CHAPTER 43
Directors and Risk: Whither the Best Practices—Evidence from Canada

 

DAVID W. KUNSCH, PhD, BSEE, LL.B., MSc

Associate Professor, St. John Fisher College

 

CHRIS BART, PhD, FCPA, FCIoD, CDir

Founder, The Directors College of Canada, Executive Chairman, Caribbean Governance Training Institute

 

INTRODUCTION

Risk management needs to occur at all levels of an organization because organizational risk is everywhere and it defines what might prevent an organization from achieving its objectives. Because of this, the board of directors, which exists at the very top of an organization, is expected to both exercise diligent oversight regarding an organization's principal risks and concentrate on those risk processes that, in turn, cascade throughout the organization, thereby managing and mitigating risk at the organization's lowest, operational levels. Accordingly, we have undertaken this study to survey the directors of several organizations about their organizational risk oversight practices to get a “view from the top.”

One of the ways in which directors can fulfill their duties with respect to risk oversight is to adopt a risk management/oversight framework. Frameworks supply directors with prescribed methods to use in exercising their duties as reasonable and prudent supervisors of the organization. The application of a framework not only gives directors reasonable assurance that they are meeting their required compliance guidelines in fulfilling their legal duties (i.e., duty of care and duty of loyalty), but also enhances their risk management practices for the betterment of the organization.

We begin this chapter by outlining the responsibilities of the board of directors. In particular, we review the legal duties imposed in the United States, Great Britain, and Canada to demonstrate the consistency and pervasiveness in Western capitalist society of these duties and to set the context of why risk management is important to boards, not just as good business practice but as a matter of legal responsibility. We then briefly describe our general thoughts on the development of risk management best practices and the use of frameworks in encouraging responsible risk management, with a specific focus on selected Canadian frameworks. Following this discussion are an outline of the survey we conducted and its results. We conclude with a discussion and interpretation of the results, with suggestions for pursuing additional avenues of research.

ROLE OF THE BOARD OF DIRECTORS AND DIRECTORS IN GENERAL

Directors are legally responsible for monitoring the operations of organizations. Part of this monitoring obligation necessarily requires directors to appreciate both the nature of the risks the organization faces and the organization's response to these risks. With monitoring risk being such an important aspect of directors' duties, there is a need to better understand the role of the board of directors in relation to the risk and the compliance activities of the board (Nicholson and Newton 2010).

The general role of the board is to provide strategic input, identify performance objectives, make key appointments, and, finally, provide management oversight (Brown, Steen, and Foreman 2009). Part of its strategic input and management monitoring responsibilities is risk management oversight for the organization (Kiel and Nicholson 2002). “The board of directors has the ultimate responsibility for the enterprise risk of the company, being accountable to shareholders and other stakeholders” (Dickinson 2001, 365). The oversight of the risk profile and processes of the organization is becoming an increasingly more important duty of the board (De Lacy 2005). Corporate risk taking and performance are ultimately dependent on the quality, monitoring, and decision making of the board of directors (Ferrero-Ferrero, Fernandez-Izquierdo, and Munoz-Torres 2012). This monitoring requirement of the board requires directors to make sure they ask questions, demand answers, and identify, quantify, and manage all potential risks (Kleffner and Lee 2003). Practically, the board, management, and external and internal auditors must all work together to properly monitor and address risk in the modern corporation (Sobel and Reding 2004). From a corporate governance perspective the directors of an organization have a clear and leading role in understanding, defining, and managing the organization's risk.

To understand what is expected of directors when engaging in their risk management role, one can look to the directors' legal “duty of care” and the standard to which they must exercise this duty. This duty of care and its related standard are in many cases outlined by various statutes and court decisions promulgated by the various jurisdictions around the world as well as by corporate documents.

In the United States the role of the board of Delaware corporations (a favorite incorporating state) is stated thus: “[a] cardinal precept of the General Corporation Law of the State of Delaware is that directors, rather than shareholders, manage the business and affairs of the corporation” (Aronson v. Lewis 1984, 811). As a consequence, there is a “presumption that in making a business decision the directors of a corporation acted on an informed basis, in good faith and in the honest belief that the action taken was in the best interests of the company.... Absent an abuse of discretion, that judgment will be respected by the courts” (Aronson v. Lewis 1984, 812). Directors of a Delaware corporation must “use that amount of care which ordinarily careful and prudent men would use in similar circumstances,” and “consider all material information reasonably available in making business decisions” (In Re: Walt Disney 2005).

In Great Britain, directors' responsibilities are outlined in the UK Companies Act (Companies Act 2006). The director must “act in good faith…to promote the success of the company for its members as a whole…” (Section 172(1)) and they must “exercise reasonable care, skill and diligence…as that which would be exercised by a reasonably diligent person…” (Section 174(1)).

