Let’s say that you have taken your car in to your dealer for a routine service and check-up. How would you feel if the mechanic came back and gave you this report?
“Your speedometer registers zero, which is correct because the car is not moving. The compass is pointing due north, which is also correct. The engine oil is full and the tires are at the correct pressure.”
Would you prefer this report?
“The speedometer and compass are working well. The engine oil is full and there is no leak. We took the car for a test drive and checked for leaks and also for any issues with the tires, which remained at the correct pressure.”
The second report provides you with valuable information that gives you comfort that the car is safe to drive and will get you to your destination. The first report is correct but of limited value.
Let’s turn to boards and risk management oversight.
If you listen to the consultants, of whom there are many, board members should ask about the top risks facing the organization and quiz management on how they are being managed. Perhaps the board can go further and ask how these risks are being considered in strategy-setting.
In this scenario, the board members are provided a report (perhaps prepared by the risk officer) as a basis for discussion.
That is a list of the risks that management and the risk officer prepared and reviewed prior to meeting with the board.
That is a list of what used to be the risks at the time it was prepared.
That is a list of risks the organization faced when it was standing still and pointing north.
It does not necessarily reflect the risks and risk levels facing the company at the time of the board meeting, nor the risks and risk levels the company will face next week.
Risks change in our dynamic business and regulatory climate.
I am not saying that it is not a valuable exercise to discuss the most significant risks facing the organization. It is.
What I am saying is that this is simply not enough, for two reasons:
- Any list of risks is a point-in-time report and is probably already out of date
- The list of risks probably omits some of the most critical risks
Let me explain what I mean by the last bullet point.
The kind of risks that are generally included in the report to the board are “strategic” in nature. They are “big” risks affecting strategy, possibly involving litigation or the loss of key executives – they are what I would call risks on or beyond the horizon.
But the kind of risks that can cause immense damage are those that are taken every day as a normal part of running the business.
If you are focused only on the horizon, you will trip and fall as you walk.
Managers and staff are taking significant risks all the time. Think of the contracts they are entering into for the supply of critical components needed in manufacturing; comments they post on social media; decisions they make to defer or accelerate plant maintenance; and the people they hire.
So what do boards need to do?
This is what I would do as a member of a board:
- Ask the CEO and the CFO for their opinion, their assessment, of whether the consideration of risk is an integral part of how they, their management team, and managers at all levels run the organization.
- Ask them what they understand by “risk” and “risk management”, and who has responsibility for the management of risk. (This will be a real test!)
- Quiz the top executives on how they make decisions: how they obtain the information they need, including how they determine the risks they face (upside and downside) and the actions they ensure are taken to address them and optimize outcomes.
- Require the CEO and CFO to provide the board with at least an annual assessment of the adequacy of risk management. That assessment should include whether they believe that the management of risk is effective and suitable for the organization now and into the immediate future. If not, what actions are being taken to upgrade it?
- Require the internal audit department to provide at least an annual assessment of how well the organization manages its more significant risks; this will include consideration of the controls relied upon to manage those risks.
- Ask the CEO to describe the relationship between the executive leadership team and the risk function.
- Ask internal audit and the risk officer to describe how they work together.
- Ask the external auditor for any input they may have on the management of risk, not limited to financial risk, based on their interaction with leadership and management across the organization.
What do you think of the above? Are there two more questions you might ask to bring the list to 10?