Three hurricanes hammered the United States in just two months in 2017, leaving a $200 billion swath of destruction from Puerto Rico to Texas. Several months later, a raging wildfire destroyed more than 8,500 buildings in Northern California. It was a frightful year abroad, too. A magnitude-8.2 earthquake rocked Mexico, monsoon flooding killed 1,200 in Bangladesh, and extreme temperatures scorched India.

But 2017 was not the worst year on record. That dreary distinction belonged to 2011, when the costs of natural disasters worldwide exceeded $350 billion. Yet the long-term trendline is unhappily and unmistakably upward: The inflation-adjusted expense of global calamities half-decade by half-decade has been rising, and the cost is now up more than fourfold from the early 1980s. The World Economic Forum sounded the alarm in 2019: “Global risks are intensifying but the collective will to tackle them appears to be lacking, [and we] are drifting deeper into global problems from which we will struggle to extricate ourselves.”¹

Companies worldwide have certainly felt the intensifying impact of natural disasters. In the case of the largest tropical storm on record, for instance, Hurricane Sandy in 2012, an ocean surge inundated more than 23,000 companies in New York City, knocking a third of the smaller firms out of business. Firms have also faced threats from a host of unnatural disasters, including terrorist attacks, industrial accidents, executive malfeasance, and one of the most consequential of all, the financial crisis of 2008–09.²

Consider the impact of one of the natural calamities, an epic flood that submerged much of Bangkok in 2011. The region manufactured a third of the world's hard-disk drives and served as regional hub for auto making, and the deluge damaged or destroyed facilities of more than 14,000 businesses. Western Digital Corp., the world's largest drive maker, warned that that production would not return for months, Toyota suspended assembly lines, Honda cut operations in the UK for the lack of parts, and Ford halted production altogether.³

Reducing such large-scale risks, preparing for unthinkable events, and coming back from crises are certainly the province of company leadership at the top. And for that, a firm's governing board can serve as an invaluable advisor and partner, well positioned to bring informed and independent counsel to executive action. Yet until the turn of the century, relatively few boards had been prepared to provide it, leaving risk management and continuity planning largely to those who run the firm every day. During the past two decades, however, we have found that this delegation of authority has been retracted at many firms, bringing the board more directly into the business of risk protection, though primarily as an overseer, not a doer.

Influential voices have been calling for just that, expressing but also catalyzing the historic shift underway. A prominent governance attorney and company advisor argued, for instance, that “corporate risk-taking and the monitoring of risks” should be “front and center in the minds of boards of directors.” He warned that directors who failed to oversee company risks did so at their own peril: “The reputational damage to companies and their boards that fail to properly manage risk is a major threat” to them. At the same time, he cautioned directors to stay in their lane: “The board cannot and should not be involved in actual day-to-day risk management.” It “should stick to its “oversight role,” guiding executive action but not detailing it.⁴

Major institutional investors have also pressed for director engagement. One of the largest, Vanguard Group, with $5 trillion under management, explicitly urged directors of companies in which it is invested to serve as the “shareholders' eyes and ears on risk.” To that end, Vanguard had doubled the number of companies with which it directly discussed risk oversight. Activist investors jumped into the fray as well. Trillium Asset Management, a firm with $2.5 billion under management and a focus on social change, urged the board of Facebook to create a risk committee and the board of Nike to lessen its risks from inequitable pay, gender un-diversity, and sexual harassment. It thus came as no surprise that Richard Leblanc included several chapters on company risk and director oversight in his first edition of The Handbook of Corporate Governance, and this chapter extends that discussion.⁵

The increasing engagement of boards in risk management is part of a broader trend toward a greater director partnership with company executives in a host of arenas, from company strategy to talent development, a movement we have detailed elsewhere. The heightened director alertness to risk itself is evident, for example, in a survey of 884 directors of large public enterprises in 2016. They were asked to rank the areas of expertise that should be represented in the boardroom. Directors deemed financial acumen to be the most vital capacity, but they also placed risk management high on the agenda, on a par with operational experience and industry expertise.⁶

Company directors also report that they are now devoting substantial attention to risk management. More than 90 percent of the directors in the 2016 survey stated that they spend enough time with their executives to “sufficiently understand business risks,” and that they are now concerned with longer-term risks stemming from economic, technological, geopolitical, and environmental disruptions (see Figure 26.1). Half of the directors also reported that their firm's most salient risks are on the table at every board meeting, and that the risks are highly varied, ranging from game-changing technologies to competitive threats and regulatory restrictions to operational weaknesses. In a 2018 survey, directors and executives affirmed that their companies are grappling with a wide array of risks from cyberattacks to upended reputations. Another 2018 survey found that nearly two-third of the directors viewed disruptive risks as more important to the firm than were they five years earlier.⁷

