What keeps you up at night? If you’re a corporate director, the answer to that question could be related to the risks your company faces: the risks you’re aware of, those buried deep in a board book that haven’t emerged as major threats, or the risks that the board is totally unaware of.
Getting the right risk information at the right time is important, but only 29 percent of respondents to the 2017–2018 NACD Public Company Governance Survey indicated that their boards reviewed the effectiveness of their company’s risk information flow. How this information makes its way to the board is only part of the risk oversight picture, however. (Learn more about the role of general counsel in risk oversight and board oversight of a company’s risk culture.)
Just as important as the flow of risk information is the generation of insights relating to that information. To address this issue, the NACD, PwC, and global law firm Sidley Austin cohosted a meeting of the NACD Advisory Council on Risk Oversight—comprising Fortune 500 company risk or audit committee chairs—on April 25, 2018, in Washington, D.C. The meeting was held using a modified version of the Chatham House Rule, under which participants’ quotes (italicized below) are not attributed to those individuals or their organizations, with the exception of cohosts. A list of attendees’ names is available online.
Several key takeaways emerged from the meeting:
- Directors should demand open, frequent communications—not surprises.
- Management should be specific about risks; tailoring risk reporting to the business can uncover important insights, especially when opinions differ.
- Tone at the top matters when it comes to board-management interaction around risk oversight.
- Boards should consider how their companies can take advantage of technology to gain more insight from risk information.
Directors should demand open, frequent communications—not surprises.
“You never want to be surprised,” one director said. “I ask management, ‘what are the issues you’re worried about, and what do we need to do about it?’ Constant communication is critical.”
In fact, when public company directors responding to NACD’s Public Company Governance Survey were asked which risk oversight practices their boards had performed during the previous 12 months, 79 percent cited communicating with management about the types of risk information the board requires.
Participants at the council meeting observed that although it is important for the board and management to establish protocols about what information is escalated to the board and when, directors must emphasize that judgment is often more important than process.
“Risks always exist, but they can develop quickly, and not necessarily according to the board’s meeting schedule,” one director said. “I find comfort when management makes decisions about escalation that err on the side of earlier communication when things are in a gray zone.” Another director said, “We’ve experienced one or two issues that should have been brought to the board’s attention earlier. That’s caused us to revisit our escalation processes. These days, reputation and brand concerns might outweigh financial materiality thresholds.”
Practices shared by council members include:
- Off-cycle calls with management. “On one of my boards, the CEO has an [hour-long] optional call every two weeks with the board. It’s an update to let us know what’s going on with the company in general, and an opportunity for the CEO to share emerging issues,” one council delegate said. “Usually about half of the independent directors participate on any given call.…I find it quite effective.” At another director’s company, “the CFO and chief audit executive do a call every few weeks with the audit committee. Sometimes it only lasts 15 minutes, but it keeps us current on what’s happening in our highly regulated industry.”
- Regular, deep-dive reviews with business leaders. “Each business owner reports to the [board’s] risk committee about their business. They [periodically report on] what’s changed and what keeps them up at night. The end result is that we, as a board, have a better understanding of their business. We can actually contribute more effectively in discussions about what is being done to mitigate those risks.”
Management should be specific about risks; tailoring risk reporting to the business can uncover important insights, especially when opinions differ.
Delegates agreed that directors should challenge management to ensure that the risk information reported to the board is specific.
“If the risks aren’t very specific and are things that would apply to any company, I don’t think that’s very effective,” one director said. “We have to set expectations that the board doesn’t want to see boilerplate risk lists; we want insights about risks in the context of our business and our company’s circumstances.”
Challenging the management team to get specific about risks can expose differences in perception that generate valuable information. Paula Loop, leader of PwC’s Governance Insights Center, shared a helpful practice for understanding how various groups within a company perceive business risks. “Ask members of the board, the senior executive team, and members of middle management to rank the organization’s top risks. Often, there will be fairly strong alignment between directors and senior management, but middle management may have a different view that can be eye-opening.”
Such exercises can raise questions and open up avenues for discussion about not only the risks themselves but also processes and culture: a meeting participant noted that if middle management has an understanding about a different risk, and that risk is not getting communicated up the chain of command, that can be problematic.
At one director’s company, “bringing different groups together to discuss risk issues was very powerful. We conducted surveys that asked people where they were from, and they voted anonymously [on perceived risks]. The U.S. employees thought they were fine, but that the global parts of the company were in trouble, and staff in global offices thought the real risk was in the U.S.”
Tone at the top matters when it comes to board-management interaction around risk oversight.
Insightful risk-related conversations between the board and management are undergirded by a healthy tone at the top—starting in the boardroom. “Directors need to be receptive to bad news and not punish the messenger,” one director said. For more in-depth recommendations on boardroom culture, see The Report of the NACD Blue Ribbon Commission on Culture as a Corporate Asset.
Meeting participants agreed that the board should set the expectation that the CEO and senior leadership are equally open to hearing about potential problems or emerging risk issues. They also emphasized the importance of intellectual curiosity as a characteristic of leaders who are able to successfully navigate risky and often volatile business environments: “We just went through a CEO succession plan, and we looked for someone who is able to stay up to date in a fast-moving environment,” one director said. “Our [candidate] questions have changed; they’re not only focused on experience and background. We want to know about how the individuals reacted in difficult situations and their personal approach to self-education and continuous learning.”
Boards should consider how their companies can take advantage of technology to gain more insight from risk information.
A council member pointed out, “Our entire conversation about risk is much more meaningful if we have reliable, quantitative data. Otherwise, it’s just qualitative information and directional [indicators]. How can we push management to be more specific [about risks]?” New technologies are assisting management teams and boards with the task of turning risk information into insight. But taking advantage of analytics tools and artificial intelligence, among other technologies, also can increase a company’s exposure to risk.
Seth D. Rosensweig, partner at PwC, said that companies’ use of data science should help directors think outside the box when it comes to risk. Rosensweig said he’s seeing more companies employ five key technologies: data analytics, robotic process automation, the cloud, blockchain, and artificial intelligence/machine learning. (Learn more about blockchain in the boardroom.)
He added, however, that there are challenges with using technology to enhance risk insight, particularly if a company implements a given technology but does not yet have the processes or controls in place to mitigate the risks associated with the technology, as well as the new data that may result from the analysis.
Questions directors can ask management include:
- How could new technologies improve our risk reporting and analysis? What questions are we trying to answer?
- How would new technologies interface with our legacy systems?
- What new data would be produced as a result of new analytical techniques? How would it be used, and how would we protect it?