32
Risk Governance: Leading Practice and Demographic Impacts

Ingrid Robinson MFAC BCOMM CPA CIA CRMA

Director Thought Leadership, Canadian Public Accountability Board, Board Director at Charitable Impact Foundation (Canada), Former Principal and Managing Director, Enterprise Risk Management, BGIS Global Integrated Solutions

Introduction

The greatest tragedy would be to accept the refrain that no one could have seen this coming and thus find nothing could have been done. If we accept this notion, it will happen again.

Financial Crisis Inquiry Commission

As disconcerted stakeholders questioned what the board was doing to govern risk when Lehman Brothers ignited the seminal event of the 2008/2009 global financial crisis, effective risk governance was the rally cry that echoed throughout the globe. With the perception that reckless risk taking underpinned the economic turmoil, the spotlight turned on board oversight of Enterprise Risk Management (ERM).

It has been a decade since the onset of the global financial crisis. Have directors learned how to govern risk more effectively? What does effective risk governance require? How do board demographics (such as gender and professional experience) influence effective risk governance in practice?

This chapter will explore these questions, unpacking leading practices with a roadmap to effective risk governance that all firms, whether not-for-profit, crown, public, or private, can aspire to.

What Is Enterprise Risk Management and Risk Governance?

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission defines ERM as:

The culture, capabilities and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.1

In short, managing risk assists organizations to make informed decisions to enable enduring success, and is also fundamental to good governance.

Risk governance is the oversight process of the board that:

  • Establishes the structure for governing risk
  • Sets limits for acceptable risk taking in the pursuit of the organization's strategic plan
  • Ensures robust risk management systems are in place to enforce and monitor risk limits
  • Understands principal risks faced by the organization
  • Provides confidence and guidance to management in its risk-based decision making

According to the National Association of Corporate Directors (NACD) 2018–2019 Public Company Governance survey, 70 percent of directors believe their understanding of the risks and opportunities affecting organizational performance needs to be strengthened.2 This comes amid a 2019 business landscape deeply marked by disruptive risks that cut across industries.3

A 2018 study conducted by the American Institute of Certified Public Accountants (AICPA) found that directors of 62 percent of organizations are putting pressure on executives to increase their involvement in risk oversight, and these pressures are becoming harder for executives to ignore.4,5 Despite this, mature and robust risk oversight in publicly listed and not-for-profit firms in the United States remains scarce today.6

In 2017 a McKinsey & Company study found that boards spend only 9 percent of their time on risk management.7 From this I am convinced there is a lot of work to do to bolster risk governance.8

This raises the question: What do corporate governance regulations require of directors in relation to risk governance?

Corporate Governance Regulations: Risk Governance Expectations

Risk governance as a core element of corporate governance regulation is now ubiquitous in Anglo-American countries and across the globe.

Canada: The Canadian Securities Administrators 2005 Corporate Governance Guideline, National Policy 58-201, requires that boards adopt a written mandate explicitly acknowledging responsibility for:

  • Approving, on at least an annual basis, a strategic plan that takes opportunities and risks of the business into account
  • Identifying principal risks and ensuring implementation of appropriate systems to manage these risks9

In 2013, the Office of the Superintendent of Financial Institutions (OSFI) revised its Guideline on Corporate Governance, requiring that federally regulated banks, trust companies and credit unions:

  • Ensure boards and committees have sufficient financial industry and risk expertise.
  • Establish a dedicated risk committee and appoint a chief risk officer or equivalent.
  • Develop a formal risk appetite framework to guide ERM.
  • Periodically retain external parties to review board practices and oversight systems.10

United States: In 2010 the New York Stock Exchange revised its Corporate Governance Guidelines, Section 303A.09, which dictate that:

  • Large financial institutions must establish independent risk committees.
  • Audit committees must discuss guidelines and policies to govern risk management processes.