The Risks of Governance Risks

The value of directors who can furnish informed and wise counsel on questions of risk is perhaps no more starkly affirmed than when such advice has not been rendered at a moment when it might have spelled the difference. This can be vividly appreciated in the case of crises at two of America's premier corporations: American International Group, the country's largest insurer at the time of a self-inflicted disaster, and Wells Fargo Co., the nation's largest bank when it also caused its own calamity.

In the case of AIG, one of its operating divisions, Financial Products (AIGFP), had been insuring large packets of home mortgages in the mid-2000s, backing more than $1.7 trillion at one point, the equivalent of the gross domestic product of Russia. Because of the parent's premier credit rating, AIGFP was not required to have funds on hand to cover its losses, giving it a near-term competitive advantage. And because of that, Financial Products had become a jewel in AIG's crown. Employing less than 1 percent of the firm's workforce, it was generating more than 17 percent of the company's income, helping AIG emerge as the world's largest insurer. In 2004, Dow Jones added AIG to its blue-chip stock index, the Dow Jones Industrial Average.⁸

Regulators and raters, however, began to caution AIG directors that its Financial Products portfolio looked increasingly worrisome if the market were to deem substantial fractions of its insured portfolios as shaky, as seemed unlikely but not inconceivable. The U.S. Office of Thrift Supervision, serving as the primary regulator, told AIG directors in 2005 that it had found “weaknesses in AIGFP's documentation of complex structures transactions, in policies and procedures regarding accounting, in stress testing, in communication of risk tolerances, and in the company's outline of lines of authority, credit risk management and measurement.” On the eve of the Lehman-sparked financial crisis in 2008, the regulator warned AIG again of what it deemed unwarranted risk-taking in its underwriting of subprime mortgage pools, urging directors to force executives to improve AIGFP's controls and risk management. AIG's outside auditor, PricewaterhouseCoopers, also warned of accounting weaknesses, and a governance rating agency gave the AIG board itself a barely passing grade of D.

Despite the external admonitions, we have found no public evidence to suggest that AIG directors had taken steps to rein in their profitable but increasingly precarious London division. A likely contributing factor was a still sanguine view of its mortgage practices among company executives. AIG's chief risk officer stressed on August 5, 2007, for instance, that the danger in the credit default swaps “is very modest and remote.” The top executive of AIG Financial Products himself told investors on December 5, 2007 that “this is a money-good portfolio.” AIG's chief executive decreed that its risk-analysis models were “very reliable,” giving him and the company a “very high level of comfort.”

Yet when a credit-rating agency in the wake of Lehman's failure on September 15, 2008, downgraded AIG's debt from AAA to A–, the company was suddenly forced to post collateral to back its insurance guarantees, resulting in a loss of $61 billion over the next three months, the largest quarterly deficit of any company in American business history. As AIG losses further mounted, the United States stepped in through its Troubled Asset Relief Program to save the company from certain bankruptcy by injecting more cash, ultimately a total of $182 billion. With that lifesaving infusion, a new management team and a new governing board brought the firm back to health over the next several years. AIG repaid its federal loan with an extra $23 billion in interest by 2013, five years after the debacle. With the benefit of hindsight, had AIG directors taken greater heed of the external warnings despite their executives' optimism, the company's near-death experience and federal bailout might never have occurred.

A decade later, despite the urgings of governance advisors and institutional investors, and despite board improvements elsewhere, much of the same shortcomings became evident at Wells Fargo & Co. when regulators found that it had created 1.5 million fraudulent checking and savings accounts and had issued half-a-million credit cards that customers had not authorized. The company fired more than 5,000 employees for doing so, the U.S. Office of Comptroller and Consumer Financial Protection Bureau fined the company, and the board forced out CEO John Stumpf. Directors blamed the CEO and the head of the offending division for imposing an excessively aggressive incentive compensation scheme, resulting in unethical behavior, and directors clawed-back $75 million from the two executives.⁹

According to later Congressional testimony by the chief executive, however, the flawed incentive system was not a hidden misstep. It had been known but not curtailed by directors for some time. For Warren Buffett, chief executive of Berkshire Hathaway, the bank's largest investor holding nearly 10 percent of its stock, it “was a dumb incentive system,” and “when they found out it was dumb, they didn't do anything about it.” Executives had brought the faulty system to the board in 2013, but it was not until 2016 that the board finally intervened. In the end, it cost Wells Fargo billions of dollars in litigation expenses, settlement costs, and forgone income.

