New Approach to Risk Calls for Changes in Board Structure
All boards should use “risk mapping” to manage and
mitigate possible missteps.
June 14, 2011, www.directorship.com
by Herbert S. Winokur
Bad things happen to every organization. Some are unexpected, and some are catastrophic. The organization’s survival may depend on how well its board prepares for these “black swans.” But boards aren’t structured well to review and anticipate negative events and to prepare for them. “Risk mapping” is a vital function that every organization should undertake, and boards need to be properly organized to do so.
At present, boards are organized into standing committees (e.g., audit, compensation) and occasionally ad hoc committees. Some entities, particularly financial institutions, have standing risk committees, which generally concentrate on financial risk management. But boards’ agendas have become increasingly crowded with “check the box” activities, and committee and board meetings have expanded to make sure defensive processes are followed. As a consequence, board committee charters have become more “stove-piped,” which hinders board committees from ensuring that risks that cut across the organization are being considered and monitored appropriately. In addition, board members receive information up from within the organizational hierarchy, which is by definition limiting.
A new approach to risk management is needed. Risk mapping offers a substantially more productive method of defining risk than does current practice. Risk mapping requires an in-depth look at all types of risks that could affect the organization. It requires reviews of history, competitive practices, regulatory activities, approaches to personnel and compensation, corporate value systems, intellectual property, as well as brainstorming, simulations and “war gaming” about possible scenarios that could affect the organization.
Given the need to examine known risks and speculate about unknown ones, the board meeting structure and schedule are inadequate to the task. In addition, on most boards only a few independent directors are intimately familiar with the activities of the organization they are overseeing. (Other directors may be chosen for reasons of specific expertise, customer or supplier relationships or diversity.) Other individuals who are likely to have a deep understanding of risks would be senior (including recently retired) executives below the CEO/COO, and perhaps recently retired directors of the organization or of its competitors.
A group of people, perhaps five to eight, drawn from these ranks should be organized to form a risk mapping advisory committee. Outside counsel, brand consultants, enterprise risk management specialists and insurance experts are examples of potential staff that could be chosen to support the committee. Enterprise risk management processes, with the help of outside experts, can be a good complement or support to the advisory committee. It is important that the risk management process be separated from the time and experience limitations that any board faces, so that risks can be reviewed with adequate time from a 360-degree perspective.
This group should meet three or four times per year for part or all of a day, outside of the board meeting cycle. Its charter would be first to identify as many risks as possible, and measure them both by the likelihood of their occurring and by the consequences to the organization if those negative events were to occur. Second, the charter would empower the committee to determine what organizational units were responsible for addressing and mitigating these risks and, by default, which risks were not being addressed. The committee would be charged to report to the full board of directors once each year and to provide interim reports as would be helpful. The board would be then both better informed about the organization’s risks and about areas in which additional focus or mitigation would be required.
Some scenarios are worth considering. If, for example, a director of a large financial organization, home builder, insurance or building products company had asked, “What happens if housing prices decline nationally by 5 to 10 percent and stay lower for an extended period?” an interesting discussion might have ensued.
If, in another case, a director of a large financial institution, energy company or pharmaceutical firm had asked, “What is the trade-off between our current short-term profit-maximizing practices and the alternatives of building brand value over a longer period by tightening compliance, safety, and/or lobbying practices?” some important declines in market value might have been avoided. A director of a major research university might have wondered about the trade-offs in allocating endowment to increasingly illiquid investments and the resulting consequences to stability in faculty hiring and construction projects.
Most board meeting structures do not provide opportunities to address and debate the assumptions underlying an organization’s strategy and operations. Management, appropriately, is highly focused on opportunities and challenges in the short run, meeting their operating plan, dealing with problems of people and programs, etc. Spending time on what management may view as theoretical and lowprobability events may be seen as academic and unproductive. But identifying and mitigating risks early, which may involve strategy changes, organizational realignments or just better understanding, certainly should be worth the small investment in time and cost to experiment with this proposed risk mapping approach.
Identifying and mitigating risks early, which may involve strategy changes, organizational realignments, or just better understanding, certainly should be worth the small investment in time and cost to experiment with this proposed risk mapping approach.
Management should be encouraged to provide outputs of its internal risk management activities to the risk mapping advisory committee, and to coordinate those activities with this group over time. (The committee process should be designed to preserve “privilege” and to be sensitive to disclosure issues.)
After the risk mapping advisory committee reports to the board, a number of responses should occur.
- First, the board should ensure that all identified risks of consequence are being considered by one or more organizational units and appropriate steps for risk mitigation are being taken.
- Second, to the extent changes in strategy, processes or procedures are required, they should be taken.
- Third, the board’s nominating committee may want to consider the risks identified as a partial basis for determining what kinds of expertise would be beneficial to obtain from new directors.
- Finally, the board may want, with the help of a crisis consultant or other advisors, to explore possible responses to negative outcomes that might occur.
While it is unlikely that the negative outcomes being studied are the ones that will actually happen, crisis management preparation of any kind is likely to be helpful in any scenario. The new committee could be a potential source of advice should a crisis occur. By repeating this process over time, the organization is likely to reduce the impact of a large and negative surprise on its activities.