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 requires that large financial institutions have a separate risk committee to oversee ERM.11

Securities and Exchange Commission rules require that listed companies disclose the extent of the board's role in risk oversight in proxy and information statements.12

United Kingdom: Under the 2016 Financial Reporting Council UK Corporate Governance Code, the board is responsible for the following:

  • Determine the nature and extent of the principal risks it is willing to take in achieving its strategic objectives.
  • Confirm that a robust assessment of principal risks has been carried out (including those that could threaten the business model, future performance, solvency and liquidity), describing how risks are managed and mitigated in the annual report.
  • Monitor risk management and financial, compliance, and operational internal control systems at least annually, reviewing their effectiveness and reporting on the review in the annual report.
  • Disclose in the annual report whether it has reasonable expectations that the company will continue in operations taking principal risks into account.13

Australia: The Australian Exchange Commission Corporate Governance rules, principle seven, require that the board of a listed entity:

  • Establish a committee(s) to oversee risk, with a majority of and chaired by independent directors.
  • Disclose committee charter, members and attendance.
  • Disclose processes to oversee risk management where a committee is not in place.

In recent years, many Asian stock exchanges have also elevated risk governance rules, such as those outlined in Table 32.1.

Table 32.1 Select Asian Stock Exchange Risk Oversight Expectations

Stock Exchange | Corporate Governance Rules

Singapore14
  • Listed firms must adhere to the Risk Governance Guidance for Listed Boards, which addresses board roles and responsibilities and the ERM framework.
Hong Kong15
  • The Risk Management and Internal Control section of the Corporate Governance Code requires:
    • Defined roles and responsibilities of the board and management
    • Board responsibility to oversee the issuer's risk management and internal control systems
Japan16
  • Corporate Governance Code Section 4(2) requires that the board be responsible for establishing an environment in which appropriate risk taking by senior management is supported.

African countries have also started to adopt rules, such as the Financial Reporting Council of Nigeria's National Code of Corporate Governance for the Private Sector, introduced in 2016. There is a clear theme from these global corporate governance rules.

Regulators expect that directors understand principal risks [unearthed by robust ERM systems], set risk limits, ensure transparent disclosure of principal risk mitigation, possess expertise to enable risk probity, and seek independent assurance that ERM practices are effective.

The unspoken reality of these regulatory expectations is that cultural barriers in parts of the world where risk management practice is less mature, such as certain Asian and African countries, make genuine adoption challenging. I will address this later in the chapter.

These risk oversight expectations have spread beyond global stock exchange regulators. To illustrate, in Canada the Imagine Canada Standards Accreditation Program, launched in 2012 and revised in 2018, aims to strengthen public confidence in the Canadian charitable and nonprofit sector and includes bolstered board risk governance requirements.17

Other sectors in Canada, such as colleges, healthcare institutions, and credit unions, have also adopted risk governance rules. This is profoundly edifying, as risk governance is now simply deemed good for business.

This leads to another question: What do investors expect from directors?

According to the NACD's Advisory Council on Risk Oversight, investors are interested in whether the board has an inclusive, holistic understanding of the organization's risks and an equally comprehensive approach to risk oversight.18 This requires:

  1. Clear risk oversight roles for the board, committees and management [defined in charters]
  2. Reinforcement of accountability for risk oversight
  3. Defined risk limits
  4. Holistic definition of organizational risks
  5. Integration of strategy, risk, and performance discussions [compensation adjusted risk]
  6. Transparent and dynamic risk reporting
  7. Assurance that mitigation has reduced risk exposure
  8. Assessment of risk culture [open lines of communication about risk at all levels]
  9. Contextual and relevant risk disclosures to make informed decisions

With these mounting expectations, what does it take to be an effective governor of risk? Leading practice offers a proven framework and methodologies, discussed next.

A Risk Governance Approach

James Lam, a pioneer and leading expert in the field of ERM, in his paper “The Role of the Board in ERM,” offers practical guidance drawn notably from his work as a chief risk officer at companies such as GE Capital Markets and Fidelity Investments, as a trusted board advisor, and as a management consultant. Lam suggests that essential board responsibilities fall into three areas: governance structure and roles, risk policy and limits, and assurance and reporting. Together these form the Risk Governance Framework (Figure 32.1).19

I can attest to the practicality of Lam's framework, having successfully applied it in organizations of varying scales and sectors, profit and not-for-profit, accompanied by healthy risk culture.

Risk Governance Structure

A strong governance structure is the nexus for effective risk oversight. Designed correctly, governance structure drives positive risk culture and supports value-creating strategic effectiveness.

How Should the Board Organize Itself to Oversee Risk?

The board organizational chart, together with the committee and full board charters, provides a clear sense of board roles, including who does what and why.

Schematic illustration of the risk governance framework.

