As board members, we play a critical role in the oversight of strategy and management of the companies we help to govern. Effective risk management helps a company to seek out the highest and best uses of its scarce resources while appropriately controlling potentially damaging outcomes for the company. This article explores key issues that we as board members should address as we fulfill our responsibilities in the risk arena.
Goal of Risk Management
By their nature, businesses are designed to take a wide variety of risks to achieve their goals. Creative scientists explore the development of new drugs for weight loss; innovative engineers push the speed boundaries for chips used for artificial intelligence; proactive sales teams seek to develop new customers in foreign markets. All these activities require risk-taking. Consequently, effective risk management cannot seek to eliminate risks. That would completely tie the hands of virtually every team. Instead, effective risk management seeks to identify, understand and manage key risks including strategic risk, financial risk, operational risks and compliance and regulatory risks.
The Board’s Role in Risk Management
Effective boards ensure that the company has a robust risk framework that covers all key aspects of the business. Well-run firms have built risk management into the fiber of the firm’s culture, and it is supported by a “tone at the top” that encourages and rewards proper risk-taking to create value for all of its constituents, including shareholders, customers and employees, and addresses the regulatory landscape the firm operates in.
Risk management frameworks for firms typically include four components that boards should have direct oversight of:
- Establishing the Risk Appetite. This work identifies all critical risks internal to the firm, as well as relevant risk factors that are external to the firm. These variables will likely include both quantitative and qualitative metrics that directly influence decision-making. The risk appetite can be high for some types of risks, such as strategic risks where a company might be known for innovative and ever-changing product development, whereas the appetite for other types of risk, such as regulatory risk, would generally be very low.
- Ensuring an Effective Risk Management Process. The risk management process for a firm should demonstrate an understanding of big picture issues down to important nuances that can result in unanticipated material positive or negative outcomes for the firm. Importantly, the process should include risk identification, risk assessment, measurement, mitigation, monitoring and reporting.
- Oversight of Risk Management. The responsibility of risk management needs to be broadly spread across the organization. A common approach used by many financial service firms is referred to as the “Three Lines of Defense”, which refers firstly to line management; secondly to the formal Risk Management and Compliance functions; and thirdly to Internal Audit. Each “Line” has a designated responsibility for the management of risk. To ensure that the Risk function has the appropriate “teeth” and independence, the Chief Risk Officer frequently is part of the top-level Management Committee and reports jointly to the CEO and to the Board of Directors.
- Monitoring and Reviewing Risk Management Activities. In its oversight function, the Board should regularly review major risk events and the health of the risk management activities, particularly in areas where risks are out of line with the defined risk appetite or in areas that require heightened attention, for example, cyber risk or the quickly evolving use of artificial intelligence by firms.
Challenges
No two companies are exactly the same, so each company needs to carefully design its risk management system to reflect its unique needs. Furthermore, the risk landscape is constantly changing, driven by factors such as technological change, evolving client needs and taste, the changing regulatory backdrop, and even geopolitical events. It is important that the risk management system is seen as a function that evolves as the company evolves.
Conclusion
Effective risk management is a fundamental ingredient for the consistent, long-term success and viability of any company. As members of the board of directors, we have a critical role in ensuring that our companies can take advantage of important opportunities. Having a well-managed risk environment in which all critical risks have been identified, clear risk appetites have been established, and a robust process is in place to appropriately mitigate and continuously monitor the risk landscape will help guide our organizations through uncertainty and toward sustained success.