In Canada the general statutory duty placed upon a director is to “act honestly and in good faith with a view to the best interests of the corporation” (Canada Business Corporations Act 1985, s. 122(1)(a)). The general statutory standard of care expected of directors is to “exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances” (Canada Business Corporations Act 1985, s. 122(1)(b)). This is an objective standard whereby a director's standard of care is measured against what others in the industry are doing; this makes the utilization of a framework very important in determining if directors are adequately discharging their legal obligations. Canadian courts have effectively (if somewhat obliquely) affirmed the business judgment rule (Vanderpol and Waitzer 2012). The general duty of a director is to act as an overseer to the business operations and not as a day-to-day manager. Specifically, a board should supervise management by making sure there are policies and procedures in place ensuring that management is overseeing the business adequately, being involved in strategy at the earliest phases, and ensuring that the corporation has adequate internal controls (Torys 2009). Directors must satisfy themselves that management has implemented appropriate systems and policies to ensure that management and the board have all the information they need to manage the corporation and make informed judgments, as well as to ensure that any material positive or negative developments are immediately brought to their attention (Torys 2009).

In Canadian nonprofits, the board of directors' role is similar to their counterparts in for-profit corporations—to represent stakeholder interests when dealing with the organization's management and performing their other ascribed duties. Primer for Directors of Not-for-Profit Corporations (Broder 2002) indicates that even when the subjective standard of care applies, this does not mean that a director with few skills or little experience will escape liability.

The conventional wisdom is that such a director is required to act in accordance with conduct expected of a reasonably prudent person. This means that a director without the skills required to meet that standard is obliged to acquire at least some of them. A director who is not already knowledgeable must become informed (Burke-Robertson 2013).

In all three jurisdictions (the United States, Great Britain, and Canada), directors are legally responsible for overseeing and monitoring the organization and must do so in a manner consistent with that which would be exercised by a reasonable and prudent person. One of the ways to demonstrate that they are acting reasonably is for a board to adopt and follow a recognized risk framework.

RISK MANAGEMENT

Every company and organization faces certain risks in the conduct of their affairs. Over time various methodologies for handling these risks have been developed to more effectively and efficiently minimize them so as to maximize the output of the organization.

Adopting a framework is an important function, especially when it comes to developing and implementing a process to be the most effective and efficient in the industry. There are several advantages to the use of a framework (Dervitsiotis 2000). These advantages include some assurance that the desired process has been tested or vetted by knowledgeable parties to carry with it a seal of approval as to how an organization may approach a particular function. The adherence to a framework would be evidence of discharging the legal duties that directors are under, and if for no other reason, should be utilized to the greatest extent possible.

Accordingly, in Canada, board directors are becoming more interested in and concerned about risk and how they should give diligent risk oversight in discharging their legal and corporate governance duties (Leblanc 2008). While risk management is complex, there are several sources for frameworks from which directors can draw direction on how to proceed, including Emerging Governance Practices in Enterprise Risk Management (Tonello 2007) and, more directed to Canadian boards and directors, The Canadian Institute of Chartered Accountants' A Framework for Board Oversight of Enterprise Risk (Caldwell 2012) and The Canadian Institute of Chartered Accountants' 20 Questions Directors Should Ask About Risk (Lindsay 2006).

A Framework for Board Oversight of Enterprise Risk (Caldwell 2012, 1) is a detailed 80-page guide for directors on how to “better identify and address critical risks, understand how risks are interconnected and recognize the potential compounding of risks should unfavourable events occur at the same time.” This document aims to put in place a framework for boards to implement in order to achieve the goals as stated earlier.

20 Questions Directors Should Ask About Risk (Lindsay 2006, 1) alternatively is “designed to be a concise, easy to read introduction to [risk management]…The question format reflects the oversight role of directors…is not intended to be a precise checklist, but rather a way to provide insight and stimulate discussion on [risk].” Each question contains commentary as to why the question is important and what directors may expect in the way of answers from members of the organization or its retainers. An auditor could use these questions to ferret out how well an organization is meeting best-in-class practices with regard to risk management.

METHODOLOGY

In order to better understand how boards of directors view and handle risk, we conducted a survey of directors of various organizations in Canada. One of the purposes of this survey was to see how closely actual risk management practice followed certain risk management frameworking standards in Canada and if the adoption of a framework coincided with better risk oversight behavior in these organizations. We studied primarily one framework, 20 Questions Directors Should Ask About Risk produced by the Canadian Institute of Chartered Accountants (“20 Questions”), with supplementary questions from a second framework, The Canadian Institute of Chartered Accountants' A Framework for Board Oversight of Enterprise Risk (Caldwell 2012). While there may be other frameworks available to organizations and directors in Canada, we believed that using the 20 Questions was a legitimate starting point in that the Canadian Institute of Chartered Accountants is made up of the 72,000 chartered accountants in Canada and has been embraced by a leading director education/certification program in Canada, The Directors College, in its flagship Chartered Director Program. This survey uses the 20 Questions framework to test the nature and degree of directors' oversight of risk.

The 20 Questions are broken down into the following four general areas.

Strategic Planning and Risk

“Boards are responsible for approving the overall strategic direction of the company. As part of the planning process, boards must clearly understand their company's current business strategy, its critical success factors and related business risks” (Lindsay 2006, 3). Boards are responsible for approving the organization's strategy and monitoring the strategy's execution and therefore must have knowledge of organizational risk in order to perform their legal duties.

Risk Management Processes

Lindsay states, “The successful implementation of corporate strategic plans requires processes and procedures that guide the business planning of managers and the actions of individual employees. This requires direction, co-ordination and two way communications” (2006, 5). In order for the board to perform their monitoring role, they need to know what is going on and depend on those in the organization's hierarchy to inform them, as it is impossible in a large organization to have this information in any other way.