FIGURE 32.1 The Risk Governance Framework

This is where the design of the risk governance structure should begin. The structure should consider the significant areas of business risk, and board committees best suited to oversee the risks, while enabling partnership with management charged to manage risk.

There are three structures that I have found to be quite effective.

The first is taken from a Fortune 500 global insurance firm. The board risk governance structure consisted of three components. First, a risk committee charged to oversee business, strategic, credit, market, insurance, liquidity and operational risk. Second, an audit committee that oversees operational risk. Third, a human resource committee charged to oversee compensation risk. The board reviews its risk governance structure annually in the context of organization objectives.

The board committees partner with management through executive risk committees accountable for managing risk. Each executive risk committee is chaired by a senior executive who reports to the global chief risk officer.

This approach is coined the Risk Area Governance Structure (Figure 32.2).

In a second structure, based on a Forbes 2018 Top 100 Digital firm, the board has a risk and strategy committee to which the chief risk and strategy officer reports. This approach compels the highest order of stewardship to oversee risks embedded in strategic goals. Management in turn is accountable for managing risks to specific strategies. For instance, the CEO and chief sales officer are accountable for risk-assessing revenue growth goals, under the oversight of the board risk and strategy committee, while other strategic goals are risk-assessed by different executives, with accountability to the full board or other committees.

Schematic illustration of the structure of risk area governance.

FIGURE 32.2 Risk Area Governance Structure

Schematic illustration of the structure of integrated strategy and risk governance.

FIGURE 32.3 Integrated Strategy and Risk Governance Structure

This approach, conceptually depicted in Figure 32.3, is coined the Integrated Strategy and Risk Governance Structure.

In the third structure, the chief risk officer of a private firm reported to the board risk committee charged to oversee principal risks to the global business. The board risk committee is an excellent venue for focused risk dialogue, unencumbered by a tight board agenda. Similar approaches are used by not-for-profit boards.

Underpinning the board risk committee, the chief risk officer chaired a cross-functional executive risk committee. This venue enabled rich interdisciplinary insight and solving of critical business problems amongst the management team. To avoid redundancy, the executive risk committee should be integrated into existing executive committee structures, particularly for smaller organizations. Where this is done, it is important that sufficient agenda time is provided to discuss risk topics.

Executive risk committees are common today, as suggested by an AICPA 2017 study which found that 59 percent of firms have such a committee in place.20,21

While standalone board risk committees are growing in popularity in North America, it is still common practice today for boards to delegate risk oversight to the audit committee.22

Whatever structure is employed, it is imperative that it collectively orchestrates the full board, board committees, and management to fulfill the board's risk oversight obligations. Reporting lines, decision structures, and information flows must be clear. Moreover, the structure must acknowledge that risk oversight obligations cannot be relegated to a single committee, as the full board is ultimately accountable for risk oversight.

What Should the Charter of the Board Include Regarding Risk Oversight?

The charter of each committee should clearly set out its risk oversight accountabilities—areas of risk oversight, meeting cadence, standing meetings with executives (in-camera or otherwise), reporting frequency, authority to engage experts, alignment to management, and continuing education requirements.

In addition, the charter of the full board and board risk committee should include responsibility to:

  • Periodically review the board risk governance structure.
  • Cascade risk oversight accountability to the chief executive officer.
  • Approve a risk-informed strategic plan.
  • Monitor principal risks and mitigation strategies.
  • Approve and monitor risk appetite/limits and key risk policies.
  • Obtain assurance on ERM effectiveness.
  • Assess board risk oversight effectiveness.
  • Review the charter annually.

What Skills Should Directors Possess to Fulfill the Board Risk Oversight Charter?

Directors should possess both industry and technical expertise in the risk area they are charged to oversee, commensurate with the size and scale of the organization. Where a director understands potential outcomes from first-hand experience, true risk probity is achieved and risk-informed decisions are made.

The board risk committee chair should be competent in connecting professional experience to what is happening in the world, and to diverse sources of information and perspectives to inform risk assessment and risk-based decisions.

This philosophy should inform board risk committee appointments. Time and time again corporate debacles unfold that point to director experience that is not appropriately aligned to the organization, a key finding of the Financial Stability Board 2008–2009 financial crisis investigation.

Emerging Role of the CRO

The chief executive officer, hired by the board, is entrusted with the affairs of the organization, which includes managing risk. The reality is that agency theory rears its head: the interests of the chief executive officer [to propel organizational success] intrinsically conflict with risk taking, making it challenging for the board to govern risk effectively.