The Federal Reserve System concluded from its own investigation that the directors themselves were centrally to blame. It censured board members in 2018 for their “lack of inquiry and lack of demand for additional information” and their failure to oversee the dangers coming from the bank's flawed compensation system. The Federal Reserve forced several directors off the board, excoriated two directors by name, demanded a written plan to improve the directors' risk oversight, and in one of most stringent requirements of all, stipulated that the bank could not increase its assets beyond the $1.95 trillion it held at the end of 2017 “until it sufficiently improves its governance and controls.”¹⁰

With costly consequences, the directors of AIG and Wells Fargo appeared to have eschewed the kind of risk oversight that other boards have come to embrace in recent years—and that we advocate here. AIG's directors seemed to have missed the warning signs, their attention distracted by the topline success of its financial products division. Wells Fargo's directors may have been led to downplay the pernicious byproducts of an undermanaged and overly aggressive inventive system at a time when the firm had emerged as the country's leading bank. When companies are performing well, there is a natural tendency toward overconfidence, underplaying risks that may have helped account for exceptional returns. The passive role of the AIG and Wells Fargo boards serve as instructive warnings that although directors are positioned by virtue of experience and charter to provide wise counsel, it is an acquired strategic capacity, one that boards will want to strengthen if they are to add value to risk management rather than adding to company risk. When the PG&E Corporation faced billions of dollars in liabilities from California wildfires that may have been touched off from equipment malfunctions, it thus unsurprisingly sought new directors in 2019 who would bring “fresh perspectives” and expertise in fire safety.¹¹

For strengthening the board's risk oversight, we begin with ways of engaging directors in risk deliberations, and then turn to ways of ensuring that their guidance is strategic. For this, we draw on interviews that we conducted with executives and directors of more than a hundred companies included in the Standard & Poor's roster of the 500 largest publicly traded firms. Hearing from them directly allows us to bring out features of boardroom engagement in risk management not readily available from public sources. The features might seem like limited steps, but taken together we believe they can constitute a foundation for director engagement in risk oversight.¹²

Engaging the Board in Risk Governance Oversight

Given the governing board's heightened vigilance, some companies have created a directors' risk committee, akin to the specialized science committee that pharmaceutical companies have often formed. There, directors with more expertise and experience can give more attention to the issues of risk appetite and risk tolerance. But this feature had not yet become widespread at the time of this volume's publication. Among the S&P 500 companies in 2004, for instance, just 2 percent of their boards had formed a risk committee, and by 2013, the fraction had climbed to 8 percent and in 2018 to 12 percent. The boards of all publicly traded companies are required to maintain audit, compensation, and nominations/governance committees, but of the additional discretionary committees that some boards have created, including executive, finance, strategy, and science committees, risk committees grew the most rapidly during the 2010s. According to an appraisal by professional-services firm Ernst & Young, the central focus of such committees is to help define the firm's risk tolerance and risk appetite and then to oversee executive actions on behalf of both.¹³

Seeking to prevent a recurrence of the financial crisis of 2008–09, the U.S. government mandated director risk committees for one subspecies: bank-holding companies with at least $10 billion in assets and other publicly traded financial service companies under the supervision of the Federal Reserve. For other S&P 500 companies that still lack a risk committee, the New York Stock Exchange requires that those functions be lodged in the board's audit committee, though audit committees generally focus more on financial than operational threats. The U.S. Securities and Exchange Commission requires that publicly listed companies report factors that can make an investment in the company “speculative or risky” and also describe the board's role in risk oversight. Research on the disclosure of company risk factors in the annual report finds that they are indeed followed by lower earnings and heightened likelihood of bankruptcy. The regulatory provisions do not necessarily result in greater director vigilance in risk oversight, but they are likely to increase the probability of directors doing so.¹⁴

By way of one example, at an insurance company where we interviewed, the board had created its own risk committee in the wake of the 2008–09 financial crisis. The board's audit committee continued to focus on controls and compliance while the new risk committee sought to appraise the company's hazards more comprehensively. Providing for the latter can be a management challenge, as some 100 people in this company were now directly involved in appraising the firm's risks and preparing for their downsides. Company executives convened monthly on risk management and worked to keep the board informed, but they also sought to ensure that their directors did not become bogged down in detail.

