Ingrid Robinson MFAC BCOMM CPA CIA CRMA
Director Thought Leadership, Canadian Public Accountability Board, Board Director at Charitable Impact Foundation (Canada), Former Principal and Managing Director, Enterprise Risk Management, BGIS Global Integrated Solutions
The greatest tragedy would be to accept the refrain that no one could have seen this coming and thus find nothing could have been done. If we accept this notion, it will happen again.
—Financial Crisis Inquiry Commission
As disconcerted stakeholders questioned what boards were doing to govern risk when Lehman Brothers ignited the seminal event of the 2008/2009 global financial crisis, effective risk governance became the rallying cry that echoed around the globe. With the perception that reckless risk taking underpinned the economic turmoil, the spotlight turned to board oversight of Enterprise Risk Management (ERM).
It has been a decade since the onset of the global financial crisis. Have directors learned how to govern risk more effectively? What does effective risk governance require? How do board demographics (such as gender and professional experience) influence effective risk governance in practice?
This chapter explores these questions, unpacking leading practices and offering a roadmap to effective risk governance that all firms, whether not-for-profit, crown, public, or private, can aspire to.
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission defines ERM as:
The culture, capabilities and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.[1]
In short, managing risk assists organizations to make informed decisions to enable enduring success, and is also fundamental to good governance.
Risk governance is the oversight process of the board that:
According to the National Association of Corporate Directors (NACD) 2018–2019 Public Company Governance Survey, 70 percent of directors believe their understanding of the risks and opportunities affecting organizational performance needs to be strengthened.[2] This is amid a 2019 business landscape that is riddled with disruptive risks indifferent to industry.[3]
A 2018 study conducted by the American Institute of Certified Public Accountants (AICPA) found that in 62 percent of organizations, directors are putting pressure on executives to increase their involvement in risk oversight, and these pressures are becoming harder for executives to ignore.[4][5] Despite this, mature and robust risk oversight in publicly listed and not-for-profit firms in the United States remains scarce today.[6]
In 2017 a McKinsey & Company study found that boards spend only 9 percent of their time on risk management.[7] From this I am convinced there is a lot of work to do to bolster risk governance.[8]
This begs the question: What do corporate governance regulations require of directors in relation to risk governance?
Risk governance as a core element of corporate governance regulation is now ubiquitous in Anglo-American countries and across the globe.
Canada: The Canadian Securities Administrators 2005 Corporate Governance Guideline, National Policy 58-201, requires that boards adopt a written mandate explicitly acknowledging responsibility for:
In 2013, the Office of the Superintendent of Financial Institutions (OSFI) revised its Guideline on Corporate Governance, requiring that federally regulated banks, trust companies and credit unions:
United States: In 2010 the New York Stock Exchange revised its Corporate Governance Guidelines, Section 303A.09, which dictates that:
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 requires that large financial institutions have a separate risk committee to oversee ERM.[11]
The Securities and Exchange Commission rules require that listed companies disclose the extent of the board's role in risk oversight in proxy and information statements.[12]
United Kingdom: Under the 2016 Financial Reporting Council UK Corporate Governance Code, the board is responsible to:
Australia: The Australian Exchange Commission Corporate Governance rules, principle seven, require that the board of a listed entity:
In recent years, many Asian stock exchanges have also elevated risk governance rules, such as those outlined in Table 32.1.
Table 32.1 Select Asian Stock Exchange Risk Oversight Expectations

| Stock Exchange | Corporate Governance Rules |
| --- | --- |
| Singapore [14] | |
| Hong Kong [15] | |
| Japan [16] | |
African countries have also started to adopt rules, such as the Financial Reporting Council of Nigeria's National Code of Corporate Governance for the Private Sector, introduced in 2016. There is a clear theme from these global corporate governance rules.
Regulators expect that directors understand principal risks [unearthed by robust ERM systems], set risk limits, ensure transparent disclosure of principal risk mitigation, possess expertise to enable risk probity, and seek independent assurance that ERM practices are effective.
The unspoken reality of these regulatory expectations is that cultural barriers in parts of the world where risk management practice is less mature, such as certain Asian and African countries, make genuine adoption challenging. I will address this later in the chapter.
These risk oversight expectations have spread beyond global stock exchange regulators. To illustrate, in Canada the Imagine Canada Standards Accreditation Program, launched in 2012 and revised in 2018, aims to strengthen public confidence in the Canadian charitable and nonprofit sector and includes bolstered board risk governance requirements.[17]
Other sectors in Canada, such as colleges, healthcare institutions and credit unions have also adopted risk governance rules. This is profoundly edifying as risk governance is now simply deemed good for business.
This leads to another question: What do investors expect from directors?