To avoid this, the chief risk officer should have an independent reporting relationship to the board [including standing in-camera sessions and risk committee and/or full board participation] and unfettered access to the chief executive officer.

This reporting relationship should be articulated in a charter that includes standing in-camera meetings with the chief executive officer and the board risk committee.

The chief risk officer has a tall order to fill, as he or she in many respects is the “eyes and ears” of the board inside the organization, charged to unearth risk insight and foresight.

That said, this job can only be done by someone who possesses deep organizational knowledge, gained through broad stakeholder engagement, business experience, tenacious curiosity, and deep risk management expertise.

It is also important that the chief risk officer work closely with the head of strategy. Organizations that do so remain ahead of disruptive, emerging, and principal risks simultaneously.

The chief risk officer also needs strong relationships with the organizational leaders who are pivotal to risk insight. I have certainly found that the best information is often unveiled over coffee with executives!

In short, the chief risk officer must know the business, be a credible part of the executive team and business operations, and be able to gauge and influence the risk tone at the top and bottom of the organization.

These ingredients are paramount for the chief risk officer to be credible to both the board and executives.

According to a 2018 AICPA study, 67 percent and 63 percent of large and public companies respectively have a chief risk officer (or equivalent)23 compared to 48 percent in 2017.24

Table 32.2 Risk Governance Structure Key Success Factors25

Key success factor: Board reporting relationship in place to support risk oversight
Description: The chief risk officer has reporting accountability to the board, with standing in-camera sessions.

Key success factor: Peer relationship between the chief risk officer and executive leaders
Description: Senior leaders are afforded a forward-looking risk perspective by a chief risk officer who is viewed as a peer, with an equivalent chief executive officer reporting line.

Key success factor: Managing risk is a company imperative, and accountability is cascaded to executives and managers
Description: A systematic and structured process is in place to support line management awareness of, and accountability for, managing line-specific risks, and the escalation of risk concerns to executives.

Key success factor: Value creation and control underpin business pursuits
Description: Business pursuits consider long-term business interests while balancing value creation and control. This is achieved by stress testing pursuits and aligning results to established risk thresholds. The chief risk officer is engaged in the process to inform risks to and from strategic business pursuits.

Key success factor: Chief executive officer and board clearly define expectations of the chief risk officer
Description: The chief executive officer and the board define expectations of the chief risk officer, which can include objective business risk assessment; alerting when strategies are not aligned to set risk thresholds; and/or supporting improvement of the business plan by advising on associated risks.

Table 32.2 outlines leading research on key factors to successfully position risk governance from the board to management.

These factors position the chief risk officer as the linking “spoke” between the board, chief executive officer, and executive leadership (Figure 32.4).

Schematic illustration of the board risk oversight, executive leadership, and the chief risk officer.

FIGURE 32.4 Board Risk Oversight, Executive Leadership, and the Chief Risk Officer

Table 32.3 Cascaded Risk Accountabilities from the Board to Management

Role Accountabilities
Board
  • Approve risk informed strategic plan
  • Approve risk policy, including risk limits
  • Understand principal and emerging risks
  • Approve and monitor principal risk mitigation strategies
  • Monitor risk metrics for principal risks
  • Gain assurance on ERM framework effectiveness (every 2–3 years)
Executive
  • Develop risk policy
  • Develop strategic plan aligned to the organizational risk profile
  • Assign risk ownership responsibilities
  • Oversee risk profile development
  • Institute risk metrics, escalation triggers, and exception reporting
  • Develop and monitor risk mitigation strategies
  • Report to board on risk mitigation, emerging risks, risk metrics, and ERM performance
Executive Risk Committee
  • Chaired by chief risk officer
  • Institute ERM framework and program
  • Develop risk profile (annually)
  • Report risk mitigation progress
  • Report on key risk metrics
  • Discuss emerging risks
  • Determine resolution for risk policy exceptions and escalate to board
  • Develop board reporting
Functional Risk Owners
  • Day-to-day risk management of functional risks
  • Execute risk mitigation strategies
  • Escalate risk policy exceptions
  • Monitor emerging risks
Employees
  • Adhere to risk management policies, process, and control requirements

Table 32.3 illustrates leading practice for cascaded risk accountabilities from the board to management.