Other variants emerged as companies grappled in a host of ways to more actively orchestrate risk oversight at the board level. A bank-holding company, for example, created a combined executive and risk committee with a charter of overseeing all hazards for the enterprise. To guide the committee's work, the board specified the bank's appetite and tolerance for risk, setting forward the firm's strategic thrusts and the level of risk it was willing to incur in each. The committee's mandate was to track the company's actual risk profile against the directors' stated goals and limits.

Many companies reported that their board's audit or risk committee included directors who had a better grasp of the risk-related issues facing their industry. This was especially evident in financial services where risk issues can be particularly thorny. In a third of the companies we studied, their chief risk officer reported to the board through such committees rather than directly to the full board. That made for more technically informed deliberation but had the effect of reducing the visibility of risk to the board as a whole.

Directors also give more attention to their committee norms for vetting risks, as one board member told us: “All directors are responsible for risk oversight,” and “we have to make sure that the full board is comfortable with where the audit committee has been delegated specific oversight responsibilities.”

By way of illustration of the power of the audit committee to grapple with company risk, consider an agricultural products company where the committee had asked for regular data on the firm's supply and trading risks that could disrupt its ability to move large agricultural stocks from one nation to another. The audit committee learned that 40 percent of the world's cocoa was grown in one country at a time when its president had refused to step down following an electoral defeat. Europe had imposed an embargo on trade with the country, and the company's audit committee deliberated whether its operations in that country should be shuttered, and if so, how its several hundred employees would be supported or even evacuated. The committee also asked if the company should purchase political-risk insurance against the possibility of closing this and other threatened facilities, and more generally if the company should simply avoid politically volatile countries altogether. Informed by an exchange with the audit committee, company executives finally opted to close its operation in the embargoed country.

Because of the heightening external risks and rising internal concerns about their company impact, some firms have elevated oversight up to the board. The audit committee at a chemical company, for instance, asked that appraisal of the firm's risks be moved from the committee to the full board, as the chair of the committee explained: “All directors are responsible for risk oversight; audit is responsible for the process, but really, all directors are responsible for the oversight.” When the company considered a major acquisition, for example, all directors wrestled with the integration risks before sanctioning the purchase.

Among the hundred companies where we interviewed, senior risk managers now reported to their board about company hazards at least twice a year. In doing so, they worked up through one of several channels, with two-fifths connecting via the board's audit committee, a fifth by a risk committee, and two fifths through a finance committee, executive committee, or other conduit.¹⁵

However the board's risk oversight is structured, the general principle is for directors to embrace more active responsibility for it. One company director, serving on nine boards, offered the prescriptive point shared by many: “I am an advocate for the entire board handling the risk matters because the entire board is held accountable.” Depth understanding in the sometimes arcane issues of risk management, however, can still be limited in the boardroom, as a risk manager of a major financial institution cautioned: “We have to be very effective communicating the right subject for the right decision,” she said, warning that some of the board members were simply not competent, at least in the eyes of the regulators, to understand the bank's hazards.

While several pathways for board engagement in risk management have thus emerged as directors have become more engaged, academic research points to a moderate advantage of involving the entire board. In a study of 296 publicly listed companies in 2011–2013 across 28 countries, half of the firms in the United States, investigators found that companies that brought risk oversight into the full board exercised more effective oversight and that that correlated with stronger risk practices, operating performance, and even share price.¹⁶

By way of a brief example of the value of the full board's engagement, a director of a major airline reported that he was in a board meeting at the very moment when terrorists attacked the World Trade Center and Pentagon on September 11, 2001. The shocked directors appreciated immediately that the attacks would have a profound impact on travel and would be especially damaging to their industry. Though the airline's equipment had not been commandeered for the attack, the closing of air space for several days and the subsequent contraction in air travel came as an unanticipated shock to the company. Appreciating how that disruption could send the airline and other carriers into a tailspin, the directors concluded with company executives that U.S. assistance would be essential for the firm's survival. The board asked the chief executive to step forward as an advocate for the industry and to mobilize company resources to press Washington for emergency assistance. With the board's backing, the CEO did so, leading to Congressional approval of $10 billion in loan guarantees and $15 billion in emergency aid to the airline industry.

