Boosting Your Risk I.Q.
A critical issue on the agenda for most directors these days is determining the board's role in overseeing risk. That was the topic of a recent peer-to-peer discussion hosted by Directorship and Deloitte. A group of leading board directors and industry professionals explored risk-related issues in the aftermath of the economic crisis, which most agree was a catastrophic failure, particularly on the part of finance institutions, to recognize and rein in excessive risk.
"When we talk to senior stakeholders about risk, it's really about finding a balance across the entire organization. This balance refers to addressing the sensitivities between strategic, operational, and compliance risk, and ensuring the right information and transparency exists," said Henry Ristuccia, partner and U.S. leader of governance and risk management at Deloitte.
"However, in many organizations, candid and open interaction is not happening as often as it should. In order for directors to fulfill their fiduciary responsibility to shareholders, this should be present. While there is some evidence of real change in many boardrooms, there are still cases where we've seen some hesitancy among directors to cross that line with management."
David Meachin, chairman and CEO of Cross Border Enterprises, a New York-based investment bank, agreed that boards need to push hard and question management often on the topic of risk. "When financial services firms were queried about the risks they were taking, did the board ask forcefully enough?" Meachin wondered. "The board needs to keep asking until they get an answer they are satisfied with." It's the board's job to think about the what-ifs, added Meachin.
Debra Perry, who serves as a director at Conseco and Korn/Ferry International, said there were three fundamental causes of the financial crisis. "There was a prolonged period of very low interest rates that prompted investors and lenders to lower standards in search of yield. Second, there was lax oversight of our financial system on the part of regulators who had an excess of confidence in self-regulation; and third was the emergence of securitization as a financing paradigm. Securitization enabled the transference of risk in ways that distanced the end investor from the point of origination and obscured the character of the risks taken by originators."
"Short-termism"—or the propensity for shareholders and managers to act on immediate pressures and motivations—also surfaced as a driver of the crisis. "How do we measure, as a society, what's important?" asked William Parrett, director for Blackstone Group, Eastman Kodak, Thermo Fisher Scientific, and UBS. Against the backdrop of investor short-termism, management's focus on immediate outcomes was not surprising. Parrett added, "There's no question in my mind that companies were focused on the short term while trying to manage around the risk. This contrasts with the public response to the swine flu, which is a great example of something that could have become unmanageable if longer-term thinking was not in place."
Maureen Errity, director of the U.S. Center for Corporate Governance, Deloitte LLP, pointed out that the board's role is to assess how to balance short- and long-term performance goals: "Risk just isn't about threats; it also has a positive upside when managed properly. Then, it's also about value creation."
Ristuccia challenged roundtable participants to prepare what he called a "master list," a summary of the key things directors need to know about their company's top risks. "What we're seeing is that all directors around this table are saying, 'How do we simplify risk management, and create value by taking certain kinds of risks? We need to look at the process and understand what is spent on risk management, compliance, and governance. Also, we need to know how we rationalize controls to reduce what is a significant byproduct of risk management—cost.' Usually when I talk to directors like you, I want to talk about how to integrate the management of risks into common frameworks and processes."
Francis Byrd, managing director of corporate governance and practice co-leader at The Altman Group, a proxy solicitation firm, suggested that directors need to be asking themselves what is keeping them awake at night: "Do you know what the top five risks for your company are? If you have a grasp on those, then that goes a long way toward getting to the 'master list.'"
Based on his long experience in counseling management, Robert Dilenschneider, the former chief executive of Hill & Knowlton who now runs his own public relations firm, said most CEOs with whom he has interacted privately believe their board members don't fully understand risk, Wall Street, or their company. "There are still board directors whose purpose in serving on the board feels like a 1950s approach—prestige, compensation, perhaps the 'good ol' boys' network," he asserted. "In some cases, they lack a serious understanding of what is needed, which is a serious defect."
Perry countered that she was "disappointed to hear that when CEOs push back, it's usually because they don't want to hear any objections. It's code for, 'I know where I want my risk appetite and it may not be where you folks think it should be.' I'm not sure how we get around that."
One way, said Nicole Sandford, a partner at Deloitte's U.S. Center for Corporate Governance, may be to solicit information from sources other than management: "Historically, most of the information that the board receives comes from management. You can learn a lot about the company's risks from analysts' reports and industry journals. Even institutional investors are generally happy to share their thoughts about risks and opportunities if the board is willing to listen."
Deloitte's Ristuccia posed the following question: "If you tested all these good ideas, would the same mistakes have been made, or would the outcome be different? Are we seeing a legitimate change in governance? What are some of the specifics that can prove the company's culture is changing?"
Essential to achieving risk intelligence is a culture that not only balances short- and long-term perspectives, but also supports open discussion about uncertainties, encourages employees to express concerns, and maintains processes to elevate concerns to appropriate levels—including to the board level. Some of the more obvious changes are around transparency and the ability of the CEO to "know how to assess the risk factors," added Ristuccia. "All cultural change needs to start with management."