In decades past, boards could rely solely on management to oversee and manage risk. The 2008 financial crisis, also known as the global financial crisis, was considered to be the worst financial crisis since the Great Depression. Harsh economic times hit boards of directors squarely, as they came face to face with complex legal issues and failing businesses. The financial downfall, along with the subsequent fallout, was an abrupt wake-up call for boards of directors to delve deeper into their organization’s risk management practices.
The pervasiveness of risk in the workings of everyday business means that boards must factor risk as an integral part of organizational strategy. Technology has increased the pace of business transactions globally, which has increased the volume and speed of product cycles. Today’s businesses are wrought with complexities and litigiousness like never before—issues that hold the potential to destroy organizations overnight.
Increased Scrutiny Over Risk
In addition to management, boards are increasingly being held accountable for managing risk. Corporate governance rules and credit rating agencies are taking a stronger role in corporate risk by forming policies that address risk management policies. These emerging trends are forcing boards to assess past organizational exposures to risks. Economic trends also demand boards to be forward-thinking with regard to overseeing current financial risks and exposures to minimize the impact of financial crises.
Since the 2008 financial crisis, the New York Stock Exchange’s corporate governance rules now require that risk assessment and risk management be included in audit committee discussions. Corporate credit ratings now include an assessment of commercial risk management processes, as required by commercial credit rating agencies, such as Standard and Poor’s. These changes mean that risk management items are becoming staples of board agendas.
Potential Loss Areas
Exposures to financial loss can include real and personal property, as well as property that is tangible and intangible, and personnel losses. Revenues can be lost by profit margins or expense increases. Poor risk management exposes organizations to civil and statutory offences, which can result in fines or other legal complications. The result of not managing risks can quickly deplete an organization’s reserves. Examples of risks with financial impact include:
- Retained losses—insurance deductibles, retention amounts, or exclusions
- Net insurance proceeds
- Costs for loss control measures
- Claim management expenses
- Administrative costs to manage programs
Finding the Balance Between Taking and Managing Risks
Board members, executive directors, managers, and stakeholders know that there are strategic advantages to taking risks and that realizing growth requires some degree of risk. While managing complex business transactions, managers struggle to strike a balance between adding value while managing risks.
Development of Policies, Procedures, and Awareness
The board should not take a direct role in managing risks. The board’s role should be limited to risk oversight of management and corporate issues that affect risk. Without becoming directly involved in managing risk, boards can fulfill their role in risk oversight by:
- Developing policies and procedures around risk that are consistent with the organization’s strategy and risk appetite.
- Following up on management’s implementation of risk management policies and procedures.
- Following up to be assured that risk management policies and procedures function as they are intended.
- Taking steps to foster risk awareness.
- Encourage an organizational culture of risk adjusting awareness.
Areas of Risk Management Oversight
Boards should be looking at areas that either may be subject to risk or may be out of compliance with established best practices on risk management, from a domestic and global standpoint. Specific areas that boards should review include:
- Fiduciary duties
- Federal and state laws and regulations
- Stock exchange listing requirements
- Established and evolving best practices—domestic and worldwide
Risk management may fall under more than one committee, which may be the risk management committee or the audit committee. To effectively cover all areas of risk, committees should be coordinated so that communication between them regarding risk occurs horizontally and vertically. Committees report back to the board regarding the adequacy of risk management measures so that the board has confidence that management can support them.
Risk Management Oversight from a Broad Perspective
Board members need to have a good understanding of risk management, even when they lack expertise in that area. Boards may lean on the expertise of outside consultants to help them review company risk management systems and analyze business specific risks. Boards should perform a formal review of risk management systems, annually.
As part of the annual review, boards should review risk oversight policies and procedures at the board and committee levels and assess risk on an ongoing basis. It’s helpful to familiarize the board with expectations within the industry or regulatory bodies that the organization operates in by arranging for a formal annual presentation on risk management best practices. The annual risk management review should include communication from management about lessons learned from past mistakes.
Risk management issues have been at an all-time high. Boards can continue to expect risk management to be an increasingly challenging part of board decision-making. There is a lot at stake with poor risk management practices. The impact will be felt from the top to the bottom and transcend across the board, management, and stakeholders. Taking a focused approach to risk management should be more than a compliance mechanism. Risk management needs to be an integral part of the organization’s culture, strategy, and day-to-day business operations. Of all the risk management challenges that boards face, the greatest challenge is in navigating organizational growth while protecting the organization from unnecessary risk, so that it doesn’t impact the business negatively. Today’s commercial and economic climate demands that boards step up their game with an intense focus on risk management.