Optimally structuring the board's greater engagement in catastrophic risk still remains a matter of company judgment, with no dominant arrangement. The chief risk officer of an energy company, for instance, asked when he joined the firm where best to position the risk function: “The role of the board obviously is protecting the shareholders and making sure we bring about wise use of the investment, and so they're very engaged in overall risk management, especially around things that could hurt us.” But reflecting the era's uncertainty, he was not sure how risk reporting to the board should be structured. “Would it be an audit committee” function, he wondered. Or did they need a risk committee? If so, how should its reporting to the board best be arranged?”

Whatever the reporting channels, executives more frequently communicated their company risks to their directors, and vice versa. The chief risk officer of a steelmaker, for example, informed his board monthly about the firm's most salient ongoing risks. One time it could be a worrisome trend in raw material prices, and another a declining demand for finished products. And that communication increasingly went both ways, with directors more often bringing perceived risks to the attention of company executives.

Given the arcane nature of some risks, executives recognized the need for clarity and simplicity for effectively drawing on the directors' counsel. “Prior to the financial crisis, it was a challenge for many of the board members to understand the complex nature of the risks that financial services firms were undertaking,” explained the chief risk officer of a financial institution. “The challenge that all chief risk officers face today is to be very effective in communicating by explaining complex risks such as derivatives in very simple language.”

At many companies, boards and management have routinized their exchanges of information and insight. At a steelmaker, for instance, directors and executives recurrently reviewed the firm's annual risk management plan, focusing on risks that could derail the company's strategy. And then, midway through the year, directors and executives turned their attention to five years forward, focusing on the strategic, market, operational, regulatory, and legacy risks that could upend the firm's long-range plans.

How directors work together once they are focused on company risk in the boardroom also affects the board's ability to counsel executives in managing hazards. In a study of large UK companies for instance, researchers found that boards that stressed director engagement, substantive dialogue, and board cohesiveness helped their companies avoid excessive financial risk during the financial crisis of 2008–09. This also points to the special role of the board chair or lead director in risk management. If she or he can more actively engage directors in hard-hitting dialogue by creating strong norms for director preparation and participation in board deliberations, their firms are more likely to manage risk well.¹⁷

Bringing Deliberative Thinking into the Boardroom

Academic researchers have drawn a useful distinction between intuitive and deliberative thinking. The first is guided by instinctual reactions and rules of thumb acquired from personal experience, and it does not require extensive time or analytics for reaching closure. By contrast, deliberative thinking gives greater attention to reasoned analysis and complex protocols before choosing among alternative courses of action. Psychologist Daniel Kahneman captured the differences between the two mental models in his book, Thinking, Fast and Slow, and in our interviews with directors and executives of the large publicly traded firms we heard this distinction repeatedly drawn out as they described their frameworks for anticipating disruptive events and responding to them. They stressed moving toward the more deliberative side with an emphasis on thinking strategically, detailing analytically, and seeing longer term.¹⁸

Intuitive or tactical thinking works well when directors have good data and insight from past experience on the possible outcomes of their firm's varied options, and when complexity is low, as in a period of normalcy. But it is less effective when companies face disruptive events since they have rarely or never been experienced before and their impact is typically multifaceted. We know, for instance, that there is a resulting tendency for those thinking intuitively to underestimate risk prior to a disaster and then overestimate it afterwards. Hence, the more analytic and systematic methods associated with deliberative thinking can better direct a board's attention to the complex sequences and consequences that characterize low-probability but high-impact setbacks. Governing boards are exceptionally well positioned by virtue of their oversight charter to think deliberatively and thus provide strategic guidance to executives seeking to manage company risks. The challenge for directors is to embrace that thinking before being compelled by necessity to incorporate it.

Company executives can play an enabling role in strengthening deliberative thinking in the boardroom by knowing what to bring to directors and what not. The chief executive of a discount retail chain, for instance, warned that there was a cost in taking too many hazards to the board. At first, he had carried a lengthy list of its risks into board meetings. But both directors and the CEO found, in his words, that “there is no way the board can ever deal with all those issues.” Several million customers passed through the retailer's stores every day, and though the risks of shoplifting should thus not get on the board's agenda, protecting the privacy of its 78 million credit card holders should be. Prioritizing was thus key: “If you try to worry about a thousand items on the risk list,” found the CEO, “I guarantee you that nothing is going to get attention.” As a result, from his experience he had learned to focus on just 15 to 20 risks that are really important and zero-in on them.

