Key principles of risk oversight
Thursday, 23 May 2019
By Parmi Natesan and Prieur du Plessis
Helping the organisation to strike the balance between risk and reward is arguably one of the governing body’s most difficult tasks, but also one of its most vital contributions to long-term sustainability.
Risk has always been integral to business. The fundamental nature of business involves committing money to a venture and hopefully reaping the reward later. The more risky the venture, the greater the potential reward; therein lies the eternal conundrum that no business gets right all of the time.
Because it is so integral to business success, the job of managing risk has always been one of the executive team’s key responsibilities. The 2008 global financial crisis, with its massive negative effects on the global economy, acted as a major catalyst for the increasing importance of governing bodies’ oversight role. A further driver is the ongoing digitalisation of business, which is increasing the chances of disruption and also making business cycles much faster.
Principle 11 of the King IV Report on Corporate Governance for South Africa states: “The governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives.”
The wording of the principle captures an important nuance: the governing body is not supposed to eliminate risk, because to do so would eliminate the possibility of reward, something investors abhor, to put it mildly. Rather, it should ensure risk governance actually underpins the strategy by getting the balance between risk and reward more or less right.
King IV also recognises that risk may in fact lead to opportunity.
A measure of the increased importance of risk oversight is the recommendation that risk committees comprise a majority of non-executive members, an advance on the King III Report.
Regulators and institutional investors are seeing risk oversight as critical. To get a sense of where things are going, consider the enforcement action the US Federal Reserve (central bank) took against Wells Fargo. It spelt out the board’s dereliction of duty relating to risk, and went so far as to publicly release letters of censure to directors even after they had left the board.
Governing body members clearly have their work cut out for them. Below are some principles that will assist them in discharging this important obligation, freely adapted from the 10 Principles for effective board risk oversight of the US National Association of Corporate Directors (NACD).
Understand not only the organisation’s key success drivers but also the risks implicit in its strategy. The organisation’s business model will reveal the most important risks, and will enable the governing body to engage with management in determining how much risk the organisation is prepared to assume in order to create value. This will entail a continual, robust yet constructive dialogue with management. One of the lessons of the 2008 financial crisis was that boards seemed not to have properly understood their organisations’ key success drivers and their risks.
Define the roles of the governing body and its standing committees with regard to risk. It’s critical to remember that governing bodies have a risk oversight role, not a risk management one.
Establish whether the organisation’s risk management system is fit for purpose, and is well-resourced. Frequently, risk management is not integrated into strategy but is an afterthought. It is also essential that it has the right resources, including people with the correct skills, to be effective.
Make sure the governing body gets the risk information it needs. Information needs to be both complete and insightful; copious is not good enough.
Assess the risks inherent in the corporate culture and incentive structure. Another lesson of the financial crisis is that corporate culture and incentive structures can promote excessive risk-taking. This is a highly complex area, and unintended consequences are legion.
Ensure and monitor that strategy, risk, controls, compliance and culture are all aligned. This is essentially pulling all the above principles into a coherent whole.
Review the board’s risk oversight processes, including horizon scanning. As with all its key duties, the governing body should periodically review how effective its risk oversight processes are. Care should also be taken to keep abreast of new and emerging risks; because it does not have responsibility for the running of the organisation, the governing body is best placed to keep an eye out for rapidly moving clouds on the horizon.
Risk is a fact of business life. It is the governing body’s job to make sure it is managed in such a way as to support value creation without compromising long-term sustainability.
Parmi Natesan and Dr Prieur du Plessis are respectively CEO Elect and Chairman of the Institute of Directors (IoDSA).