Risk Monitoring and Reporting

“The board's oversight role includes reviewing regular and timely information about the organization's performance and the risks that could affect the achievement of its strategic and business objectives” (Lindsay 2006, 7). If the board is successful in obtaining the necessary information, they need to review and act upon it in order to fulfill their statutory mandate.

Board Effectiveness

“The board should take its time to define its role in risk management. It should make sure it is organized to meet its responsibilities for ensuring that the corporation's risk management policies and programs contribute to sustainable value creation for owners and other stakeholders” (Lindsay 2006, 9).

There are 20 questions associated with these four general risk areas of the 20 Questions framework. The 20 Questions document includes subquestions that Directors should consider in order to properly answer the 20 questions of the 20 Questions framework. We have supplemented all these questions with additional ones based upon The Canadian Institute of Chartered Accountants' A Framework for Board Oversight of Enterprise Risk (Caldwell 2012) where we believed additional survey questions would help us understand the extent of the 20 Questions compliance. After this review of these two source frameworks our survey included 46 questions regarding risk processes of the organization, management, and the board. The survey also included 11 questions related to risk information provided to the board by the organization and management. These 57 survey questions were aimed at understanding the degree to which organizations and board members conducted activities in alignment with relevant Canadian frameworks related to risk management, primarily the 20 Questions framework.

The survey was conducted in the spring of 2013 during the Directors College's director education/certification program in Toronto, Ontario, Canada. Each participant was asked to identify the organization of which they were a member of the board and to answer the questions in relation to that particular organization and its board. The results were submitted either electronically or manually depending on the preference of the director. Directors were assured of anonymity, but, if they desired, they could provide their names and organizations. Directors were not required to complete this strictly voluntary survey.

RESULTS

We will report our results by first outlining some general demographics of the survey respondents, then detailing how the respondents answered questions pertaining to the 20 Questions. The survey began with 31 personal and organizational demographic questions, followed by 57 questions related to risk frameworks, and ending with 28 questions on more personal and organizational risk attitudes and perceptions. In total there were 116 questions in the survey, which took about 40 minutes to administer, although the respondents were provided as much time as they required. There were a total of 63 respondents, of which 12 self-identified as being directors of organizations that followed the 20 Questions framework.

The directors were asked to pick only one organization they were currently a director of as the focal organization for answering the survey questions. This was to account for those directors who may sit on more than one board. The average board experience was 8.4 years and the average board experience of the directors for the focal organization was 4.5 years. Thirty-two percent of the respondents were female and 68 percent male. 15.3 percent of respondents were under the age of 40, 23.6 percent between 41 and 50, 40.3 percent between 51 and 60, and 20.8 percent between 61 and 70. 12.7 percent of responding directors had only a secondary school (high school) education, 33.8 percent a university undergraduate education, 45.1 percent a Master's degree, and 2.8 percent a PhD.

For these focal organizations the average number of directors was 10.5 and they had on average 7.1 board meetings a year. The average revenue for the focal organizations was $427 million and the median was $35 million (Canadian dollars). There were, on average, 2,100 employees at these organizations and the median was 150 employees. Average assets were $19 billion and the median was $26.5 million.

Directors rated their organization's performance versus those in their industry. Overall, 76.1 percent of directors rated their organization's performance above that of their industry and 25.4 percent of directors rated their organization's performance so much better than their industry that we found this difference to be statistically significant at the p < 0.05 level. The respondents also rated their satisfaction with their organization's performance at 9 percent extremely satisfied and in total 65.7 percent above average satisfaction. Finally, these directors described their organizations to be 11.9 percent international, 17.9 percent national, 44.8 percent regional, and 25.4 percent local.

The survey asked participants if they followed the 20 Questions framework advocated by the Canadian Institute of Chartered Accountants. The results were that 19 percent of participants followed this framework, 56 percent did not, and 24 percent did not know whether they did or did not. While we have collected and analyzed data from the 56 percent who specifically did not follow the 20 Questions separately from the 24 percent who did not know if they followed them, the results were in all cases consistent, so for this reporting we have combined these two results.

Interestingly, from a structural point of view, the 20 Question framework followers were more likely to have independent chairs of their boards, have lead directors, have orientation for board members, and have continuing education for board members compared to those boards that did not follow the framework.

The survey asked to what degree the directors understood their legal responsibilities related to opportunities and risks. We found that the directors who followed the 20 Questions framework had an average score of 5.6 on a 7-point Likert scale (1 = Not at All, 7 = Completely) and that those who did not follow the framework scored 4.4, which was statistically different at the p < 0.01 level. When the participants were asked if the assignment of risk oversight was clearly the responsibility of the board, those who followed the 20 Questions framework scored a 6.7 on a 7-point scale (1 = Not at all, 7 = Completely) while the nonframework followers scored a 4.7, which was a significant difference at the p < 0.01 level. Therefore, those who followed the 20 Questions were statistically more attuned to their legal responsibilities of overseeing the risks of the organization than those who did not follow the 20 Questions framework.