Company directors and executives generally affirmed that their boards had more deliberatively taken up risk management in recent years, two-thirds reporting that that uptake had come within the past seven years, often sparked by a disaster of their own or in their industry. BP's Deepwater Horizon oil spill in the Gulf of Mexico in 2010 had cost the company some $40 billion, for instance, and that led another energy company to elevate risk responsibility to the full board. Directors came to annually appraise the firm's risk-management practices in exploration, production, and retail operations. They focused on the firm's largest risks, actively reviewing the firm's appetite and tolerance, raising concerns about the firm's reputational risks in light of BP's debacle, and providing counsel when the firm confronted a crisis of its own.

The heightened deliberative engagement of the board was evident in the commentary of a director on enterprise risk management (ERM) at a major airline where he had served for a decade: “I didn't know what ERM stood for at some point, eight, nine, or ten years ago,” he confessed. Now “I think American corporations and American boards have just made vast strides in the last five years on risk management,” he said, including the airline where he served. “It's just radically different than what it used to be.” The chief risk officer of a financial institution offered much the same: “The whole function of operational risk management” that was not on the board's agenda two decades ago is now reviewed by the board every quarter. Company directors, he explained, are “much more involved in terms of knowing what's going on and providing guidance where necessary.”

Some calamities are relatively unique to a company's industry, leading directors to ask their executives to surface potential risks distinctive to their sector. In the airline industry, for instance, extreme swings in fuel prices, disease epidemics, and air crashes are among the market-specific hazards. Other risks can be entirely idiosyncratic or unique to a firm. At one of the large companies where we interviewed, its chief executive had unexpectedly passed away, and then just three years later so did his successor.

Directors can be an especially informed conduit of deliberative practices by virtue of their service in senior management and on the governing board of a range of companies. They see close up how other boards and their firms had managed risk, and they bring a mind's-eye understanding of proven methods elsewhere. Better practices in risk management are consequentially conveyed informally from one firm to another. The director of a chemical company, for instance, reported that although her fellow directors did not have specific risk experience in the industry, many had served as senior managers elsewhere and thus brought hands-on experience with their risks to this boardroom. A second director with multiple board service reported his experience with risk at each firm informed her guidance of the others. A third, having served as an executive at a major commodity trader, came with personal expertise to another company that faced risks in securing raw materials.

Many directors reported that, consistent with deliberative thinking without micromanaging, they raised wide-ranging concerns but avoided specific directives. One company executive summed up the observations of many. The “primary role of the board,” she said, “is to ask really smart questions and ensure that the proper due diligence of the business is being done.… Are we prepared? What are we thinking about long-term business? What happens if we continue to have these problems? What are the implications?” An industrial executive offered much the same: “Ideally, directors have helped set the stage for company response but they are generally not in a position to make quick and well-informed decisions in the midst of the crisis.” Directors ask, “Have you thought about X and Y?” But “it's not a directing-traffic role.”

To prevent deliberative counsel in the boardroom from slipping into managing management, many companies have created protocols—“delegations of authority”—that mandate which actions come to the board for review. And most firms have created a culture of governance with implicit norms on which risks should be considered by directors. Anything that touches on catastrophic risk should go the board, and risk appetite and risk tolerance are among the concepts slated for board consideration, as the executive of a financial services company explained: “Our board adopted a statement of risk appetite, which articulates … business strategies and how much risk we're willing to take in pursuit of those strategies.” Executives worked to keep the directors informed about any differences between the risk appetite that the board had approved and the risks that the company actually assumed. Shared understandings of which lesser risks should be taken to the board, however, are often more ambiguous.¹⁹

A Director's Risk Roadmap

Skeptics may fear that company directors bring neither the expertise nor the time to add substantial value to the way that executives manage risk in their company. Still, it is evident from our interviews and any number of other sources that many directors have become more engaged and deliberate in doing so, partnering with executives to bolster company risk practices. Drawing on the governing experience of directors of the companies where we interviewed, academic research, and the risk record of directors at AIG, Wells Fargo, and other firms, we conclude with eight guidelines for deliberative thinking and risk engagement among directors of publicly traded firms:

