Board Risk Oversight in the Age of Disruption

By Jim DeLoach



In these disruptive times, how should boards discharge their duty of care and duty of oversight with respect to risk when the models to follow aren’t clear? While risk has always been present in every business, in recent years, the velocity of disruption has increased.

New technologies emerging at a rapid pace, geopolitical shifts, regional conflicts, catastrophic events, economic uncertainty, and, of course, the recent pandemic and its pervasive impact on demand, supply chains, the workplace, and mental health have combined to create a new norm. The bottom line is that the check-the-box approach of providing risk lists to boards, along with summaries of who is responsible for managing the risks and what they do, seems sorely wanting in today’s dynamic environment. 

A recent NACD webinar hosted by Protiviti with James Lam, a noted author, board member, and keynote speaker in the risk management space, offered a discussion of the board’s and the executive team’s risk oversight roles in today’s interesting times. With enterprise risk management (ERM) evolving over the years and today’s risk environment portending significant change to come, proficiency at playing the game of resilience is essential.

The webinar focused on the following seven questions.

How do the board’s fiduciary duties impact its risk oversight? Directors’ duty of care and duty of loyalty, as well as the business judgment rule, have provided a long-standing framework for how boards engage management on important matters. More recently, case law has provided greater specificity regarding the board’s fiduciary duties with respect to risk and compliance oversight. Based on several Delaware court rulings (e.g., Marchand v. Barnhill, In re Clovis Oncology, In re The Boeing Co.), James Lam recommended that corporate directors ensure that a risk and compliance monitoring system is in place, the system is performing as intended, red flags and risk metrics around mission-critical risks are being escalated and reported, and management is being held accountable for these mission-critical risks.

How does the board organize itself for risk oversight? Risk oversight is not just a committee responsibility but is a full board responsibility. Each committee has a responsibility for risk oversight to the extent that risks are inherent in their respective chartered activities. Whether a separate risk committee is appropriate depends on facts and circumstances, including the nature and complexity of the risks. Listing standards may also come into play (e.g., the New York Stock Exchange’s requirements for audit committees) and so may regulatory standards (e.g., the US Securities and Exchange Commission’s required disclosure of the compensation committee’s review of incentive compensation plans for unintended consequences from a risk-taking standpoint). The governance or nominating committee should ensure that risk talent resides on the board to help stay ahead of any forthcoming issues.

How are strategy and risk integrated? James Lam suggested five key actions for integrating risk with strategy that boards should consider in their discussions with management:

  • Define business strategy and objectives (i.e., what are we trying to accomplish?).
  • Link key performance indicators to expected measures of success (i.e., what kind of growth and innovation do we expect?). 
  • Identify risks that can drive variability in performance (i.e., what are the variables that can make things better or worse than the outcomes expected?). 
  • Establish key risk indicators, risk appetite, and key controls for critical risks (i.e., what metrics, tolerances, and processes do we need to have in place?). 
  • Provide integrated reporting and management strategies (i.e., what dashboard do the board and C-suite need in order to stay informed and ground risk discussions?). 

Companies addressing these five points will make progress not only in integrating risk with strategy and performance management but also in influencing the culture and behavior of the organization in mitigating risk.

How can the board’s risk oversight be better informed through scenario analysis? James Lam shared his perspective on deploying scenario analysis to better inform the C-suite and the board on potentially disruptive risks. Industry and competitive analysis and enterprise risk analysis provide input into the development of plausible and extreme scenarios germane to the business. Analysis of these scenarios provides insights into potential disruptive risks for consideration in strategic discussions in the boardroom and C-suite. These discussions, in turn, lead to formulating early-warning indicators, action triggers, and decisions. These activities lay the foundation for ensuring that the focus on monitoring and reporting is directed to the disruptive risks that truly matter.

Effective scenario analysis points to the information decision-makers can use to better manage the business and keep the strategy on track as the market evolves. Unfortunately, there are many high-impact, low-likelihood risks—the so-called “known unknowns” or “gray rhinos.” These are the known-risk events that loom on the horizon, and it is just a matter of time before they manifest themselves—a matter of “when,” not “if.” Scenario analysis should be applied to these risks to fully understand their impact and the variables driving them.

Can our company pivot when facing disruptive events? Disruption presents an opportunity to take a business to another level if management is sufficiently anticipatory and acts before the wave of disruption crests. In the webinar, Rachael Griffiths of Protiviti used the three “Rs” to describe an early mover’s attributes:

  • Recognize. An early mover quickly recognizes opportunities and risks that matter before they become common knowledge in the market by understanding the critical assumptions underlying its strategy, evaluating plausible and extreme scenarios that could invalidate one or more assumptions, and conducting competitive and market intelligence and monitoring warning signs to ascertain whether scenarios of greatest concern are either developing or have occurred.
  • React. An early mover acts in a timely manner on the significant opportunities and risks it recognizes by acting decisively on revisions to strategic and business plans and pivoting in response to disruptive events. Possessing knowledge of market opportunities and emerging risks is not enough.
  • Reflect. An early mover learns continuously from experience, especially circumstances when it failed to either recognize or react.

In essence, early movers offer a time advantage and options to decision-makers.

How do we deploy data, information, and insights to become more anticipatory? As organizations integrate strategy and risk, deploy scenario analysis, and strive to become early movers, they become more anticipatory and less reactive. These capabilities generate the data, information, and insights essential to thriving in the age of disruption. In the boardroom, the focus on managing risk tends to address such questions as what are our risks, how are we managing them, who is responsible, and what are the underlying processes that inform us on these matters? As companies become more anticipatory using the aforementioned capabilities, they will make greater use of forward-looking lead indicators and integrated analytics. They start asking different questions, such as: Are we riskier today than we were yesterday, are we entering a riskier time, and why? These questions are more fitting in the age of disruption and they underpin what defines an early mover.

How does the board know if ERM is working? This question speaks to the board’s fiduciary responsibilities, as discussed above (e.g., are the appropriate systems in place and are they operating effectively?). Progress toward integrating strategy and risk while increasing the value contributed through the board’s dashboard reports also helps to provide insights. While the ideal set of metrics depends on the scope of the business, an illustrative scorecard of board-level metrics should address enterprise, financial, strategic, operational, and reputational risks.

A strong customer focus, staying in touch with market realities, embracing the tailwind of external trends, emphasizing high-velocity and quality decision-making, and inculcating an innovative culture that functions at market speed help companies stay ahead of the change curve. While the responses to the seven questions above do not provide all of the answers, they provide takeaways for directors to consider in their efforts to sustain the business in the age of disruption.

Protiviti is a NACD partner, providing directors with critical and timely information and perspectives. Protiviti is a financial supporter of the NACD.

Jim DeLoach
Jim DeLoach is managing director of Protiviti. DeLoach is the author of several books and a frequent contributor to NACD BoardTalk.