We produce our results in Exhibits 43.1 through 43.17. Each of the 20 questions is indicated in the title of the table. Below each of these 20 questions are the actual associated survey questions meant to determine if the respondents' organizations actually conducted activities that would correspond to the 20 Questions framework. These actual questions are numbered within each table. The columns related to framework followers and nonfollowers refer to whether respondents had self-identified as following the 20 Questions framework or not. The column marked “Significance” indicates the statistical significance of any difference in the means of the answers between the followers and the nonfollowers. The column marked “Difference” is the subtraction of the positive percentage responses from the framework nonfollowers from that of the framework followers. The range of responses for those questions that used a 7-point Likert scale is included in Appendix 43.A. It should also be noted that a particular survey question may correspond to multiple questions in the 20 Questions framework and we have endeavored to indicate these as footnotes to the tables. Furthermore, in two instances we ran t-tests to determine the significance of the difference in answers to a series of questions; these results are also indicated as footnotes.

Exhibit 43.1 Question 1: How do we integrate risk management with the organization's strategic direction and plans?

| Survey Question | Yes Score | No/Never Heard Score | Significance |
| --- | --- | --- | --- |
| 1a. Is risk management integrated into the organization's strategic direction and plans? | 5.83 | 4.16 | p < 0.01 |

Exhibit 43.2 Questions 2 and 16: What are our principal business risks?

| Survey Question | Benchmark Followers (%) | Non-Benchmark Followers (%) | Difference | Yes Score | No/Never Heard Score | Significance |
| --- | --- | --- | --- | --- | --- | --- |
| 2a. Management has a robust framework and comprehensive process to assess risk | | | | 5.75 | 4.20 | p < 0.01 |
| 2b.(a) Which risks does the Board assess? | | | | | | |
| Strategic—Market | 92 | 61 | 31 | | | |
| Strategic—Performance | 100 | 75 | 25 | | | |
| Strategic—Competition | 50 | 47 | 3 | | | |
| Strategic—M&A | 50 | 20 | 30 | | | |
| Strategic—Ineffective Strategy | 42 | 43 | –1 | | | |
| Financial—Liquidity | 75 | 57 | 18 | | | |
| Financial—Availability | 67 | 47 | 20 | | | |
| Financial—Capital Structure | 75 | 47 | 28 | | | |
| Org.—Leadership Depth | 100 | 71 | 29 | | | |
| Org.—Leadership Quality | 92 | 73 | 19 | | | |
| Org.—Mgmt. and Labor Availability | 92 | 45 | 47 | | | |
| Org.—Mgmt. and Labor Costs | 58 | 59 | –1 | | | |
| Org.—Cultural Alignment | 58 | 35 | 23 | | | |
| Op.—Customer Satisfaction | 83 | 80 | 3 | | | |
| Op.—Product failure | 67 | 27 | 40 | | | |
| Op.—Capacity Constraint | 92 | 57 | 35 | | | |
| Op.—Vendor and Dist. Dependencies | 42 | 31 | 11 | | | |
| Op.—Input Quality and Pricing | 58 | 37 | 21 | | | |
| Ext.—Macroeconomic Volatility | 83 | 47 | 36 | | | |
| Ext.—Industry Structural Change | 83 | 61 | 22 | | | |
| Ext.—Industry Cyclicality | 75 | 41 | 34 | | | |
| Ext.—Political Risks | 83 | 57 | 26 | | | |
| Ext.—Cultural Risks | 58 | 31 | 27 | | | |
| Ext.—Technological Change | 83 | 53 | 30 | | | |
| Hazard—Tort Liability | 58 | 25 | 23 | | | |
| Hazard—Property Damage | 33 | 29 | 4 | | | |
| Hazard—Natural Catastrophe | 33 | 20 | 13 | | | |
| Hazard—Environmental | 58 | 39 | 19 | | | |
| Compliance Risk | 92 | 84 | 8 | | | |
| Reputational Risk | 92 | 86 | 6 | | | |

(a) Paired samples t-test was run on the scores of the benchmark followers and the non-benchmark followers and it was significant at the p < 0.001 level (t = 9.158); the correlation between the two sets of data was 0.786.

Exhibit 43.3 Question 3: Are we taking the right amount of risk?

| Survey Question | Benchmark Followers (%) | Non-Benchmark Followers (%) | Difference |
| --- | --- | --- | --- |
| 3a. Overall the amount of risk the organization is taking is: | | | |
| Too little | 25 | 4 | 21 |
| Just right | 33 | 60 | –27 |
| Too much | 8 | 10 | 2 |
| Don't know | 25 | 10 | 15 |
| Haven't asked | 8 | 16 | –8 |

Exhibit 43.4 Question 4: How effective is the process for identifying, assessing, and managing business risks?

| Survey Question | Yes Score | No/Never Heard Score | Significance |
| --- | --- | --- | --- |
| 4a. Identifying risks | 6.00 | 4.19 | p < 0.01 |
| 4b. Assessing risks | 6.00 | 4.08 | p < 0.01 |
| 4c. Managing risks | 5.5 | 3.98 | p < 0.01 |

Exhibit 43.5 Question 5: Do people in the organization have a common understanding of the term “risk”?

| Survey Question | Yes Score | No/Never Heard Score | Significance |
| --- | --- | --- | --- |
| 5a. Our organization has a common understanding of the term “risk.” | 5.27 | 3.98 | p < 0.05 |

