Regulators and commentators alike periodically exhort boards to examine their risk management practices more closely—usually after some sort of economic bubble burst and company failure. Why wait? All boards should do this from time to time.
A useful starting point might be a report released in late 2009. Its publisher, the US National Association of Corporate Directors (NACD), described it as a ‘how-to for directors who are recommitting to corporate governance excellence’. The NACD’s 2009 Blue Ribbon Commission Report was based on evidence from recent company failures and input from real boardrooms. It provides detailed solutions and practical advice for directors on risk oversight. [1]
For example:
- Risk is a team sport. Various recommendations have been made that boards develop risk committees. Many have done so, most often by extending the brief of existing audit committees. The report found that delegating to a committee is part of the problem. The whole board should take ownership of risk and provide collective oversight.
- The board needs to help set risk tolerance. The board should consider its risk appetite and the potential risk/reward equation. It should consider how much tolerance it has for variances from its risk appetite, depending on changing operating conditions.
- Boards must control information flow. They may not have enough information to do their jobs properly. Boards should consider whether new or different information could result in changed conclusions about the company’s risk profile or the adequacy of its systems.
The NACD’s then President, Ken Daly, identified six alarm bells that can alert directors to potential risk problems and should never be ignored. [2] These bells are relevant to not-for-profit boards as well as commercial entities:
1. When financial results are unusual
These can be positive or negative. A sudden downturn or vast improvement in a company's financial performance should prompt its directors to probe management about the reasons. Directors should make sure the answers they get are both plausible and acceptable.
2. When ‘stress tests’ on accounting estimates don't hold up
Daly suggested that various accounting estimates are good places for boards to stress-test by looking at the underlying management assumptions. (We suggest other non-financial performance metrics may be just as important.) He used credit cards as an illustration. Credit card losses/delinquencies may be tied to unemployment rates. If unemployment has jumped in a region from 7% to 9%, a credit card issuer should ask how this has affected its estimates of delinquencies and resources allocated to collections. Directors should listen to management's explanations to see if they have adjusted the numbers—in a way that makes sense—or if the underlying assumptions might be suspect.
3. When rationalisations don’t add up
This relates to circumstances where there is a significant discrepancy between what happened and what was expected, and explanations of the difference don't make sense. When results dramatically differ from what the board has been led to believe, directors naturally question whether management has an adequate handle on the business. Surprises should also cause directors to explore whether they themselves understand the business well enough. Is there something going on they haven't been told about?
4. When there are conflicts of interest
Another red flag is a lack of director independence. Conflicts of interest are not confined to when a board member might stand to benefit personally. There may also be a conflict of loyalty, such as when an affiliation/commitment to another organisation might sway a director. Both are pointers to reputational risk, if nothing else.
5. When there is a lack of knowledge about what others are doing
This mainly concerns a lack of knowledge about other entities in the same sector/industry. When a company’s results differ notably from those of others in the industry, what has caused it to be significantly better? Is it brilliant management, better products, or something else? For example, has the company made much higher risk/reward trade-offs than competitors?
6. When there is an apparent disconnect between strategy and risk
Daly asserts that most of the key risk factors affecting a company relate to its strategy. However, many directors seem not to understand the strategy fully, nor have they been sufficiently engaged in strategy development and review to give them a good understanding of some of the risks that may go with that strategy. [3]
Next steps?
• Schedule a board discussion on the way it goes about risk management
In particular, discuss the NACD Blue Ribbon Commission’s conclusions. For example, has your board delegated too much of its basic thinking about risk to a ‘risk committee’?
• Conduct an annual discussion about risk
Schedule into your annual agenda a solid discussion of the risk factors facing the business—as seen from the board’s perspective. While there may be a high degree of alignment between the board and management, we should expect the respective perspectives to be somewhat different. Remember, at the end of the day, it is the board’s judgement that is on the line.
• Ask plenty of questions
Besides being alert to potential red flags of the type identified by Ken Daly, a director’s best approach is to ask questions and keep going until genuinely satisfied with the answers. You should not jump to negative conclusions. There may be perfectly good (and acceptable) explanations for some of the issues that don’t seem, at first glance, to add up.
• Keep an ear open for the ‘sound’ of the six alarm bells
And anything else that might not quite sound right.
• Seek independent verification
If answers from management don’t seem to stack up, it may be time to initiate an independent external review. Bringing someone in from the outside to look at the situation with a fresh perspective (and perhaps greater experience/knowledge/understanding) is likely to help you (board and management alike) conclude whether there is a real problem. Either way, you will be better off by knowing. It will also demonstrate to various stakeholder groups that your board is on its toes and looking after their interests.
Notes
[1] NACD (2009) Risk Governance: Balancing Risk and Reward.
[2] Beverly Behan. ‘Six Alarm Bells for Corporate Board Members.’ Bloomberg Businessweek, April 9, 2010.
[3] In the 2009 NACD public company governance study, strategic planning and oversight were rated the top issue of importance to board governance, yet less than 20% of respondents ranked their boards as highly effective in this area (Behan, 2010, op cit.).