I congratulate Protiviti for its contribution to this difficult topic in Board Perspectives: Risk Oversight (PDF).
Protiviti makes the very important point that boards and their committees have very little time and need to focus their attention on the issues that matter, leaving others for management to handle.
Do I agree with everything the authors say? As usual, the answer is "no." While they make some excellent points, I believe they miss the most important one of all.
First, let's review the excellent points.
- The board can add value by sharing its perspective and challenging management, but it should only spend its time on the risks that really matter. Protiviti doesn't say this, but I believe that includes asking management (and the chief risk officer) to distill their reports down to issues that merit the attention of the board — because the risk is considered high and management's acceptance should be reviewed by the board, the risk is outside levels approved by the board, or for other reasons, such as a significant level of fraud may be involved.
  As I have said elsewhere, internal audit should similarly be focused on the risks that matter and stop auditing ones that don't now and never will matter to the board or executive management.
- "A focused risk oversight process is one that can be aligned more effectively with the rhythm of how senior executives manage and run the business." Protiviti does not explain this, but I see it as ensuring that the review and approval by the board (e.g., of changes in acceptable levels of risk or the consideration of new and emerging risks of significance) is timely. Some matters simply should not wait until the next scheduled quarterly meeting of the board.
- As recommended by the National Association of Corporate Directors (NACD) (cited by Protiviti), the board should "own" certain risks, including risks related to the executive team and the board itself ("governance risks"). I am pleased to see Protiviti repeat and expand on the NACD's recommendation. This is an often-overlooked area of risk to the organization; too few boards are open and willing to discuss either the possibility that the executive team may not perform to their expectations, or that they themselves may lack discipline, process, or capability.
What did Protiviti miss?
While the board should spend some time on specific risks, I would prefer that their priority be placed on ensuring that management not only has effective processes in place for managing risk and executes them effectively, but embraces and embodies risk management (which I wrote about in January).
The board cannot review and approve all risks and cannot be present to monitor risks every day. But risk changes every day, with every decision made in running the business.
As recommended by practically every corporate governance code around the world and, in the U.S., by the NACD (Blue Ribbon Committee on Risk Governance: Balancing Risk and Reward — the very same document cited by Protiviti), the board or committee of the board should obtain assurance that the daily management of risk by and across the organization is appropriate and effective.
- "Consider whether the company's risk management system — including people and processes — is appropriate and has sufficient resources." — National Association of Corporate Directors.
- "It is the role of the board to set the risk appetite for the entity, to oversee its risk management framework and to satisfy itself that the framework is sound." — Australian Stock Exchange Corporate Governance Principles and Recommendations.
- "The Board should, at least annually, review the adequacy and effectiveness of the company's risk management and internal control systems, including financial, operational, compliance, and information technology controls. Such review can be carried out internally or with the assistance of any competent third parties." — Singapore's Code of Corporate Governance 2012.
- "The board should review the implementation of the risk management plan at least once a year." — South Africa's King Code of Governance For South Africa, 2009.
Not only should the board obtain assurance, preferably through an objective evaluation by the internal audit team, but test in every meeting whether the management team exemplifies risk management thinking — whether it embodies and embraces risk management. Proposals and forecasts should be accompanied by management's assessment of the likelihood of the assumptions inherent in those proposals and forecasts, as well as the actions management will take to improve their likelihood and potential impact. The options that were considered also should be discussed, with explanations for the selection management made.
A less significant issue, but still meriting discussion by every board, is how and where the management of risk is addressed by the board. I am not talking about whether the audit committee should own risk management, whether a risk committee should be established, or even whether the full board is the best place for a discussion of risk.
All the guidance says that the consideration of risk should be embedded in strategy-setting as well as in the monitoring of performance against strategy.
So why are board discussions of strategy and risk not integrated?
Some years ago, I heard a member of the board of the Hudson Bay Company say that his board has integrated discussions of risk and strategy. That makes a lot of sense to me!
Not only should risk be considered in setting strategy and in assessing how well the company is progressing towards achieving strategic objectives, but sometimes the best response to risk is to change the objective and/or strategy. If there is a brick wall between you and your objective, maybe you should stop ramming into it and find another objective!
I suggest that every board should consider the Hudson Bay model and combine its discussions of risk and strategy.
What do you think of this idea and the topic of board oversight in general?