Exhibit 43.6 Question 6: How do we ensure that risk management is an integral part of planning and day-to-day operations of individual business units?

| Survey Question | Benchmark Followers (%) | Non-Benchmark Followers (%) | Difference |
| --- | --- | --- | --- |
| 6a. Business unit managers integrate risk management activities with business strategies. | 92 | 55 | 37 |

Exhibit 43.7 Question 7: How do we ensure that the board's expectations for risk management are communicated to and followed by the employees of the company?

| Survey Question | Benchmark Followers (%) | Non-Benchmark Followers (%) | Difference |
| --- | --- | --- | --- |
| 7a. The organization has a program of communication and training for risk for employees. | 50 | 41 | 9 |
| 7b. Risk awareness and policy usage is constantly monitored by the organization. | 75 | 39 | 36 |
| 7c. The organization's strategic and operational planning processes coordinate the risk management practices of line management and the departments that specialize in specific risks. | 58 | 37 | 21 |

Exhibit 43.8 Question 8: How do we ensure that our executives and employees act in the best interests of the organization?

| Survey Question | Benchmark Followers (%) | Non-Benchmark Followers (%) | Difference | Yes Score | No/Never Heard Score | Significance |
| --- | --- | --- | --- | --- | --- | --- |
| 8a. Risk management is integrated into the organization's strategic direction and plans. | | | | 5.83 | 4.16 | p < 0.01 |
| 8b. Senior management has the capabilities to handle the risk environment we are in. | | | | 6.00 | 5.00 | p < 0.05 |
| 8c. Management has a robust framework and comprehensive process for risk. | | | | 5.75 | 4.2 | p < 0.05 |
| 8d. The Board plays an active role in reinforcing the organization's approach to risk. | | | | 5.83 | 4.22 | p < 0.01 |
| 8e.(a) The Board includes risk management as part of the criteria for executive compensation. | 100 | 47 | 53 | | | |
| 8f.(a) The Board meets with the staff one level below the CEO to discuss risk. | 92 | 65 | 27 | | | |
| 8g.(a) The Board ensures that management has a structured process for identifying, monitoring, and managing risks. | 92 | 53 | 39 | | | |
| 8h.(a) There is a comprehensive and well-articulated set of risk management policies and procedures for the management of risk in the organization. | 75 | 49 | 26 | | | |
| 8i.(ab) Business unit managers integrate risk management activities with business strategies. | 92 | 55 | 37 | | | |
| 8j.(ac) Business plans at all levels identify business risks and opportunities. | 67 | 51 | 16 | | | |
| 8k.(a) The Board reviews with management how the risk environment is changing and what, if any, modifications need to be made. | 100 | 86 | 14 | | | |
| 8l.(a) There is a process in place to incorporate learnings from the organization's past risk responses. | 83 | 43 | 40 | | | |

(a) Paired samples t-test was run on the scores between the benchmark followers and the non-benchmark followers and it was significant at the p < 0.001 level (t = 6.754); the correlation between the two sets of data was 0.472.

(b) Same as survey question 6a.

(c) This is the same as survey questions 10a and 11e.

Exhibit 43.9 Question 9: How is risk management coordinated across the organization?

| Survey Question | Benchmark Followers (%) | Non-Benchmark Followers (%) | Difference |
| --- | --- | --- | --- |
| 9a. The organization's strategic and operational planning processes coordinate the risk management processes of management and the departments that specialize in specific risks. | 58 | 37 | 21 |

Exhibit 43.10 Question 10: How do we ensure that the organization is performing according to the business plan and within appropriate risk limits? And Question 11: How do we monitor and evaluate changes in the external environment and their impact on the organization's strategy and risk management's practices?

| Survey Question | Benchmark Followers (%) | Non-Benchmark Followers (%) | Difference |
| --- | --- | --- | --- |
| 10a.(a) The Board reviews with management how the strategic environment is changing and what if any modifications need to be made to the strategic plan. | 100 | 86 | 14 |

(a) This is the same as survey questions 8k and 11e.

DISCUSSION

This research leads us to some observations about risk management in organizations and in particular at the top of organizations. These observations come from our analysis of responses to 57 questions on risk management practices in a survey administered to Canadian directors. These directors are legally obligated to take action that is in the best interests of the organization and to act in a prudent and reasonable fashion, including the overseeing of the organization's risk management practices.

One risk management practice we tried to test was whether the directors of organizations that have adopted a framework, in our case The Canadian Institute of Chartered Accountants' 20 Questions Directors Should Ask About Risk, actually implement the practices that are indicative of, or recommended by, the framework. We believe that the 20 Questions is a useful risk framework for organizations and that the survey questions are reflective of the practices recommended by this framework. We further believe that this survey is suggestive of good risk practices at the organizational and board level.

