Until the explosions of Enron, Worldcom, Tyco, Sept. 11 and other seminal events in the early part of this decade, the expectations for this were more limited.
No small part of that fact was the go-go heyday of corporate performance during the 1990s and the outsized market returns that distracted many from a proper level of scrutiny over risks that now seem obvious. The perceived need for a greater level of scrutiny just didn't exist.
There have been many conversations that began with the same question in response to the call for a more disciplined and rigorous focus on effective risk management.
"Aren't we already doing that?" The answer was typically the same: "Yes, but only to a limited degree." And thus the issue: "What degree of discipline, rigor and detail actually defines effective risk oversight by the board?"
To answer this question I reviewed some of the key writings on this subject. What I found was a set of common threads that well define what boards should care about most regarding risk and a secondary set of elements that should be of near equal concern.
I found six elements that seem to define the key criteria for keeping boards out of trouble through an appropriate focus on risk, yet don't impinge on management's responsibilities. So, here they are, in no particular order.
1. The board should maintain a clear and regular sight line over evolving risk management practices, both within the firm they oversee and from a best practices standpoint. This attention to the processes used to manage risk is essential to being informed enough about the "how" to understand whether there is sufficient control over the risk profile.
2. The board should understand and agree to the way risks are valued, quantitatively and/or qualitatively. Top 10 lists are very common and popular and are a useful construct in prioritizing the resources assigned and actions taken to achieve the needed level of understanding of these most significant risks.
3. The board should be enabled to assess and measure risks to the company strategy and its resulting performance. In other words, a risk is not a risk unless it threatens an objective. At the heart of risk management is a well designed, thoroughly understood risk appetite and tolerances framework.
4. Boards must understand, agree to and, ideally, formally ratify this framework in order to ascribe any credibility to their role as risk overseers. Many companies have done this, yet many have not.
5. Boards also need to set guidelines for the company's risk-taking policy, enforcing an effective discipline and incentive strategy that balances risk taking with risk appetite. Assembled correctly and formally integrated, this set of processes is essential to effective risk oversight by governance.
6. Finally, a fully risk-engaged board should approve the top risk-reporting strategy, ensuring comprehensive, timely, forward-looking, integrated, relevant, quantitative and qualitative measurement of the company's most significant risks.
These six elements define the core criteria necessary for a best-in-class governance system to keep management focused on the right risk culture and key elements for overall company success.
CHRIS MANDEL is principal of Excellence in Risk Management LLC and is a long-term senior risk manager and former president of RIMS.
September 15, 2010
Copyright 2010© LRP Publications