Boards Take the Lead on Risk Management

The Conference Board published a report this month about best practices in public company risk oversight. The report compiled interview insights from  20 members of U.S. public company boards, representing a variety of business sectors (including manufacturing, high tech, real estate, food services, retail, telecommunications, air travel, energy, health care, and banking) and ranging in size from $150 million to over $30 billion in revenues. The report ultimately demonstrates the need and desire of corporate boards to take the lead in improving risk oversight. The following ten insights are noted in the report with actual board member quotes in italics.

1. Assign the responsibility of risk oversight to the full board and the burden of risk oversight to the right committee(s). ("We are all collectively responsible for risk," said a board member, while another added: "Audit committees tend to have a checklist approach to risk oversight, which is dangerous; not enough prioritization, not enough of a business angle.")


2. Consider the full breadth of material risks that can impact the company. ("We benchmark against a range of companies to make sure we think.")


3. Push for a deep understanding of the key risks. ("We spend a lot of time reviewing the numbers and understanding risk processes: where the key numbers come from, how they get into the reports.")


4. Secure the right expertise on the board. ("Transformation of our risk approach was driven by two board members with risk experience elsewhere.")


5. Nurture a healthy tension borne by diversity. ("The biggest change we made in risk management over the last few years is focusing on having the most diverse board possible.")


6. Engage the broad management team. ("The board needs to interact with management in an open manner, not just hear what has been rehearsed three times.")


7. Embed risk discussions in all board processes. ("Every initiative presented to the board concludes with a simple page with three to four bullets on the key risks.")


8. Avoid the "bureaucratic trap"—more substance, less process. ("When you ask an executive to go in depth on a specific risk and you get a blank stare, you know risk management has become too bureaucratic.")


9. Make risk management actionable, not just an exercise. ("Follow-up is critical—managers come back to the board and are asked 'tell me what you have done'—it is more than just a plan.")


10. Take ownership of improving risk management in the organization. ("To make risk management a success at our company the board had to get involved—we never gave up.")

This represents the new shift by boards to become more risk focused.  How does your company stack up against these best practices?  What other insights should be included on the list?  How do you engage senior management to embrace practices such as these?  If you are interested in joining the discussion, email us at NavigateSuccessfully@WheelhouseAdvisors.com.