Policy

Surrounding risk governance structure at the core is sound risk policy.

Risk policy is intended to set out board expectations and standards for risk management practice, and should include four core elements.

First, the policy should set out a visionary statement of the organization's attitude toward risk in the context of the business mission.

Second, the policy should articulate the risk governance structure, including roles and responsibilities of stakeholders.

Third, risk limits should be clearly defined and articulate the amount of risk the organization is willing to accept in the pursuit of value, tied to business decision drivers. To be effective, risk limits must be underpinned by a risk appetite framework whereby management systems and processes work together to enable risk limit compliance, which is not easy to accomplish.

Fourth, the policy should state the methodology employed by the organization for risk management. There are two widely used risk management methodologies today, notably:

  • ISO 31000
  • COSO ERM

International Standards Organization Risk Management Principles and Guidelines (ISO 31000), shown in Figure 32.5, provides principles for managing risk, a framework setting out the foundational infrastructure required for organizational risk management, and a process for managing risk. This methodology is fashioned as a management system, providing a structured and systematic approach to risk management.

Schematic illustration of International Standards Organization Risk Management Principles and Guidelines.

FIGURE 32.5 ISO 31000: 2018

COSO ERM, shown in Figure 32.6, focuses on aligning strategy with risk and performance by bringing mission, strategy, and performance together with risk governance, risk culture, strategy setting, and execution, coupled with risk communication, reporting, and monitoring.

Schematic illustration of COSO ERM.

FIGURE 32.6 COSO ERM: 2016

Whichever methodology is used, risks today are rapidly changing, highly interdependent, and faced with an ambiguous external environment that can bring forth both unforeseen opportunities and risks.

I encourage you to delve deeper into what these methodologies entail. While I understand that you are not in a management role, directors need to know that management has established a systematic and comprehensive process to evaluate a broad spectrum of risks. The risk policy should be approved by the board and reviewed annually.

Assurance

How will the board know that the risk governance structure is effective? This is the ultimate purpose of assurance, the outer layer of the risk governance framework.

Assurance is provided in two forms. First, through board reporting, ideally provided quarterly. Reports delivered by the chief risk officer should be crisp and focus on what the board needs to know, at the point in time, to effectively govern risk—including simplified facts and well-articulated impacts. For global firms, reports should address principal risks in each geographic region the firm operates in.

The content will also vary, from briefing notes on principal risks, to scenario analysis supporting deal recommendations, to emerging risks, to outcomes of risk mitigation strategy, and is driven by board expectations.

As it relates to risk mitigation strategy outcomes, it is just as important to set and execute risk mitigation strategy as it is to measure whether desired outcomes are achieved. From this standpoint it is prudent that boards ask management to report the intended ROI and risk mitigation outcome for mitigation investments, and how the outcome will be measured. The board should in turn hold management accountable to report outcomes.

Boards should also ask for information to gauge transparency and risk culture. For instance, look for signs of “green scorecards” and “red faces,” such as client satisfaction results that reveal issues purportedly unknown to management, or employee surveys indicating that employees are not comfortable bringing risk issues to management's attention for fear of reprisal.

Second, it is critical that an independent party validate the effectiveness of risk governance structure and policy. This can take many forms, from a rating agency evaluation to an internal audit.

Risk Governance Framework Implementation

Implementing the Risk Governance Framework can be a challenging task. Table 32.4 provides five key steps to aid in successfully doing so.

Demographic Influencers of Effective Risk Governance

Before concluding this chapter, there is one important issue that should be addressed: How do board demographics (gender and professional experience) influence effective actualization of risk governance theory?

In the beginning of the chapter I stated that demographics can influence how risk governance theory is put into practice. So I set out to prove it, beyond my own experience. I interviewed seasoned executives and directors with significant board risk oversight experience to understand their experiences. The directors represented 20 Canadian boards, spanning financial institutions, Big Four professional services firms, professional associations, real estate investment trusts, crown, health care, securities regulator, and not-for-profit organizations. Directors served on risk committees and audit committees, and held board chair and risk committee chair roles. Directors also had several years of C-suite experience and 30 or more years of business experience working in various parts of the globe, including North America, South America, Asia, and Africa.

