After beginning as a requirement for financial firms, active Board oversight of risk management has increasingly become an expectation, even a necessity, for all types of organizations over the last 20 years.
The annual State of Risk Oversight report from North Carolina State University corroborates this. According to their survey, a high number of Boards, 68% of the full sample in fact, are asking executives to increase involvement in risk oversight. NC State’s surveys over the last few years have been consistent in their findings on this topic.
Boards at the forefront of risk oversight take a holistic view that balances short-term priorities with long-term value creation.
But despite this increased interest in risk-related matters, a significant number of Boards are not satisfied with their organization’s risk management processes and strategy. And while this has been confirmed to an extent in years past, one recent survey from E&Y pegs this dissatisfaction at 84%.
Let’s take a moment to let that sink in….
Reasons for this dissatisfaction aren’t entirely clear, but in general, many Boards simply do not know what they need or want from ERM…they just know they’re dissatisfied as Tim Leech explains in a recent LinkedIn post.
Some Boards simply don’t communicate their concerns while others do but don’t see the change they’re looking for. It’s possible that CEOs are defying their Board, but the more likely explanation is executives simply don’t know where to start.
Tim maintains that the single biggest culprit of this disconnect is refusal on the part of many auditors, executives, and risk managers to admit the inadequacy of legacy risk management and audit systems, which is a topic we’ve discussed here in the past.
But in addition to this overarching issue…
If the Board feels like the information it receives is insufficient or wrong, it could trigger them to say their organization does not have good risk management practices.
Communicating risks to the Board has been both a recurring and popular topic on this blog and amongst thought leaders like Tim Leech, who explains in this comment:
I believe that the majority of Boards today are not receiving high quality/relevant information on the true risk/certainty status linked to key objectives. Traditional/legacy risk management and internal audit methods are not equipped to do that.
In my previous article 5 Tips to Making Board Risk Reports Meaningful Tools for Decision-Making, I re-iterate the fact that many companies struggle to provide their Boards with actionable information in an easy-to-digest way. As COSO explains, there’s “…no single correct method for communicating with the Board,” but one of the most important steps executives and risk managers can take is to communicate risk information in a way the Board can understand it.
With that said, if the Board is going to play an active role in the organization’s risk management and strategic decision-making, parameters need to be set to determine what issues are ultimately brought to their attention. Risk managers and executives have the tendency to keep things so high level so as to not overwhelm their Boards with too much detail, but too high-level means you aren’t providing board members with valuable insights and actionable information.
If you find yourself in this situation, 3 factors that need to be present in a risk or opportunity to escalate it to the Board’s attention include:
- The risk or opportunity needs to be cross-departmental. If it’s only an issue within one department, like Marketing or Finance, that specific area should be able to take care of it. However, if the risk is pervasive and widespread, the Board may need to be involved, which requires more background information to make a decision or provide direction.
- Addressing the risk will require significant amounts of time, human, or financial resources to address. Again, if it’s an issue that can be resolved in 5 minutes without any or minimal financial outlay, then it’s safe to say the Board doesn’t need to be aware of it. The Board may need to be involved if the issue will require the company to divert resources from other priorities, especially when it impacts strategic objectives.
- The risk or issue could have significant impacts to the company’s reputation when viewed from the outside.
If at least two of these parameters are present, then it’s probably wise to go ahead and notify the Board of the situation so they can be aware and offer their insights on how best to proceed.
One important thing to keep in mind is the purpose of escalating this risk information to the Board. One way to share this information to the Board would be providing (at a minimum):
- Description of the risk/issue
- Facts currently known about the risk/issue (not assumptions)
- What is not known
- Description of potential or actual impacts to organization
- Potential solutions
Jeff Lovern, Chief Risk Officer of Principal International, says this about escalating risk information to C-suite executives and the Board:
The list of data points is, of course, a general idea that should be customized for your organization’s needs and Board’s background, preferred communication styles, and more.
In the end though, the real purpose of escalating risk issues is to promote further conversation and dialogue, but you must make sure you’re escalating the right issues. Through this process, Boards should be able to provide needed insights to ensuring the company is addressing the right risk issues in pursuit of strategic goals.
And the natural by-product of successful escalation is an improvement in the Board’s perception of the organization’s risk management practices.
Is your Board playing an active oversight role in your company’s management of risks and opportunities?
Do board members feel they have the information they need to adequately discharge these duties?
We welcome your thoughts and insights into how organizations can improve the information they provide to their Boards. Please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
If your organization is trying to improve risk oversight and strategic decision-making by your Board or senior executives and don’t know where to start, click here to schedule a meeting to discuss your specific situation and needs.