According to the NACD's Advisory Council on Risk Oversight, investors are interested in whether the board has an inclusive, holistic understanding of the organization's risks and an equally comprehensive approach to risk oversight.[18] This requires:
With these mounting expectations, what does it take to be an effective governor of risk? Leading practice offers a proven framework and methodologies, discussed next.
James Lam, a pioneer and leading expert in the field of ERM, in his paper “The Role of the Board in ERM,” offers practical guidance drawn notably from his work as a chief risk officer at companies such as GE Capital Markets and Fidelity Investments, as a trusted board advisor, and as a management consultant. Lam suggests that essential board responsibilities span three areas, namely governance structure and roles, risk policy and limits, and assurance and reporting, which together form the Risk Governance Framework (Figure 32.1).[19]
I can attest to the practicality of Lam's framework, having successfully applied it in organizations of varying scales and sectors, profit and not-for-profit, accompanied by healthy risk culture.
A strong governance structure is the nexus for effective risk oversight. Designed correctly, governance structure drives positive risk culture and supports value-creating strategic effectiveness.
The board organizational chart, together with the committee and full board charters, provides a clear sense of board roles, including who does what and why.
This is where the design of the risk governance structure should begin. The structure should consider the significant areas of business risk, and board committees best suited to oversee the risks, while enabling partnership with management charged to manage risk.
There are three structures that I have found to be quite effective.
The first is taken from a Fortune 500 global insurance firm. The board risk governance structure consisted of three components. First, a risk committee charged to oversee business, strategic, credit, market, insurance, liquidity and operational risk. Second, an audit committee that oversees operational risk. Third, a human resource committee charged to oversee compensation risk. The board reviews its risk governance structure annually in the context of organization objectives.
The board committees partner with management through executive risk committees accountable for managing risk. Each executive risk committee is chaired by a senior executive who reports to the global chief risk officer.
This approach is coined the Risk Area Governance Structure (Figure 32.2).
In a second structure, based on a Forbes 2018 Top 100 Digital firm, the board has a risk and strategy committee that the chief risk and strategy officer reports to. This approach compels the highest order of stewardship to oversee risks embedded in strategic goals. Management in turn is accountable for managing risks to specific strategies. For instance, the CEO and chief sales officer are accountable to risk assess revenue growth goals, with oversight of the board risk and strategy committee, while other strategic goals are risk assessed by different executives, with accountability to the full board or other committees.
This approach, conceptually depicted in Figure 32.3, is coined the Integrated Strategy and Risk Governance Structure.
In the third structure, the chief risk officer of a private firm reported to the board risk committee charged to oversee principal risks to the global business. The board risk committee is an excellent venue for focused risk dialogue, unencumbered by a tight board agenda. Similar approaches are used by not-for-profit boards.
Underpinning the board risk committee, the chief risk officer chaired a cross-functional executive risk committee. This venue enabled rich interdisciplinary insight and solving of critical business problems amongst the management team. To avoid redundancy, the executive risk committee should be integrated into existing executive committee structures, particularly for smaller organizations. Where this is done, it is important that sufficient agenda time is provided to discuss risk topics.
Executive risk committees are common today: AICPA's 2017 study found that 59 percent of firms have one in place.[20][21]
While standalone board risk committees are growing in popularity in North America, it is still common practice today for boards to delegate risk oversight to the audit committee.[22]
Whatever structure is employed, it is imperative that it collectively orchestrates the full board, board committees, and management to fulfill the board's risk oversight obligations. Reporting lines, decision structures, and information flows must be clear. Moreover, the structure must acknowledge that risk oversight obligations cannot be relegated to a single committee, as the full board is ultimately accountable for risk oversight.
The charter of each committee should clearly set out its risk oversight accountabilities—areas of risk oversight, meeting cadence, standing meetings with executives (in-camera or otherwise), reporting frequency, authority to engage experts, alignment to management, and continuing education requirements.
In addition, the charter of the full board and board risk committee should include responsibility to:
Directors should possess both industry and technical expertise in the risk area they are charged to oversee, commensurate with the size and scale of the organization. Where a director understands potential outcomes from first-hand experience, true risk probity is achieved and risk-informed decisions are made.
The board risk committee chair should be competent in connecting professional experience to what is happening in the world, and to diverse sources of information and perspectives to inform risk assessment and risk-based decisions.
This philosophy should inform board risk committee appointments. Time and time again corporate debacles unfold that point to director experience that is not appropriately aligned to the organization, a key finding of the Financial Stability Board 2008–2009 financial crisis investigation.
The board in hiring the chief executive officer is entrusted with the affairs of the organization, which includes managing risk. The reality is that agency theory rears its head where the interests of the chief executive officer [to propel organizational success] intrinsically conflict with risk taking, making it challenging for the board to govern risk effectively.
To avoid this, the chief risk officer should have an independent reporting relationship to the board [including standing in-camera sessions and risk committee and/or full board participation] and unfettered access to the chief executive officer.
