As a corporate secretary or other governance professional, your plate is full. The same is likely true of your directors, and it makes sense when you consider the adage that, if you want something done well, you should ask a busy person to do it. This truism is attributed to more than a couple of individuals, and one of them, Lucille Ball, provided a corollary: The more things you do, the more you can do.
This latter perspective may well reflect your own governance career, as well as the progression of your skills and capacity to advise on all matters governance related. With the ongoing evolution of governance, your directors have also had to further develop their governance repertoires. If you'd like to test this, take a bit of time to compare your organization's board and risk oversight committee agendas, calendars and work plans from just a few years ago with those you develop today.
Risk oversight is a good example. Its scope has expanded beyond traditionally recognized strategic, operational, reputational and geopolitical risks. Cybersecurity, along with technological strategy and resources, is increasingly relevant to an organization's ability to succeed. It's not uncommon, should one organization share its learnings following a data breach, for sector peers to launch reviews of their own controls and then report the results and the related mitigation strategies to their own boards.
Organizations are also coming to grips with the realities of shareholder and stakeholder engagement and activism; directors and management alike are engaging in environmental, social and corporate governance (ESG). Just as a technology security breach would represent a potential risk to an organization's reputational and financial performance, the same is true of an organization's ESG underperformance.
Board of Directors' Risk Oversight Responsibilities
The PwC 2018 Annual Corporate Directors Survey results illustrate some challenges on this particular front. PwC noted that institutional investors perceive financial risks when a company doesn't account for environmental issues. Yet, the same survey found that 32% of directors said that their companies had taken no action to respond to sustainability/environmental risks – and a full 29% of the surveyed directors believed that shareholders give too much attention to such issues.
How does a board in the year 2019 reconcile its directors' individual and collective views on environmental and sustainability matters with institutional investors' convictions and policy guidelines? If your board isn't currently monitoring the organization's ESG commitments and performance, do you think it will be long before ESG-related risks make their way onto your organization's risk registers or heat maps?
It's nothing new for boards to reflect and debate which priorities and goals should surface to the top of their lists. If a review of your board's risk oversight practices hasn't made it to the top of that list at some point in the last two or three years, you, as a governance professional, may want to recommend undertaking such a review in the months ahead. Boards would do well to assess whether their risk oversight practices, no matter how well they've served their respective organizations in the past, have kept pace with changing times and reflect emergent risks.
In the past, it may have been comfortable for board members to rely on – and perhaps defer to – a limited number of directors who had professional experience associated with risk management. Boards will want to maintain succession planning and recruitment practices that ensure the board can continue to rely on internal expertise. They can also benefit, though, by being intentional in providing board development that ensures that all directors understand and participate in risk management discussions and oversight.
Risk Oversight Best Practices
Effective risk management oversight is more than periodic reviews of management's risk registers or heat maps and securing management's attestations of compliance. Nor do all boards task a single committee with complete responsibility for risk oversight. While audit (or other) committees may take the lead, some boards have also charged other committees with routinely reviewing and monitoring the organization's risk profile specific to risks that are relevant to individual committees' mandates and areas of expertise.
Such committees will ask questions. They'll review narratives, graphs and heat maps. Members will consider each risk's current status in comparison with prior reporting periods. In addition to seeking information on controls, the committee will consider mitigation and management strategies for all the risks they review. Each committee will roll its feedback up to the lead committee, which will then consider and present its overall findings for board discussion and recommendations.
Nor is it only the board that requires education and development. Organizations succeed by taking risks, which means that employees outside the C-suite need a clear understanding of the types and degrees of risk-taking that are appropriate (or not). The board will want to know that senior management has established and communicated standards and expectations to those who execute the strategic plan. Do you have a board-approved enterprise risk management (ERM) policy that establishes shared understandings when it comes to risk vocabularies, appetite and tolerance? Does the policy articulate how the organization and its employees are to identify, communicate, mitigate and manage potential, inherent and emerging risks?
What is your organization's approach to identifying, communicating and acting on risks? Is it top down, or are employees empowered and tasked with responsibility for acting within the scope of their respective authorities? Management may have risk management standard operating procedures (SOPs) in place. These SOPs may be based on the International Organization for Standardization's ISO 31000 – Risk Management principles and guidelines. While the board's role in risk management is one of oversight, directors will want to know that management effectively communicates the policy and SOPs to employees.
This leads to another aspect of risk oversight: does the board have a handle on organizational culture?
Boards rely on metrics and KPIs for many of their deliberations, but culture is not always so readily quantified. Routine reporting on whistleblower activity can help to some degree, and PwC has identified approaches to understanding culture and other risk management oversight challenges.