Exhibit 43.11 Question 12: What information about the risks facing the organization does the board get to help to fulfill its stewardship and governance responsibilities?

| Survey Question | Benchmark Followers (%) | Non-Benchmark Followers (%) | Difference | Yes Score | No/Never Heard Score | Significance |
| --- | --- | --- | --- | --- | --- | --- |
| 11a. Risk management processes and discussions have the support of the CEO. | | | | 6.00 | 5.02 | p < 0.10 |
| 11b.(a) The Board meets with the staff one level below the CEO to discuss risks. | 92 | 65 | 27 | | | |
| 11c. Risk awareness and policy usage is regularly monitored by the organizations. | 75 | 39 | 36 | | | |
| 11d. The organization's information systems incorporates reports on key performance targets and related risk factors | 75 | 51 | 24 | | | |
| 11e.(b) The Board reviews with management how the strategic environment is changing and what if any modifications need to be made to the strategic plan. | 100 | 86 | 14 | | | |
| 11f. The Board obtains timely briefings to confirm the public risk disclosures needed to meet current requirements. | 67 | 49 | 18 | | | |

(a) This is the same as survey question 8f.

(b) This is the same as survey questions 8k and 10a.

Exhibit 43.12 Question 13: How do we know that the information that the board gets on risk management is accurate and reliable?

| Survey Question | Yes Score | No/Never Heard Score | Significance |
| --- | --- | --- | --- |
| 12a. Do you feel that the industry experience you have on the Board is adequate to conduct the Board's oversight role? | 4.67 | 4.2 | Not significant |
| 12b. The Board retains experts to assist them. | 3.08 | 2.45 | Not significant |
| 12c. Does the Board trust the judgment of the CEO with respect to risks? | 6.00 | 5.24 | Not significant |
| 12d. Senior management has the capabilities to handle the current risk environment we are in. | 6.00 | 5.00 | p < 0.05 |

Exhibit 43.13 Question 14: How do we decide which information on risks we should publish?

| Survey Question | Benchmark Followers (%) | Non-Benchmark Followers (%) | Difference |
| --- | --- | --- | --- |
| 13a. The Board is satisfied that the reporting of risks meets current standards. | 92 | 67 | 25 |
| 13b. The Board receives timely briefings to confirm that public risk disclosures meet current requirements. | 67 | 49 | 18 |

The survey analysis revealed in nearly all instances a significant positive difference in the good risk practices adoption rate between those organizations that adhered to 20 Questions and those that did not. This unsurprising result supports our contention that the adoption of a framework is indicative of preferred practices. It appears that the adoption of a framework is not just a hollow action. It is reflective either of a current practice in the organization or of newly adopted best practices, since the organizations that did not adopt the framework were less likely to utilize the best practices. This highlights the importance of the development and dissemination of frameworks or best practices in the risk arena. While there appears to be a correlation between the adoption of the framework and the use of its best practices, we feel there is room for further research to explore the causative relationship, if any, between these two activities. It is recommended that a framework related to risk be adopted by all organizations and, irrespective of the direction of causation, this adoption appears to correlate with best practices. We also suggest that an organization's adoption of a framework is evidence that directors are meeting their legal obligation to act in a reasonable and prudent manner in their oversight and monitoring role—this may be connected with the result that those directors whose organizations followed the 20 Questions framework were statistically more aware of their legal obligations and duties vis-à-vis risk.

Exhibit 43.14 Question 15: How do we take advantage of the organizational learning that results from the risk management program and activities?

Survey Question Benchmark Followers (%) Non-Benchmark Followers (%) Difference
14a. There is a process in place to incorporate learnings from the organization's past risk responses. 83 43 40

Those directors whose organizations followed the framework were statistically more satisfied with their risk identification, assessment, and management, and were more aware of their legal obligations regarding organizational risk. These results suggest a close correlation between directors' knowledge of their duties and the discharge of a director's legal duties with respect to risk. Ignorance of the law is no excuse, and the adoption of frameworks appears to go hand in hand with at least knowing what the law is. We would be supportive of the development of direct, straightforward frameworks such as The Canadian Institute of Chartered Accountants' 20 Questions Directors Should Ask About Risk that are understood and actionable to leaders who have the authority and responsibility for overseeing the risk appetites and processes of the organization. We suggest that an easily digestible best practices guide for directors be utilized to correspond to the directors' responsibility to the organization and its shareholders. The adoption of a framework in and of itself may require at a minimum the attention of directors to this vital area of responsibility and assist in the discharge of their legal duties. While we were unable to determine which occurred first, directors' knowledge of the law or the adoption of a framework, it seems that to begin with, directors may need a refresher on their legal obligations, which arguably will lead to better risk management practices.

Exhibit 43.15 Question 17: How does the Board handle its responsibility of opportunities and risks of the organizations? And Question 18: How does the Board ensure that at least some of its members have the requisite knowledge and experience in risk?

Survey Question Benchmark Followers (%) Non-Benchmark Followers (%) Difference Yes Score No/Never Heard Score Significance
15a. The assignment of risk oversight is clearly set out as a responsibility of the Board. 6.67 4.67 p < 0.01
15b. The Board sets aside adequate time to carry on the oversight role. 4.33 2.96 p < 0.01
15c.(a) Risk management is integrated into the organization's strategic direction and plans. 5.83 4.16 p < 0.01
15d. The Board has an adequate framework to understand the interdependencies and interrelationships of risk. 5.25 3.94 p < 0.01
15e. The industry insight you have on the board is adequate to conduct the risk oversight role. 4.67 4.37 Not significant
15f.(c) The Board retains experts to assist them. 3.08 2.42 Not significant
15g.(b) The Board includes risk management as part of executive evaluation. 1 1.56 p < 0.01
15h.(b) The Board includes risk management as part of the criteria for executive evaluation. 100 47 53
15i. The Board has a dedicated committee for risk. 42 26 16
15j. Risk management is part of the Board's training program. 67 25 42

(a) This is the same as survey question 8a.