This reporting relationship should be articulated in a charter that includes standing in-camera meetings with the chief executive officer and the board risk committee.
The chief risk officer has a tall order to fill, as he or she in many respects is the “eyes and ears” of the board inside the organization, charged to unearth risk insight and foresight.
That said, this job can only be done by someone who possesses deep organizational knowledge, gained through broad stakeholder engagement, business experience, tenacious curiosity, and deep risk management expertise.
It is also important that the chief risk officer work closely with the head of strategy. Organizations that do so remain ahead of disruptive, emerging, and principal risks simultaneously.
The chief risk officer has strong relationships with organizational leaders pivotal to risk insight. I have certainly found that the best information is often unveiled over coffee with executives!
In short, the chief risk officer must know the business, be a credible part of the executive team and business operations, and be able to gauge and influence the risk tone at the top and bottom of the organization.
These ingredients are paramount for the chief risk officer to be credible to both the board and executives.
According to a 2018 AICPA study, 67 percent of large companies and 63 percent of public companies have a chief risk officer (or equivalent),[23] compared to 48 percent in 2017.[24]
Table 32.2 Risk Governance Structure Key Success Factors [25]

| Key Success Factor | Description |
| --- | --- |
| Board reporting relationship in place to support risk oversight | The chief risk officer has reporting accountability to the board, with standing in-camera sessions. |
| Peer relationship between the chief risk officer and executive leaders | Senior leaders are afforded a forward-looking risk perspective by a chief risk officer who is viewed as a peer, with an equivalent chief executive officer reporting line. |
| Managing risk is a company imperative, and accountability is cascaded to executives and managers | A systematic and structured process is in place to support line management awareness of, and accountability for, managing line-specific risks, and the escalation of risk concerns to executives. |
| Value creation and control underpin business pursuits | Business pursuits consider long-term business interests while balancing value creation and control. This is achieved by stress testing pursuits and aligning results to established risk thresholds. The chief risk officer is engaged in the process to inform risks to and from strategic business pursuits. |
| Chief executive officer and board clearly define expectations of the chief risk officer | The chief executive officer and the board define expectations of the chief risk officer, which can include objective business risk assessment; alerting when strategies are not aligned to set risk thresholds; and/or supporting improvement of the business plan by advising on associated risks. |
Table 32.2 outlines leading research on key factors to successfully position risk governance from the board to management.
These factors position the chief risk officer as the linking “spoke” between the board, chief executive officer, and executive leadership (Figure 32.4).
Table 32.3 Cascaded Risk Accountabilities from the Board to Management

| Role | Accountabilities |
| --- | --- |
| Board | |
| Executive | |
| Executive Risk Committee | |
| Functional Risk Owners | |
| Employees | |
Table 32.3 illustrates leading practice for cascaded risk accountabilities from the board to management.
Surrounding risk governance structure at the core is sound risk policy.
Risk policy is intended to set out board expectations and standards for risk management practice, and should include four core elements.
First, the policy should set out a visionary statement of the organization's attitude toward risk in the context of the business mission.
Second, the policy should articulate the risk governance structure, including roles and responsibilities of stakeholders.
Third, risk limits should be clearly defined and articulate the amount of risk the organization is willing to accept in the pursuit of value, tied to business decision drivers. To be effective, risk limits must be underpinned by a risk appetite framework whereby management systems and processes work together to enable risk limit compliance, which is not easy to accomplish.
Fourth, the policy should state the methodology employed by the organization for risk management. There are two widely used risk management methodologies today, notably:
International Standards Organization Risk Management Principles and Guidelines (ISO 31000), in Figure 32.5, provides principles for managing risk, a framework setting out foundational infrastructure required for organizational risk management and a process for the management of risk. This methodology is fashioned as a management system, providing a structured and systematic approach for risk management.
COSO ERM, in Figure 32.6, focuses on aligning strategy with risk and performance, by bringing mission, strategy, and performance together with risk governance, risk culture, strategy setting, and execution; coupled with risk communication, reporting, and monitoring.
Whichever methodology is used, risks today are rapidly changing, highly interdependent, and faced with an ambiguous external environment that can bring forth both unforeseen opportunities and risks.
I encourage you to delve deeper into what these methodologies entail. While I understand that you are not in a management role, directors need to know that management has established a systematic and comprehensive process to evaluate a broad spectrum of risks. The risk policy should be approved by the board and reviewed annually.
How will the board know that the risk governance structure is effective? This is the ultimate purpose of assurance, the outer layer of the risk governance framework.
Assurance is provided in two forms. First, through board reporting, ideally provided quarterly. Reports delivered by the chief risk officer should be crisp and focus on what the board needs to know, at the point in time, to effectively govern risk—including simplified facts and well-articulated impacts. For global firms, reports should address principal risks in each geographic region the firm operates in.
