
How to Talk to Your Board About Risk

by Mary Driscoll

Board members and company managers today need to have a clear and informed view of risk. The business world is fraught with risks to strategy that emerge more quickly and pack a bigger punch than ever before. Moreover, there are new sources of risk—for example, fast-moving innovations in technology (think: Blackberry versus the iPhone), scientific breakthroughs, and the ever-evolving realm of social media.

The quality of conversations about strategic risk among business leaders and operating managers makes all the difference. New research from the American Productivity and Quality Center (APQC) on enterprise risk management (ERM) shows that the more mature organizations—those with well-established risk assessment, reporting, and training processes—have been taking steps to boost the quality of such conversations, especially those involving boards of directors or board committees. For example, their leaders take care to structure the agenda of board-level risk discussions so that there is ample time to focus on the question of “what’s not visible now that could hit us?” Spending adequate time on that sort of inquiry uncovers overly confident strategic assumptions.

“The point is to kick off creative brainstorms,” one ERM leader told us. This leader has developed an exercise that prompts company managers to have practical discussions. “We…talk about the resiliency of [managers’] strategic plans,” he says. “We can ask, ‘What have you done to fold the risks that have been identified into your plan in a way that allows you to win the must-win battles?’” In contrast, a board-level conversation at a far less-mature company would involve a rote recitation of risks that surprise nobody—for example, what do we do if the price of energy rises next year?

Smart managers also work to educate board members on the concepts and language of ERM. When everybody shares a common understanding, people can easily come to consensus about what issues deserve deeper examination or highest priority. They can then proceed to prioritize their strategic responses given a risk’s likelihood of occurring and its speed of change.

For example, at one best-practice organization, leaders and operating managers alike are trained to use a risk prioritization model (which is shared with the board). The slow-moving risks with a low likelihood of happening get parked (but not forgotten). The slow risks with high likelihood are items the managers will have to adapt to. Then there are risks with low likelihood that would nonetheless quickly become a big challenge if they materialized. These need contingency planning and careful monitoring. Finally, there are the emerging risks that are most likely to materialize and that can accelerate quickly. These are risks that have the potential to seriously disrupt the business unit’s strategy.

Finally, when conversations about risk are well structured and meaningful, managers gain a clearer sense of the board’s appetite for risk and ability to tolerate it. Board members, meanwhile, get a good feel for the organization’s level of ERM maturity.

At some companies, however, board members don’t recognize the value of such conversations. They want to do what they’ve always done: sort risks into neat categories (financial, operational, compliance) and dictate that more rules be drawn up for employees to follow. Such boards look at company managers and say, “We pay you to worry about risk. We worry about ROI!”

Indeed, APQC research indicates that ERM is still in its nascent stages at many firms. Survey findings from nearly 100 large global companies point to a worrisome process weakness: 43 percent do not have an ERM process owner who updates the board regularly about the evolving mix of risks and efforts to address them. In contrast, the 57% that do have such a person and process in place feel confident in their ability to identify new types of risks that could send strategic initiatives careening. The confidence comes from steady exposure to the board’s evolving views on risk versus reward. And when an ERM leader can say to other managers, “Well, here’s what the board thinks about that,” the board’s clout is in the room. Operating managers tend to perk up and engage in truly thorough discussions about potential risks.

The first step in having meaningful conversations with the board about risk is collecting the right information to share. At best-practice companies, gaining risk intelligence starts with some version of this mantra: “Everybody’s a risk manager. The business decision makers own the strategy; therefore, they own the risks.” When leaders set the tone that risk management is everyone’s business and put structures in place to support it, the data emerges effectively.

An example comes from Exxaro, the large South Africa–based diversified resources group, with interests in the coal, mineral sands, ferrous, and energy commodities. Exxaro has a highly structured ERM reporting process. Business units meet quarterly to go over their risk profiles, as does the operations committee. The board then receives a quarterly operational risk profile, and the ERM team has an annual process with the board wherein board members use the business units and operations committee’s risk profiles as input to compile their own risk profile.

The point is not for the board to re-rank or develop their own views on specific risks. Rather, it is to ensure that risk owners throughout the organization participate in risk management in a genuine manner—one that fully engages the board in conversation.

 

Republished with permission from strategy+business, a publication of PwC Strategy& LLC. ©PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see pwc.com/structure for further details. strategy-business.com 
