It’s getting to be that time of the year when many organizations have major board meetings to finalize plans and budgets for the next year. Considering this year’s unprecedented volatility, many Boards will naturally want to discuss risks facing the enterprise.
While the topic of Boards and reporting risks has been peppered throughout past blog posts, enough people have asked me about it recently that I wanted to expand on it to ensure organizations can provide their respective Boards with risk information that is helpful and valuable.
Although Boards are increasingly required or simply expected to play an active risk oversight role, only around 25% of organizations are formally discussing top risk exposures in the context of the strategic plan, according to the 2020 State of Risk Oversight Report from NC State University. Too often, organizations will create risk reports for their Boards that simply list risks but have no context or are too high level to add any value to oversight of executive decisions.
Surveys like NC State’s annual report and others show significant room for improvement in the interaction between Boards and executives on the topic of risks.
The most important thing to remember about communicating risks to the Board is that it needs to be a two-way conversation.
Improving the quality of risk information so the Board can better fulfill its oversight responsibilities is a phased process that begins with dialogue. More specifically, management must do two things: 1) understand and improve the Board’s expertise through education and 2) talk with the Board about both Board and management expectations on how management communicates about risk.
- Understand the Board’s current level of expertise and provide further education
Many (…including myself in a past life) take risk oversight by the Board to mean compliance with rules or oversight of risks with the goal of preventing failure.
As Hans Læssøe and others emphasize though, effective risk management has to be about more than just preventing failure. The sheer amount of change and disruption in today’s world requires companies to take calculated risks in pursuit of objectives. Boards have an important role to play in ensuring executives are taking the right amount of risks and addressing other important risks.
To ensure that you don’t stay focused on the “compliance” aspects, you need to have a solid understanding of the individuals on the board – their professional and educational background, exposure to and experience with risk management and/or oversight, and strategic planning and execution experience. Once you have this information, you can tailor one-on-one or small group conversations to their “expertise” level, which could range from non-existent to moderate to expert.
As part of that further education for the Board, let them know how the organization currently uses risk management practices, including how risk is explicitly linked to performance and strategy. (You are doing that, right?!)
Educating Board members to this fact is not one-size-fits-all.
Akin to a see-saw effect, the Board’s risk oversight role is not just about preventing bad things but increasing the likelihood of success through informed risk-taking. They need to:
- Know what the major risks are.
- Ensure the organization has the resources to address risks.
- Ensure the organization is not taking inappropriate risks.
Some members will have a greater understanding of this than others, which is why one-on-one communication is preferable. If you try and speak with the Board as a group, you may seem out of touch to Board members with more experience. For example, some may need a primer on the organization’s risk appetite and tolerances so they can confirm management is taking the right amount of risks in pursuit of objectives.
- Talk about Board members’ and management expectations of risk conversations
Once Board members are educated on what their oversight role entails, the next step is to understand their expectations and preferences on how the organization talks about risk.
Too often, risk managers and executives do not want to overwhelm their Boards with too much detail, so they instead deliver reports that are so high level that they’re useless for understanding the biggest risks to the organization’s success, much less whether executives are taking the right amount of risks in pursuit of strategic objectives.
In the interest of providing the information they need in an effective manner, executives should be talking about goals and initiatives they’re working on and any risks around them in a language the Board understands instead of delivering a list of top risks separately.
As Norman Marks explains in his book Risk Management in Plain English: A Guide for Executives: “Discussion of risks should not be separate from discussions of performance – as they are two elements of the same conversation. It is only by discussing risks to each objective that the Board can assess whether the management team is likely to deliver on its targets.”
When discussing initiatives, executives need to explain the downsides, the potential opportunities, and the opportunity costs of their chosen course of action. They need to assure Board members that they are not taking risks willy nilly. Again from Norman Marks:
“The Board will not only want to know that management has good processes for taking risks (i.e. making decisions) but is taking appropriate actions on the more significant risks to the organization’s success.”
Simply giving the Board a list of risks or a stand-alone presentation, which is what many organizations still do, provides no context on the relation of risks to objectives. If the Board expresses a desire for a list of risks, they need to understand the time it will take to explain the business context for each risk. With executives providing their own reports, the amount of repeated conversation is quite high and wastes everyone’s valuable time.
Again, communicating risks to the Board has to be a two-way conversation – not only do risk professionals need to ensure the Board understands their role, the Board also needs to be up front about what they want to get from executives. And executives need to be transparent about how they went about their decision-making and progress towards the objectives.
Does your Board play an active oversight role regarding strategic decisions? How do they prefer to receive information about risks?
I am interested in hearing your thoughts on this important topic. Please feel free to leave a comment below or join the conversation on LinkedIn.
If you are struggling to communicate risk information so your Board can fulfill its role in ensuring executives are taking the proper level of risk in pursuit of objectives, contact me to discuss your specific situation and needs today!
Featured image courtesy of Toby Christopher via Unsplash.com