The Risk Intelligent Board
Viewing the World Through Risk-Colored Glasses

By Steve Wagner and Maureen Errity
Illustration By Eddie Guy

Recently, a colleague told us two offbeat and seemingly unrelated stories:

He said he just had his septic system repaired. Out in the yard, inspecting the work in progress, his contractor pointed to the walls of the freshly excavated pit. “That is some beautiful soil down there,” the contractor said.

He then recounted an experience at a recent medical exam. While drawing his blood, the nurse nodded toward his bare forearm. “Those are truly impressive veins you’ve got there,” she said.

We must admit, this coworker had us curious. What could possibly be the point of these strange recollections?

“The point is,” our colleague quickly told us, “that everybody has a view of the world that is shaped by their knowledge and experience. I looked down in that hole and saw rocks and dirt. He looked in and saw hydraulic gradients and soil permeability. I looked at my arm and saw a purplish line. She saw a protuberant median cubital vein with high productivity potential.”

Ah, we were starting to get it now. Two people can look at precisely the same thing and see something entirely different?

“Exactly!” he said. “And that same lesson applies to business. The perspective that you bring to an issue will influence your response to that issue. Your view of the world will profoundly affect your business decisions.”

“OK,” we said gamely, knowing we were being set up. “And exactly how do you look at business issues?”

“I look at all business issues through the same lens,” he said. “The lens of risk.”

Analyze the demographics of most corporate boards and you’ll find a heterogeneous collection of exceptional talent. The skills members bring to the table reflect a wealth of experience, knowledge and wisdom. Yet despite this extraordinary diversity of viewpoints, we believe that every member of the board should don a pair of risk-colored glasses.

We expect this tinted eyewear to become increasingly popular. These days, you can’t even sit on a public company board without giving at least cursory attention to risk. The New York Stock Exchange requires the audit committee of all listed companies to annually discuss the company’s financial risk exposures and understand how management addresses such risks. Several shareholder ratings services and institutional investors now include risk management in their corporate evaluations. And, of course, the potential for out-of-pocket settlements paid by board members or costly shareholder suits against the company have driven home the point in boardrooms across the land — risk has become personal.

But an annual chat (and perhaps a panicked wallet clutch) does not constitute what we consider a risk intelligent approach by the board. To meet their fiduciary responsibilities, directors must share a common vision of risk and adopt a framework to support their risk oversight activities. Unfortunately, today, these elements are lacking at many companies.

This is not to imply that boards are negligent when it comes to risk. Quite the contrary; most board members make careful deliberations and bring to bear their best judgment. They summon the chief risk, strategy and audit executives, along with the external auditor and others who manage exposures to risk and related policies, to appear before the board. They listen to presentations, ask tough questions, and review reports.

Laudable but, unfortunately, insufficient. What is lacking is a context for understanding the issues. The board has nothing to benchmark against; directors have no process or framework in place to allow them to take an independent, objective view. As a result, they are left grappling with risk on an almost intuitive level, an ad hoc approach that allows issues to slip through the cracks. And, as has been demonstrated countless times, when risks are not managed properly, bad things almost inevitably happen.

The buck stops … where?

Boards are under pressure — regulatory, legal, fiduciary, stakeholder — to oversee the risk management activities of the company. But many board members are unsure how to approach their risk-related responsibilities. They are uncertain about roles and delineation of responsibility. They wonder where to start and how to bring all the disparate pieces together.

In fact, many options are open to companies as they develop a framework for managing risk. One of the earliest questions that must be addressed: Where does risk oversight belong at the board level? Companies have tried myriad approaches, each of which offers pluses and minuses:

1. Keep risk responsibilities at the full board level. This approach gives risk issues a broad and thorough airing for the entire board membership. However, it can also be unwieldy and inefficient to get into detailed risk considerations with the full body.

2. Delegate overall risk responsibilities to the audit committee. This is a seemingly logical choice. But in the Sarbanes-Oxley era, the audit committee may be the most overworked of all board committees. Financial risk is already on its agenda, as is the less-clear-cut financial risk oversight required by NYSE listing standards. Piling on operational, strategic and enterprise-wide risks may present an undue burden that could result in insufficient oversight.

3. Create a risk management committee. This option represents a good choice for many companies (including our parent organization, Deloitte & Touche USA LLP, which recently created a risk committee of its own). Many financial services companies maintain dedicated risk committees; they are less common, but not unheard of, in other industries. Full boards with large memberships are more likely to spin off separate risk committees; smaller boards tend to retain risk oversight within their own ranks.