The National Association of Corporate Directors (NACD) has established an advisory council on risk oversight and published a report on its second meeting that contains notable comments. It is available at
I advise reading the publication carefully and slowly because many points are made without elaboration.
Here are some of the more interesting pieces, with my elaboration.
Directors should have a “real and thorough” understanding of the business to be able to effectively discuss strategy and risk with management.
- This is a known and significant problem. Other surveys have reported that as many as 70% of directors do not have a sufficient understanding of either the business or the strategies for delivering value. As discussed in the next quote, directors are part-time, often unable or unwilling to dedicate the time required to obtain the detailed understanding of the business and its operations to provide effective oversight of strategies, risk, or performance.
In the current era of board oversight, committee leadership demands a significant commitment of time and experience, which some directors may not have. One delegate noted that “fewer people are capable of chairing committees these days.”
As overseers of the company, it is necessary for directors to act as skeptics of management, questioning and even providing dissension if necessary. However, delegates noted that with lengthy tenures, it is possible that some committee chairs can become so comfortable with their respective management contacts that they risk losing sufficient skepticism. To promote fresh thinking and skepticism, the delegates suggested implementing methods of committee rotation, such as term limits. Additionally, conducting meaningful board and committee evaluations that consider director tenure can help to ensure that committee rotation is viewed positively by the whole board.
- It is interesting to note that the more recent governance codes, such as those in Malaysia and Singapore, consider that directors with long tenure are no longer independent.
In many cases, the board was simply unaware of the operational risks occurring at the company... The role of a director, by nature, is a part-time job. As such, directors are reliant upon the executive team to provide the information necessary to evaluate risks and corporate performance... “The definition and role of oversight has changed in the last five years... [but] management hasn’t realized that oversight has changed.” Indeed, the expanding gaps may stem from management not fully realizing the new, changed board oversight role... Directors should establish tolerance levels for the level of risk they are willing to bear, and look for signs of when this risk has become too high... Of course, communication is a two-way street. It is the responsibility of the board to communicate its expectations regarding information flow.
- This is where the council, in my opinion, missed the most critical ingredient to effective oversight: adequate processes for risk management that include appropriate communication to the board. The board should ask more questions about the adequacy of management's processes than about individual risks. If the processes are sound, new risks or changes to existing risks are likely to be handled well.
Delegates recommended the CRO meet quarterly with the committee(s) tasked with risk oversight.
- It is certainly desirable for the chief risk officer to have access to the board, and provide regular reports. But is that sufficient when we are living in such a turbulent world? Access should be as often as necessary. In addition, the onus for communicating changes in the risk environment should be primarily with executive management.
Internal audit can provide feedback on the various committees’ risk oversight performance. “Internal audit looks at all of our activities for the year and makes sure we have fulfilled the fiduciary duties in our charter. Did we do for our shareholders what we told them we would?”
- The board should require that internal audit assess and report on the quality of governance and risk management processes at least annually, using a risk-based approach. The discussion in the NACD report about comparing the internal audit plan to management's risk report is interesting; I would wonder why internal audit would work on areas not rated at the top of management's assessment, and why they decided not to address key risk areas.
Throughout the day’s discussions, the critical link between strategy and risk surfaced regularly. The board’s oversight of risk should begin with an assessment of the company’s strategy and the risks inherent in that strategy — which necessitates understanding and agreeing on the risk appetite, or the amount of risk the company is willing to accept. “Board members should not be involved in the detailed strategy setting... we need to connect management’s assertions to what the strategy is, then have them intelligently identify the risks.”
- This is good, but the selection of objectives and strategies should be based, in part, on risks in the business environment. Risks should not be left to be an afterthought.
Development of the risk appetite should be conducted in conjunction with management, as it should reflect the “overlay of strategy on risk.”
- It is true that the only risks that matter are those that relate to the achievement of objectives and delivery of value.
"We structure [risk committee meetings] so that no other committee meeting is going on so that other members can attend and hear about business unit risk."
- The discussion of whether the full board or a committee of the board should provide risk oversight is interesting. I like this idea that if there is a risk committee, all directors should be able and encouraged to attend.
I think this is a good piece of work that merits consideration and discussion by every board and management team, and by risk and audit practitioners.
Some will say that there is little new. That may be true, but the points are made well and are from a credible and authoritative source.
I welcome your comments.