(b) These questions are the same as 8e.

(c) This question is the same as 12b.

Exhibit 43.16 Question 19: How do we, as a board, establish the “tone at the top” that reinforces the organization's values and promotes a risk-aware culture?

Survey Question Yes Score No/Never Heard Score Significance
16a. The Board plays an active role in reinforcing the organization's approach to risk. 5.83 4.21 p < 0.01

It should be noted that failure to adopt the framework is not associated with not performing some of the best practices enunciated in the framework. In fact, the non-framework followers did utilize many of the specific processes and actions in their organizations, although at a significantly lower uptake than those who followed the framework. One can surmise that many of the best practices enumerated in the framework are just good management practices and so are adopted by many directors in any event (although at a statistically lower rate than framework followers) and separate from the framework. To the extent this is true, it further supports the position that the risk practices set out in the framework are above and beyond standard good management practices and hence are of use to every organization in its management of risk. It is arguable that general management practices may not be enough in fulfilling a director's legal obligations where it can be shown there are readily available best practices in the form of accepted frameworks. The adoption of a framework and its attendant practices are further evidence of meeting the subjective standard that directors in Canada are to uphold.

While we believe our results are very suggestive of framework adoption being associated with the actual adoption of best practices, this survey also produced a very curious and unexpected result. Despite answering more than 50 questions that directly dealt with good organizational risk process and information practices, the directors who did not follow a framework, and who scored statistically below those who did follow good risk processes, were nonetheless far more satisfied with the risk their organizations were taking by a margin of 2:1. Conversely, the more robust the risk practices, the less comfortable directors were with the amount of risk taken by their organizations. It appears the more directors knew about the risk their organizations were taking, the more uneasy they were. Less knowledge appears to be correlated with much more satisfaction with the risk taken by the organization, and therefore, at least in this survey of organization directors respecting risk, ignorance is bliss. We believe there is room for further research to understand why this interesting, somewhat counterintuitive, result was achieved. The more questions directors ask about risk, the more uneasy they should be prepared to feel about the risks their organizations are taking. Educating directors (and others) about risk management best practices should include warnings about the sleepless nights that can result from their concern about the level of risks their organizations are taking. If organizations adopt risk frameworks they should be prepared to uncover aspects of risk in their organizations that were previously unknown, ignored, or forgotten. Once these risks become known they will have to be considered and dealt with as well.

Exhibit 43.17 Question 20: How satisfied is the Board in doing what it should in overseeing risk?

Survey Question Benchmark Followers (%) Non-Benchmark Followers (%) Difference Yes Score No/Never Heard Score Significance
17a. I am satisfied that the Board is doing what it should in overseeing risk. 5.08 3.82 p < 0.05
17b.(a) Overall the amount of risk your organization is taking is: Too little 25 4 21
Just right 33 60 –27
Too much 8 10 –2
Don't know 25 10 15
Haven't asked 8 16 –8

(a) This is the same question as 3a.

CONCLUSION

In conclusion, we have studied and reported on risk management practices in organizations in a context based primarily upon a specific Canadian risk framework. Our results suggest that adoption of a framework is associated with best practices. Our results also show a strong association between better risk practices and unease among directors about the amount of risk their organizations are taking. However, there exist nuances and unanswered questions regarding how those at the top of the organization view and manage risk. We hope that this research will help inform the discussion about leadership perceptions and management of risk.

APPENDIX 43.A

All these questions were on a 7-point Likert scale.

Question 1.a: (1 = Not at all, 7 = Completely)

Question 2.a: (1 = Strongly disagree, 7 = Strongly agree)

Questions 4.a, b, and c: (1 = Not at all effective, 7 = Completely effective)

Question 5.a: (1 = Not at all, 7 = Completely)

Questions 8.a and b: (1 = Not at all, 7 = Completely)

Question 8.c: (1 = Strongly disagree, 7 = Strongly agree)

Question 8.d: (1 = Not at all, 7 = Completely)

Question 12.a: (1 = Not at all, 7 = To the greatest extent possible)

Question 13.a: (1 = Very inadequate, 7 = More than adequate)

Question 13.b: (1 = Never, 7 = Too often)

Questions 13.c and d: (1 = Not at all, 7 = Completely)

Questions 17.a and c: (1 = Not at all, 7 = Completely)

Question 17.b: (1 = Not enough time, 7 = Too much time)

Question 17.d: (1 = Completely inadequate, 7 = Completely adequate)

Question 19.a: (1 = Not at all, 7 = Completely)

Question 20.a: (1 = Not at all, 7 = Completely)