1. Boards are more directly engaged in company strategy and leadership, and directors are taking a more deliberative role in overseeing risk, helping to guide executives in managing the firm's risk appetite, risk tolerance, and risk readiness.
2. Directors carry special responsibility for identifying hazards that can become disruptive or even disastrous if not detected and mitigated—including those caused by management.
3. Directors can work with executives to caution against intuitive thinking that can lead company executives to misestimate high-impact but low-probability risks, and to bring more deliberative thinking into both the boardroom and executive suite.
4. Recruiting directors with prior risk-management experience as an executive or director of another company onto a company's board can strengthen the firm's engaged and deliberative oversight of risk.
5. Directors can usefully guide and appraise company risks in the development of new products and services, posing critical questions and challenging executive assumptions.
6. Directors can play a special role in pressing executives to substantiate their forecasts, anticipated results, and identified risks without micromanaging them.
7. Board chairs and lead directors can more proactively involve directors in substantive dialogue by strengthening the norms of informed and active engagement in risk oversight.
8. Finally, company directors can also recruit and coach their top executives to think more deliberatively about company threats.²⁰

About the Author

Michael Useem is professor of management and director of the Center for Leadership and Change Management and Faculty Director of the McNulty Leadership Program at the Wharton School, University of Pennsylvania. His university teaching includes MBA and executive-MBA courses on management and leadership, and he offers programs on leadership and governance for managers in the United States, Asia, Europe, and Latin America. He works on leadership development with many companies and organizations in the private, public, and nonprofit sectors. He is the author of The Leader's Checklist, The Leadership Moment, Executive Defense, Investor Capitalism, Leading Up, and The Go Point. He is also coauthor and coeditor of Learning from Catastrophes; coauthor of The India Way, Leadership Dispatches, Boards That Lead, and The Strategic Leader's Roadmap; and coauthor of Fortune Makers: The Leaders Creating China's Great Global Companies (2017), Go Long: Why Long-Term Thinking Is Your Best Short-Term Strategy (2018), and Mastering Catastrophic Risk: How Companies Are Coping with Disruption (2018).