Table 32.4 Implementing the Governance, Policy, and Assurance Framework

Step 1: Establish Risk Governance Structure
  Description:
    • Review board responsibilities and how the board as a whole works together to govern risk
    • Cascade board risk governance structure to the chief executive officer, chief risk officer, executives, and management
  Expected outcome: Defined risk oversight accountabilities that align to management

Step 2: Set Board Risk Committee Charter
  Description:
    • Set charter (risk oversight roles and responsibilities) for the risk committee, full board, and board committees
  Expected outcome: Articulated risk oversight accountabilities

Step 3: Approve Risk Policy
  Description:
    • Work with the chief risk officer to develop policy
  Expected outcome: Articulated and communicated boundaries for acceptable risk taking, in the context of strategic objectives

Step 4: Endorse/Monitor Principal Risk Mitigation Strategies
  Description:
    • For principal risks, review management's strategies and key metrics to address mitigation requirements
  Expected outcome: Sound strategies to mitigate the most important risks

Step 5: Monitor Risk Mitigation Strategies
  Description:
    • Review the chief risk officer's ERM report quarterly
  Expected outcome: Board has assurance that risk limits are adhered to and insight into risk management effectiveness

I asked about:

  • Their personal risk tolerance
  • What influenced their personal risk tolerance
  • How their professional background and tolerance for risk impacts decisions in the boardroom

What I found was eye opening.

  • Of the 20 boards, only 9 percent of directors were ethnic minorities and 30 percent of directors were women. Research suggests that diverse boards are less prone to take excessive risks and are prudent in decision making. The reverse is also true. The male-versus-female dynamic and diverse professional backgrounds also create healthy decision-making tension in the boardroom.
  • The culture of the board directly impacts risk-based decision making. Board culture can encourage sound risk oversight or hinder it. Where consequences of a risk decision gone wrong are met with a “big hammer,” directors will fear making a mistake and succumb to groupthink. Where the board culture does not foster authentic inclusivity, directors are at the table, but their voice is not heard. Global organizations are also challenged by cultural norms of the jurisdictions they operate in.
  • The personal tolerance for risk of directors influences boardroom decisions and the collective risk tolerance of the board. Personal experiences shape a person's risk compass. A director whose personal risk compass does not align with the risk philosophy of the organization may jeopardize risk governance effectiveness. Directors acknowledged that board decisions are made based on facts and what feels right, one's personal compass.
  • All directors interviewed were professional accountants. Accountants are known to have a strong sense of ethics, emphasize accuracy, and have a high aptitude for constant learning. These characteristics are conducive to prudent risk taking, supporting why many firms relegate risk oversight responsibility to the audit committee.

These findings have convinced me that director demographics influence risk taking. I also firmly believe that having insight into a director's risk compass is a critical consideration for board risk committee appointments.

Conclusion

I have shared with you what I believe is the formula for more effective risk governance in today's business climate.

It starts by instituting sound risk governance methodology, enabled by a solid partnership between the board and management, deep industry and business knowledge, alignment of the risk compass of individual directors and collective board to the organization's risk philosophy, keeping a pulse on risk culture, and a diverse board mindset [breadth of experience, gender, and ethnicity].

It is also important that boards understand what a sound risk management system looks like and that risk governance effectiveness is periodically assessed.

Above all,

There is no passion to be found in playing small—in settling for a life that is less than the one you are capable of living.

—Nelson Mandela

As directors aim to drive organizations forward to build stakeholder value, it is paramount that they fall forward or see what barriers the organization may hit so that barriers are averted and success is achieved. This is important as we continue to see examples of organizations falling backwards.

In closing, I leave you with a few tips in Table 32.5 to achieve this.

Table 32.5 Tips for Effective Risk Governance

  1. Set clear roles of the board, committees and management in risk oversight.
  2. Appoint directors that understand the business and industry.
  3. Intentionally build board demographics to achieve desired risk-taking culture.
  4. Ensure that the risk compass of directors aligns to the organization.
  5. Empower the chief risk officer.
  6. Understand the organization's risk profile [including disruptive and emerging risks].
  7. Define and monitor risk limits.
  8. Integrate strategy, risk, and performance discussions.
  9. Ensure transparent and dynamic risk reporting.
  10. Verify that mitigation reduces risk exposure.

About the Author


Ingrid Robinson is the former principal and managing director of Enterprise Risk Management for BGIS Global Integrated Solutions [a global commercial facility management firm] where she instituted the company's global ERM program from the ground up and led business continuity, internal audit, and insurance functions.

