Risk Governance: Balancing Risk and Reward

Nothing is more fundamental to business—or more vexing to boards—than risk, particularly in the context of strategic decision making. Risk has always been a companion of reward, inherent in assessing opportunities against a company’s strengths and weaknesses.

There is clearly an intense focus on risk today. While risk management has been on the radar—if not a priority—for most companies and boards over the past several years, many are asking whether our current system of corporate governance and strategic decision making ensures adequate risk assessment and management.    

But risk management is only part of the equation. The full solution entails risk governance—the focus of this report. The following pages offer practical advice and suggestions to directors on how they might improve their processes for overseeing the company’s risk management activities.

In many ways, risk management has always been a battle plan to win the last war. In 1933 and 1934, the U.S. federal government responded to the 1929 stock market collapse with securities legislation designed to solve the problems that led to that collapse. Decades later, the 2002 Sarbanes-Oxley Act created mechanisms designed to prevent activities of the kind that occurred at Enron and WorldCom. Similarly, the legislation and regulations proposed in 2009 responded to the problems of 2008. These after-the-fact measures, while important, highlight the need for engaged and informed directors who foster a valuebuilding strategy while appropriately responding to the attendant risks.

Drawing on the experiences and insights of our Blue Ribbon Commission (BRC) members, research from NACD with Oliver Wyman, as well as the thoughtful work and writings of many others in the business and governance arenas, this report:

• considers the objectives of the board’s risk oversight activities

• examines the critical link between strategy and risk

• clarifies the board’s role in relation to particular categories of risk

• recommends “Ten Principles of Effective Risk Oversight” as guidance for directors.

Clearly no single approach to risk will fit every organization, but we believe that these principles and this report will allow boards to build a more comprehensive risk oversight system tailored to the specific needs of their companies and industries. This report also can provide management with important insights into the needs and expectations of today’s boards with respect to risk and other critical areas of governance.

Our hope is that the guidance and principles set forth in this report provide a starting point— or a turning point—for board discussions about risk as we move forward into a daunting, but ultimately promising, future of balancing risk and reward.