The content will also vary, from briefing notes on principal risks, to scenario analysis supporting deal recommendations, to emerging risks, to outcomes of risk mitigation strategy, and is driven by board expectations.
As it relates to risk mitigation strategy outcomes, it is just as important to set and execute risk mitigation strategy as it is to measure whether desired outcomes are achieved. From this standpoint it is prudent that boards ask management to report the intended ROI and risk mitigation outcome for mitigation investments, and how the outcome will be measured. The board should in turn hold management accountable to report outcomes.
Boards should also ask for information to gauge transparency and risk culture. For instance, looking for signs of “green scorecards” and “red faces,” such as client satisfaction that reveals issues purportedly unknown by management. Or employee surveys that indicate employees are not comfortable to bring risk issues to management attention without fear of reprisal.
Second, it is critical that an independent party validate the effectiveness of risk governance structure and policy. This can take many forms, from a rating agency evaluation to an internal audit.
Implementing the Risk Governance Framework can be a challenging task. Table 32.4 provides five key steps to aid in successfully doing so.
Before concluding this chapter, there is one important issue that should be addressed: How do board demographics (gender and professional experience) influence effective actualization of risk governance theory?
At the beginning of the chapter I stated that demographics can influence how risk governance theory is put into practice. So I set out to prove it, beyond my own experience. I interviewed seasoned executives and directors with significant board risk oversight experience to understand their experiences. The directors represented 20 Canadian boards of financial institutions, Big Four professional services firms, professional associations, real estate investment trusts, crown corporations, health care organizations, securities regulators and not-for-profit organizations. They served on risk committees and audit committees, and held board chair and risk committee chair roles. They also had several years of C-suite experience and 30 or more years of business experience working in various parts of the globe, including North America, South America, Asia and Africa.
Table 32.4 Implementing the Governance, Policy, and Assurance Framework

| # | Key Steps | Description | Expected Outcome |
| --- | --- | --- | --- |
| 1 | Establish Risk Governance Structure | | |
| 2 | Set Board Risk Committee Charter | | |
| 3 | Approve Risk Policy | | |
| 4 | Endorse/Monitor principal risk mitigation strategies | | |
| 5 | Monitor Risk Mitigation Strategies | | |
I asked about:
What I found was eye opening.
These findings have convinced me that director demographics influence risk taking. I also firmly believe that having insight to a director's risk compass is a critical consideration for board risk committee appointments.
I have shared with you what I believe is the formula for more effective risk governance in today's business climate.
It starts by instituting sound risk governance methodology, enabled by a solid partnership between the board and management, deep industry and business knowledge, alignment of the risk compass of individual directors and collective board to the organization's risk philosophy, keeping a pulse on risk culture, and a diverse board mindset [breadth of experience, gender, and ethnicity].
It is also important that boards understand what a sound risk management system looks like and that risk governance effectiveness is periodically assessed.
Above all,
There is no passion to be found in playing small—in settling for a life that is less than the one you are capable of living.
—Nelson Mandela
As directors aim to drive organizations forward to build stakeholder value, it is paramount that they fall forward or see what barriers the organization may hit so that barriers are averted and success is achieved. This is important as we continue to see examples of organizations falling backwards.
In closing, I leave you with a few tips in Table 32.5 to achieve this.
Table 32.5 Tips for Effective Risk Governance
Ingrid Robinson is the former principal and managing director of Enterprise Risk Management for BGIS Global Integrated Solutions [a global commercial facility management firm] where she instituted the company's global ERM program from the ground up and led business continuity, internal audit, and insurance functions.
Ingrid is a Thought Leadership executive for the Canadian Public Accountability Board [audit regulator that protects capital markets interests] and professor of ERM for the York University [Toronto, Ontario] Master of Financial Accountability program.
Over her 23-year career, Ingrid has provided corporate governance, ERM and internal controls consulting to large-scale firms in various sectors and countries.
Ingrid is on the board of the Charitable Impact Foundation, and served as finance and risk committee chair for Hospice Palliative Care Ontario and human resources and governance committee chair for the Community Development Council of Durham, Ontario.
Ingrid earned a Master of Financial Accountability [with distinction] from York University and Bachelor of Commerce from the University of Windsor. She is a graduate of the Institute of Corporate Directors (ICD) directors education program [diversity scholarship recipient] and the Harvard Business School corporate risk leadership executive program.
Ingrid is a Certified Public Accountant, Certified Internal Auditor, and Certified Risk Management Assurance Professional.
Ingrid is also a recognized thought leader in her field, as a published author in highly recognized professional journals (Directors Journal, Corporate Risk Canada magazine, and the ISACA Journal), and a frequent speaker at professional conferences.