conversation.
Improving the quality of risk information so the Board can better fulfill its oversight responsibilities is a phased process that begins with dialogue. More specifically, management must do two things: 1) understand and improve the Board’s expertise through education and 2) talk with the board about both board and management expectations on how management communicates about risk.
- Understand the Board’s current level of expertise and provide further education
Many (…including myself in a past life) take risk oversight by the Board to mean compliance with rules or oversight of risks with the goal of preventing failure.
As Hans Læssøe and others emphasize though, effective risk management has to be about more than just preventing failure. The sheer amount of change and disruption in today’s world requires companies to take calculated risks in pursuit of objectives. Boards have an important role to play in ensuring executives are taking the right amount of risks and addressing other important risks.
To ensure that you don’t stay focused on the “compliance” aspects, you need to have a solid understanding of the individuals on the board – their professional and educational background, exposure to and experience with risk management and/or oversight, and strategic planning and execution experience. Once you have this information, you can tailor one-on-one or small group conversations to their “expertise” level, which could range from non-existent to moderate to expert.
As part of that further education to the board, let them know how the organization currently uses risk management practices, including how risk is explicitly linked to performance and strategy. (You are doing that, right?!)
Educating Board members to this fact is not one-size-fits-all.
Akin to a see-saw effect, the Board’s risk oversight role is not just about preventing bad things but increasing the likelihood of success through informed risk-taking. They need to:
- Know what the major risks are.
- Ensure the organization has the resources to address risks.
- Ensure the organization is not taking inappropriate risks.
Some members will have a greater understanding of this than others, which is why one-on-one communication is preferable. If you try and speak with the Board as a group, you may seem out of touch to Board members with more experience. For example, some may need a primer on the organization’s risk appetite and tolerances so they can confirm management is taking the right amount of risks in pursuit of objectives.
- Talk about Board members’ and management expectations of risk conversations
Once Board members are educated on what their oversight role entails, the next step is to understand their expectations and preferences on how the organization talks about risk.
Too often, risk managers and executives do not want to overwhelm their Boards with too much detail, so they instead deliver reports that are so high level that they’re useless for understanding the biggest risks to the organization’s success, much less whether executives are taking the right amount risks in pursuit of strategic objectives.
In the interest of providing the information they need in an effective manner, executives should be talking about goals and initiatives they’re working on and any risks around them in a language the Board understands instead of delivering a list of top risks separately.
As Norman Marks explains in his book Risk Management in Plain English: A Guide for Executives: “Discussion of risks should not be separate from discussions of performance – as they are two elements of the same conversation. It is only by discussing risks to each objective that the Board can assess whether the management team is likely to deliver on its targets.”
When discussing initiatives, executives need to explain the downsides, the potential opportunities, and the opportunity costs of their chosen course of action. They need to assure Board members that they are not taking risks willy nilly. Again from Norman Marks:
The Board will not only want to know that management has good processes for taking risks (i.e. making decisions) but is taking appropriate actions on the more significant risks to the organization’s success.
Simply giving the Board a list of risks or a stand-alone presentation, which is what many organizations still do, provides no context on the relation of risks to objectives. If the Board expresses a desire for a list of risks, they need to understand the time it will take to explain the business context for each risk. With executives providing their own reports, the extent of repeating conversations is quite high and wastes everyone’s valuable time.
Again, communicating risks to the Board has to be a two-way conversation – not only do risk professionals need to ensure the Board understands their role, the Board also needs to be up front about what they want to get from executives. And executives need to be transparent about how they went about their decision-making and progress towards the objectives.
Does your Board play an active oversight role regarding strategic decisions? How do they prefer to receive information about risks?
I am interested in hearing your thoughts on this important topic. Please feel free to leave a comment below or join the conversation on LinkedIn.
If you are struggling to communicate risk information so your Board can fulfill its role in ensuring executives are taking the proper level of risk in pursuit of objectives, contact me to discuss your specific situation and needs today!
Featured image courtesy of Toby Christopher via Unsplash.com