Ingrid is a Thought Leadership executive for the Canadian Public Accountability Board [audit regulator that protects capital markets interests] and professor of ERM for the York University [Toronto, Ontario] Master of Financial Accountability program.

Over her 23-year career, Ingrid has provided corporate governance, ERM and internal controls consulting to large-scale firms in various sectors and countries.

Ingrid is on the board of the Charitable Impact Foundation, and served as finance and risk committee chair for Hospice Palliative Care Ontario and human resources and governance committee chair for the Community Development Council of Durham, Ontario.

Ingrid earned a Master of Financial Accountability [with distinction] from York University and Bachelor of Commerce from the University of Windsor. She is a graduate of the Institute of Corporate Directors (ICD) directors education program [diversity scholarship recipient] and the Harvard Business School corporate risk leadership executive program.

Ingrid is a Certified Public Accountant, Certified Internal Auditor, and Certified Risk Management Assurance Professional.

Ingrid is also a recognized thought leader in her field, as a published author in highly recognized professional journals (Directors Journal, Corporate Risk Canada magazine, and the ISACA Journal), and a frequent speaker at professional conferences.

Notes

  1. COSO. 2016. ERM. Aligning Risk with Strategy and Performance. Page 10.
  2. NACD. 2019. 2019 Governance Outlook. Projections on Emerging Board Matters. Page 2.
  3. NACD. 2019. Governance Outlook found that 62 percent of directors view disruptive risks as much more important to the business environment today than five years ago.
  4. Of 474 firms surveyed, 80 percent are U.S., 130 large public, 138 publicly listed, 137 financial services, and 103 not-for-profit firms.
  5. AICPA. March 2018. The State of Risk Oversight: An Overview of ERM Practices. 9th Edition. Page 3.
  6. AICPA 2018 study found that 22 percent of 474 firms surveyed believe they have mature and robust risk oversight, down from 23 percent in 2014.
  7. McKinsey & Company. October 2018. Value and resilience through better risk management. https://www.mckinsey.com/business-functions/risk/our-insights/value-and-resilience-through-better-risk-management?cid=soc-app?reload.
  8. AICPA. March 2018. The State of Risk Oversight: An Overview of ERM Practices. 9th Edition. Page 10.
  9. Canadian Securities Administrators. 2005. National Policy 58-201. Corporate Governance Guidelines. Part 3.4 (b)(c).
  10. OSFI. 2013. Corporate Governance Guideline. Sound Business and Financial Practices. IV. Risk Governance.
  11. http://www.dodd-frank-act.us/Dodd_Frank_Act_Text_Section_165.html.
  12. U.S. Securities and Exchange Commission. SEC Approves Enhanced Disclosure About Risk, Compensation and Corporate Governance. https://www.sec.gov/news/press/2009/2009-268.htm.
  13. Financial Reporting Council. 2016. The UK Corporate Governance Code. C.2: Risk Management and Internal Control. Page 17.
  14. OECD. 2014. Corporate Governance. Risk Management and Corporate Governance. Page 52.
  15. Hong Kong Stock Exchange. The Risk Management and Internal Control section of the Corporate Governance Code and Corporate Governance Report. http://en-rules.hkex.com.hk/node/5037.
  16. Japan's Corporate Governance Code. June 2018. Seeking Sustainable Corporate Growth and Increased Corporate Value over the Mid- to Long-Term. Section 4(2).
  17. Imagine Canada. 2018. Standards Program for Canada's Charities & Nonprofits.
  18. NACD Advisory Council on Risk Oversight. 2017. Communicating the Board's Role in Risk Oversight to Investors.
  19. Lam, James. April 2011. "The Role of the Board in Enterprise Risk Management." RMA Journal.
  20. AICPA. March 2018. The State of Risk Oversight: An Overview of ERM Practices. 9th Edition. Page 16.
  21. Study respondents included 474 C-suite executives from 130 large, 138 publicly traded, 137 financial services, and 103 not-for-profit firms globally.
  22. AICPA. March 2018. The State of Risk Oversight: An Overview of ERM Practices. 9th Edition. Page 14.
  23. AICPA. March 2018. The State of Risk Oversight: An Overview of ERM Practices. 9th Edition. Page 2.
  24. Ibid. Page 14.
  25. Protiviti. 2013. Effective Positioning of the Risk Management Organization: Enabling the Chief Risk Officer's Success.