Directors sometimes don’t understand the meaning of risk. Boards approach ERM (enterprise risk management) as making sure there is regulatory compliance, sound accounting and reasonable cyber protection. These are important to address but are NOT the key elements of risk that boards must engage, according to an expert panel convened today by the National Association of Corporate Directors of New England.
Risk was defined as the occurrence of events that could deeply harm your organization and which you do not plan for. Risk thus is mostly another word for how you manage your strategy, how you define and are guided by your risk appetite. Sixty percent of failures are strategic in nature, thirty percent are operational and only ten percent are based in financial control failures. As one panelist stated it: risk management is the same thing as running your business.
In for-profit business, one suggested risk definition is the avoidance of unexpected earnings volatility. That informs us that you need not avoid risk, and indeed in a rapidly changing world it was emphasized that you must undertake risk to remain competitive. ERM is not eliminating risk; it is balancing the hoped-for benefits against the negative impact of getting it wrong.
One panelist emphasized use of metrics; define your risk appetite in terms of what is an acceptable quantum of risk. Risk measurement must be quantitative (do not drive over 60 mph) and not qualitative (drive carefully). That raises the issue of the quality of metrics, and whether the board is getting only internal metrics or market metrics. Good checks on whether the board is getting the true picture: reviewing outside data, bringing on new directors, talking to junior employees, talking to customers, exit interviews, anonymous whistle-blower procedures.
Take-aways for directors: ask what is the risk of what you are not doing; approach risk on a portfolio basis, accepting different levels of risk for different products or services or initiatives; hire the right people to drive the strategy; make sure you are not getting a uniform response from everyone, as that is a sign of lack of healthy awareness; keep the pressure on management for being accountable for strategy that reflects risk management and mediation.
Most interesting perspectives (paraphrased): When I interview new board candidates I ask two gating questions: first, are you healthy enough to do this job; second, is your lifestyle dependent on the income from this directorship (if the answer is “yes” to the latter, you will be too compliant with the common wisdom). When I join a board I ask the following questions: do I want to fire the CEO; is there institutional buy-in on strategy; is that strategy fully funded.
Final key question to ask management: how do you know that your risk management program is working effectively?