REFERENCES

  1. Aronson v. Harry Lewis. 1984. 473 A.2d 805. Delaware Supreme Court.
  2. Broder, P., ed. 2002. Primer for Directors of Not-for-Profit Corporations. Ottawa, Canada: Industry Canada.
  3. Brown, I., A. Steen, and J. Foreman. 2009. “Risk Management in Corporate Governance: A Review and Proposal.” Corporate Governance: An International Review 17, 546–558.
  4. Burke-Robertson, J. 2013. Primer for Directors of Not-for-Profit Corporations. Ottawa, Canada: Industry Canada. https://www.ic.gc.ca/eic/site/cilp-pdci.nsf/vwapj/Primer_en.pdf/$FILE/Primer_en.pdf.
  5. Caldwell, J.E. 2012. A Framework for Board Oversight of Enterprise Risk. The Canadian Institute of Chartered Accountants.
  6. Canada Business Corporations Act. 1985. R.S.C., 1985, c. C-44. Canada.
  7. Companies Act 2006. UK Public General Acts 2006 c. 46.
  8. De Lacy, G. 2005. How to Review and Assess the Value of Board Subcommittees. Australian Institute of Companies Directors.
  9. Dervitsiotis, K.N. 2000. “Benchmarking and Business Paradigm Shifts.” Total Quality Management 11, 641–646.
  10. Dickinson, G. 2001. “Enterprise Risk Management: Its Origins and Conceptual Foundation.” The Geneva Papers on Risk and Insurance 26, 360–366.
  11. Ferrero-Ferrero, I., M.A. Fernandez-Izquierdo, and M.J. Munoz-Torres. 2012. “The Impact of the Board of Directors Characteristics on Corporate Performance and Risk-Taking Before and During the Global Financial Crisis.” Review of Management Science 6, 207–226.
  12. In re: Walt Disney Co. Derivative Litigation. 2005. 907 A.2d 693. Delaware Chancery.
  13. Kiel, G., and G. Nicholson. 2002. “Real World Governance: Driving Business Success through Effective Corporate Governance.” Mt. Eliza Business Review 5, 17–28.
  14. Kleffner, A.E., and R.B. Lee. 2003. “Stronger Corporate Governance and Its Implications on Risk Management.” Ivey Business Journal, May/June.
  15. LeBlanc, R. 2008. “Risk Management Oversight: Is Your Board at Risk?” NACD—Directors Monthly. Washington, DC: National Association of Corporate Directors.
  16. Lindsay, H. 2006. 20 Questions Directors Should Ask about Risk. 2nd edition. The Canadian Institute of Chartered Accountants.
  17. Nicholson, G., and C. Newton. 2010. “The Role of the Board of Directors: Perception of Managerial Elites.” Journal of Management & Organization 16, 204–218.
  18. Sobel, P.J., and K.F. Reding. 2004. “Aligning Corporate Governance with Enterprise Risk Management.” Management Accounting Quarterly 5, 29–37.
  19. Tonello, M. 2007. “Emerging Practices in Enterprise Risk Management.” The Conference Board Research Report No. R-1398-07-WG, revised 2009.
  20. Torys. 2009. Responsibilities of Directors in Canada—A Business Law Guide. Toronto, Canada: Torys LLP.
  21. Vanderpol, S., and E.J. Waitzer. 2012. “Director's Duties and Shareholders' Rights.” Osgoode Hall Law Journal 60, 177–210.

ABOUT THE AUTHORS

David Kunsch, PhD, BSEE, LL.B., MSc, received his PhD from the Richard Ivey School of Business at Western University, where his thesis was based on corporate governance failures. His research centers on the cognitive biases, processes, and critical thinking of directors and executives and how this impacts decision making in the boardroom. Dr. Kunsch focuses on mistakes, misperceptions, omissions, deviance, and other suboptimal behaviors in the boardroom from both an individual and group decision-making perspective. His research has recently centered on how risk is perceived and acted upon in the boardroom. Dr. Kunsch is an Associate Professor of Management at St. John Fisher College in Rochester, New York, a Lead Facilitator at the Directors College at McMaster University, and has taught at the EMBA, MBA, and undergraduate levels in Strategy and Corporate Governance at the DeGroote School of Business at McMaster University, the Richard Ivey School of Business at Western University, Ryerson University, and St. John Fisher College. Before receiving his PhD he obtained his BSEE at GMI in Michigan, his LLB at Osgoode Hall in Toronto, and his MSc at Wayne State in Michigan, and has extensive legal and business experience in private practice and with large multinationals, including a Dow 30 firm.

Chris Bart, PhD, FCPA, is one of the world's leading experts on organizational mission statements and how companies can use them more effectively to become mission-driven organizations. He is currently the Co-Founder and Executive Chairman of the Caribbean Governance Training Institute and the Caribbean Institute of Directors. He is also the Founder of The Directors College of Canada (2003 to 2013), where he served as its inaugural Principal and Lead Professor. Dr. Bart has authored the 10-year Canadian business best-seller A Tale of Two Employees and the Person Who Wanted to Lead Them as well as six other widely acclaimed publications. He has published over 190 strategy- and governance-related articles, cases, and reviews. Dr. Bart currently serves as Associate Editor of the International Journal of Business Governance & Ethics as well as a Research Fellow of the Asian Institute of Corporate Governance at Korea University. He is currently listed by the Social Sciences Research Network as being in the top 10 percent of author downloads. Dr. Bart has been invited to lecture at numerous institutions in the United States, South Africa, Egypt, Greece, the Caribbean, Switzerland, the United Kingdom, Australia, the Czech Republic, and China.