References

1. Airbus SE, 380 Customers, 2019, https://www.airbus.com/content/dam/corporate-topics/publications/backgrounders/Backgrounder-Airbus-Commercial-Aircraft-A380-Customers-list-EN.pdf.
2. Blunt, Katherine, and Russell Gold, “PG&E Plans to Overhaul Its Board,” Wall Street Journal, January 5–6, 2019.
3. Board of Directors of the Federal Reserve System, “Responding to widespread consumer abuses and compliance breakdowns by Wells Fargo, Federal Reserve restricts Wells' growth until firm improves governance and controls. Concurrent with Fed action, Wells to replace three directors by April, one by year end,” February 2, 2018, https://www.federalreserve.gov/newsevents/pressreleases/enforcement20180202a.htm.
4. Charan, Ram, Dennis Carey, and Michael Useem, Boards That Lead: When to Take Charge, When to Partner, and When to Stay Out of the Way, Harvard Business Review Press, 2014.
5. City of New York, “A Stronger, More Resilient New York” 2013, http://s-media.nyc.gov/agencies/sirr/SIRR_singles_Lo_res.pdf.
6. Cohen, Lauren, Christopher Malloy, and Quoc Nguyen, “Lazy Prices,” National Bureau of Economic Research, 2018, https://www.nber.org/papers/w25084.
7. Deloitte, “CEO and Board Risk Management Survey,” 2018, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/noindex/us-risk-ceo-board-risk-management-survey-report.pdf.
8. Fraser, John R. S., “The Role of the Board in Risk Management Oversight,” Handbook of Board Governance: A Comprehensive Guide for Public, Private, and Not for Profit Board Members, Richard Leblanc, ed., Wiley, 2016.
9. Harvard Business Review, “Giving After Disasters,” Harvard Business Review, January–February 2019, https://hbr.org/2019/01/giving-after-disasters.
10. Holcomb, John M., “Corporate Governance: Ethics, Legal Compliance, Risk Management, and Political Activities,” Handbook of Board Governance: A Comprehensive Guide for Public, Private, and Not for Profit Board Members, Richard Leblanc, ed., Wiley, 2016.
11. Independent Directors of the Board of Wells Fargo & Company, “Sales Practices Investigation Report,” April 10, 2017, https://www.wellsfargo.com/assets/pdf/about/investor-relations/presentations/2017/board-report.pdf.
12. Ittner, Christopher D., and Thomas Keusch. “Incorporating Risk Considerations into Planning and Control Systems,” in The Routledge Companion to Accounting and Risk, edited by Philip Linsley and Margaret Woods, Routledge, 2016.
13. Ittner, Christopher D., and Thomas Keusch, “The Influence of Board of Directors' Risk Oversight on Risk Management Maturity and Firm Risk-Taking,” unpublished manuscript, 2017.
14. Ittner, Christopher D., and Jeremy Michels, “Risk-Based Forecasting and Planning and Management Earnings Forecast,” unpublished manuscript, 2017.
15. Kahneman, Daniel, Thinking, Fast and Slow, Farrar, Straus and Giroux, 2011.
16. Klarner, Patricia, Gilbert Probst, and Michael Useem, “How Do Boards Engage in Product Innovation? A Hybrid Multi-Channel Governance Framework,” unpublished manuscript, 2019.
17. Kunreuther, Howard, and Michael Useem, Mastering Catastrophic Risk: How Companies Are Coping with Disruption, Oxford University Press, 2018.
18. Leech, Tim J., and Lauren C. Hanlon, “Three Lines of Defense versus Five Line of Assurance: Elevating the Role of the Board and CEO in Risk,” Handbook of Board Governance: A Comprehensive Guide for Public, Private, and Not for Profit Board Members, Richard Leblanc, ed., Wiley, 2016.
19. Lipton, Martin, “Risk Management and the Board of Directors,” Wachtell, Lipton, Rosen & Katz, 2015, https://corpgov.law.harvard.edu/2015/07/28/risk-management-and-the-board-of-directors-3.
20. Lipton, Martin, et al., “Risk Management and the Board of Directors (Updated August, 2018),” Wachtell, Lipton, Rosen & Katz, 2018a, http://www.wlrk.com/webdocs/wlrknew/WLRKMemos/WLRK/WLRK.25907.18.pdf.
21. Lipton, Martin, “Spotlight on Boards,” Wachtell, Lipton, Rosen & Katz, 2018b, https://corpgov.law.harvard.edu/2018/12/01/spotlight-on-boards-2.
22. McNulty, Terry, Chris Florackis, and Philip Ormrod, “Boards of Directors and Financial Risk during the Credit Crisis, Corporate Governance: An International Review, 21, 58–78, 2013.
23. National Association of Corporate Directors, “2019 Governance Outlook: Projections on Emerging Board Matters,” https://www.nacdonline.org/analytics/survey.cfm?ItemNumber=64105.
24. PG&E Corporation, “PG&E Board Committed to Change,” January 4, 2019, http://investor.pgecorp.com/news-events/press-releases/press-release-details/2019/PGE-Board-Committed-to-Change/default.aspx.
25. PricewaterhouseCoopers. “The Swinging Pendulum: Board Governance in the Age of Shareholder Empowerment,” 2016, https://www.pwc.es/es/publicaciones/consejos-y-buen-gobierno/2016-annual-corporate-directors-survey.pdf.
26. Trillium Asset Management, “Facebook: Risk Oversight Committee,” 2018a, http://www.trilliuminvest.com/shareholder-proposal/facebook-risk-oversight-committee-2018.
27. Trillium Asset Management, “Nike, Inc.: Sexual Misconduct Risk Management,” 2018b, http://www.trilliuminvest.com/shareholder-proposal/nike-inc-sexual-misconduct-risk-management-2018.
28. Useem, Michael. “How Well-Run Boards Make Decisions,” Harvard Business Review, November, 2006, 130–138.
29. Useem, Michael, “Developing Leadership to Avert and Mitigate Disasters,” in Learning from Catastrophes: Strategies for Reaction and Response, edited by Howard Kunreuther and Michael Useem, Pearson, 2010.
30. Useem, Michael, Dennis Carey, and Ram Charan, “Boards That Lead,” Handbook of Board Governance: A Comprehensive Guide for Public, Private, and Not for Profit Board Members, Richard Leblanc, ed., Wiley, 2016.
31. Useem, Michael, and Andy Zelleke, “Oversight and Delegation in Corporate Governance: Deciding What the Board Should Decide,” Corporate Governance: An International Review, 14, 2006, 2–12.
32. Vanguard Group, Investment Stewardship Report, 2018, https://about.vanguard.com/investment-stewardship/perspectives-and-commentary/2018_investment_stewardship_annual_report.pdf.
33. World Economic Forum, “The Global Risks Report 2019,” https://www.weforum.org/reports/the-global-risks-report-2019.