Advice to the Board
Knowing the Business is Critical to Effective Risk Oversight
In this article, the author shares excerpts of a speech he presented to board members regarding the importance of managing risk and sources of risk.
Those of you who know me or have been students of mine, know that I constantly rant about the supreme importance of knowing and understanding the clientâ€™s business to intelligently comprehend and appreciate the risks the business faces.Â Well, the same goes for the board of directors.
Obtaining an understanding of the clientâ€™s business is key to effective oversight, including enterprise risk management, and helps in building and maintaining a positive relationship with management.
Understanding the business and the space it operates in is an ongoing process.Â I suggest starting with understanding the business strategyâ€”where are we today, where are we going, and how are we going to get there?Â Then inquire about and understand the obstacles and hurdles the business may have to maneuver around or jump over.Â This simple exercise will help flesh out or clarify the key risks that need to be monitored and managed. Â In my opinion, Jim DeLoach, managing director at Protiviti, said it best: â€śRisk is often an afterthought to strategy, and risk management is an appendage or â€™side activityâ€™ to performance management.â€ťÂ He is right!
The National Association of Corporate Directors outlines five categories of risk facing every board,[i] but more importantly, they provide a context for boards and management to understand the scope of the boardâ€™s risk oversight; as well as the delineation of the boardâ€™s oversight responsibilities and managementâ€™s responsibilities for identifying, evaluating, managing, and monitoring risk.
Governance Risksâ€”These risks relate to directorsâ€™ decisions regarding board leadership, composition, and structure; director and CEO selection; CEO compensation and succession; and other important governance matters critical to the enterpriseâ€™s success. Â Often, these decisions require directors to weigh the pros and cons associated with alternative courses of action. Â While boards can periodically benchmark their processes for evaluating these matters by considering best practices employed by other boards weighing similar decisions, they often must rely on their collective business judgment, knowledge of the business, and information provided by third-party advisers, including search firms, compensation consultants, legal counsel, and accounting professionals.Â Key point: These matters are exclusively within the boardâ€™s domain.
Critical Enterprise Risksâ€”These risks are the ones that really matter, the top five to ten risks that can threaten the viability of the companyâ€™s strategy and business model. Â Certain risks require directors to [understand the business so that they] have the necessary information that will prepare them for substantive discussions with management about how these risks are managed. Â The criticality of these risksâ€”such as credit risk in a financial institution or supply chain risk in a manufacturerâ€”may require full board engagement as well as an ongoing oversight process.Â While management is responsible for addressing these risks, the board should consider its own information requirements for understanding managementâ€™s effectiveness in addressing them. Â For example, the board might require management to report on the impact and likelihood of the risk on key strategic goals, as compared to other enterprise risks, as well as the status of risk mitigation efforts with input from the executives responsible for managing specific risks. Â Other examples of relevant information useful to the board might include: the effects of technological obsolescence, changes in the overall assessment of risk over time, the effect of changes in the environment on the core assumptions underlying the companyâ€™s strategy, and interrelationships with other enterprise risks.Â Key point: These risks should command a prominent place on the boardâ€™s risk oversight agenda. The board should satisfy itself that management has, in place, an effective process for identifying the organizationâ€™s critical enterprise risks so that the boardâ€™s risk oversight is properly focused.
Board-approval Risksâ€”These risks relate to decisions the board must make with respect to approving important policies, major strategic initiatives, acquisitions or divestitures, major investments, entry into new markets, etc. Â Through careful consideration and timely due diligence, directors must satisfy themselves that managementâ€™s recommendations regarding these matters are appropriate to the enterprise before approving them. Â Therefore, such matters may prompt the board to ask questions regarding the associated rewards and risks, and even request further analysis before approving managementâ€™s recommended actions.Â Key point: The matters requiring board approval are often specified in the corporate bylaws and various charters of the board and its respective committees. Â That said, changes in the business may necessitate that the board and executive management remain on the same page as to what requires board approval. Â It is important that the board approve major strategic and policy issues on a before-the-fact basis.
Business Management Risksâ€”These are the risks associated with normal, ongoing day-to-day business operations.Â Every business has myriad operational, financial, and compliance risks embedded within its day-to-day operations.Â Because the board simply does not have sufficient time to consider every risk individually, it should identify specific categories of business risk that pose threats warranting attention and determine whether to oversee each category at the board level or delegate oversight responsibility to an appropriate committee.Â For example, the Audit Committee traditionally oversees financial reporting risks.Â Other business risks might include: operational risks associated with internal processes, IT, intellectual property, customer service, obsolescence, manufacturing and the environment, financial risks such as excessive leveraging of the balance sheet, compliance risks such as non-compliance with a new complex law, and reputational risks such as those that threaten the companyâ€™s brand image.Â With respect to all of these risks, it is managementâ€™s responsibility to address them.Â If any of them are critical enterprise risks, they warrant the boardâ€™s full attention (as noted earlier).Â Key point: The boardâ€™s committees may oversee many of these risks in accordance with their chartered activities.Â Typically, periodic reporting coupled with escalation of unusual developments requiring board attention will suffice.
Emerging Risks and Nontraditional Risksâ€”These include: cyber, climate change, slowdown in foreign markets, disruptive technological innovation, demographic shifts, and other external risks outside the scope of the first four categories.Â While management is responsible for addressing these risks, directors may need to understand them.Â Key point: The board needs to satisfy itself that management has processes in place to identify and communicate emerging risks on a timely basis.Â Such processes enable management and the board to be proactive.
The above risk categories provide a useful context for boards and executive management to ensure the scope of the risk oversight process is sufficiently comprehensive and focused.
Understanding the business is essential and will allow you to be a better board member because it will enable you to provide more valuable feedback on the risk management process, the internal control structure, the financial statements and disclosures, and other areas. Â It will also fine-tune and help calibrate your degree of skepticism when evaluating the reasonableness of the answers received to the questions we ask.
Do not be fooled; do your homework!
This article was previously published in Marcum Valuation and Litigation Advisor, July 2018, and is republished here with permission.
[i] Report of the NACD Blue Ribbon Commissionâ€”Risk Governance: Balancing Risk and Reward, National Association of Corporate Directors
Jonathan Marks, CPA, CFF, CITP, CGMA, CFE, is a partner in Marcumâ€™s Philadelphia office and is a member of the firmâ€™s Advisory Services Division. He has almost 30 years of experience working closely with clients, their boards, senior management, and law firms on fraud and misconduct investigations, including global bribery and corruption matters. Mr. Marks assists his clients in mitigating potential issues by conducting root cause analysis, developing remedial procedures, and designing or enhancing governance, global risk management, and compliance systems, along with internal controls and policies and procedures. Mr. Marks has educated and advised individuals, law firms, and some of the worldâ€™s largest companies in these and other areas, including complex accounting, auditing, disclosure, and internal control issues related to financial reporting, and regulatory compliance with the Securities Act of 1933, the Exchange Act of 1934, the Foreign Corrupt Practices Act of 1977 (FCPA), the Sarbanes-Oxley Act of 2002 (SOX), Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, and the United Kingdomâ€™s Bribery Act (UKBA).
Mr. Marks can be reached at email@example.com or at (215) 297-2370.