In the aftermath of the financial collapse of 2008, an increased emphasis on risk management has meant, in some cases, that the pendulum may have swung too far in the direction of low tolerance or even no tolerance. But an overly cautious approach to risk management can take a toll in terms of missed opportunity and value creation.
There has been too much emphasis in the literature on eliminating all risk, which is neither desirable nor even possible. Risk is part of all business, and without it there are no rewards. Instead, the goal should be to prudently manage risk to limit the likelihood of having damage occur. And as boards implement the systems and processes to manage risk, they should carefully observe the boundary line that separates governance turf from management turf. Moreover, they must understand that risk management is not generic. Every company has its own requirements.
As the former head of the Risk Management Association and current chief risk officer of Huntington Bank, Kevin Blakely provides a contextual framework as well as practical advice for boards that are grappling with their role vis-à-vis risk management.
“Don’t shy away from risk,” Blakely advised. “Shy away from inappropriate risk, and actively manage the risk you decide to take on. Banking has been around, in one form or another, for thousands of years, and we learn from downturns what we can do better.” One of the advances in recent years, he said, is greater sophistication in the ability to graph quantitative risk, and while this is crucial to determining an accurate forecast for risk management, it is not in itself sufficient. In most cases, he said, since we use past data to forecast the future, relying on numbers alone is akin to “driving forward while looking in the rear-view mirror. Frankly, there is no substitute for the qualitative measure — for judgment, experience and a strong culture.”
The board’s role
Company boards are comprised of very smart people,” said Stewart Goldman, who heads Korn/Ferry’s North American Risk Management Practice, “but their time is not best used deciphering the nuances of financial risk modeling and analysis. Directors need concise, consolidated reporting from executive management that helps them to identify and focus on the most critical risks to an organization in order to be effective.” But, Goldman noted, boards play a more or less active role managing risk depending on their industry, particularly when grouped by financial-related companies versus nonfinancial-related companies.
“In financial services and other regulated industries, the board will be active in driving the agenda on risk appetite, but will not play as active a role in day-to-day risk management,” explains Goldman. That’s because those industries have a more mature risk management framework within their executive management teams. But the board is still on the hook as far as liability and needs to be aware of the risks being taken. The board will, of course, be generally knowledgeable about the business, but will possess the most significant risk expertise at the committee level, particularly on the audit, compliance and compensation committees.
While it is impractical, indeed impossible and even inappropriate, for directors to be involved in the minutiae of risk management, they can ask questions to ensure that they create a dashboard on which all major risks can be monitored and managed. Such questions include: Who is responsible for risk management? How are we conveying that message and ensuring that people throughout the organization understand it? Are we providing sufficient information on corporate risk tolerance, boundaries and the repercussions for overstepping them? Do we have confidence in the information we get from management? Is it too much? Too little? Is it timely? Are the incentives we provide aligned with and reinforcing our agreed--upon risk appetite and philosophy?
Covering the bases
Lawrence Zimmerman, who serves on the Stanley Black & Decker, and Brunswick boards, and also on the Delphi Automotiveboard, has focused a great deal on risk management throughout his career, both from the point of view of the executive team and as a director.
In advising directors, Zimmerman said, “The subject of risk management can drive you crazy” because directors cannot and should not be involved at all levels. “The system I’ve constructed and relied on from the perspective of the board is that there are four areas I need to worry about: regulatory, controls, financial and business strategy.”
Viewing risk as comprising those four areas, Zimmerman said, can help boards get their arms around risk management, and when they do, they may come to the realization, as he has, that boards as a whole belong squarely in the business strategy quadrant. “If you look at the other three areas — regulatory, controls, and financial — those are managed in deep dives by committees, committee chairs and outside auditors,” he said.
Where the board — the entire board — needs to spend more time is on the business strategy; that’s where the board adds value. For most companies, Zimmerman believes, taking calculated risks that will pay off when it comes to business strategy is difficult because “it’s hard to move off of where you’ve been,” particularly, perhaps, with large companies that have been highly successful with one strategy over a long period of time.
But there are many things to consider when deciding whether to shift a business strategy and assessing and ranking the risks inherent in each approach. The road not taken, for example, may result in a loss of opportunity as well as an opening for a competitor. When Xerox bought Affiliated Com-puter Services Inc. in 2010 to create one of the largest business process and document management platforms, it may not have been an ideal time from the perspective of Xerox stock (it was at a low point), but it was the only time, according to Zimmerman. “The mistake would have been to let it go, let someone else get in there, and end up with nothing,” he said. “Not taking the risk would have been the wrong decision; it would have been riskier.”
Maintaining board involvement in business strategy, including access to the management team to get the best information, and ensuring the company is well positioned to make the right bets are crucial. “At Xerox,” Zimmerman said, “we worked closely with the business units on business strategy on a regular basis. When working on the strategic plan, we would ask those in the business to list the five most important bets they would be making or not making, and then we would fold them in.” The boards on which Zimmerman serves — as with most effective boards now — review strategy at board meetings but also devote a couple of days off site once or twice a year to assess strategy with senior management to discover what is working and where shifts need to be made, depending on what is changing in the external environment.
An understanding of the strategy provides an essential foundation for board discussions and decisions related to business strategy risk management and all the board’s other responsibilities as well. With the strategy humming in the background, any presentations, proposals and decisions can be assessed according to how they align with that strategy. Lack of alignment may send up a red flag indicating that either a particular move is not the right one for the company or perhaps that the strategy should be revisited and revised.
One risk management fundamental that Blakely recommends boards keep in mind when making decisions regarding the business strategy is: If you don’t understand it, don’t do it. “If it can’t be examined and justified in a logical way, it’s not something you want to engage in.” It’s a lesson from the financial meltdown of 2008. No business, product or initiative should be so complex, arcane or far out that the CEO and the board cannot understand why the company is so engaged, what risks are involved and whether they can be properly managed.
The crucial human factor
The biggest risk to manage — one often overlooked, even in the current environment where risk is continually discussed and monitored by boards — is the risk inherent in people and leadership. Because directors must rely on management for much of the information they need, that filter greatly increases the chance that something may go awry. “Management is in control of much of the information that the board receives,” Zimmerman explained, “and you have to have absolute trust in those running the company; there is plenty of opportunity to cover things up if people are so inclined. The CEO and the CFO have to be first-rate. When boards get into trouble, it is usually a people-related issue at the top.”
People are the single biggest reason that things go wrong in any business, whether it’s an unethical CEO, contractors cutting corners or a rogue trader out to make a killing. Therefore, a broad, realistic definition of the risks to be managed includes more than the most predictable catastrophic situations and financial risk. The board’s primary responsibility in risk management is to ensure that the business is run by people with high ethical standards and unassailable integrity.
Very few organizations look at CEO succession as part of a risk management strategy, but it is crucial and should involve the entire board, ensuring that potential candidates are asked the right questions and that they are assessed on their potential not only to help the company but also to hurt it.
“The tone is set at the top,” Blakely asserted. “It is critically important for the board and the CEO to set the right tone and broad parameters regarding risk management. Otherwise, it’s like going sailing without a rudder; you don’t know where you’ll end up and more than likely you won’t like the result. The board sets the risk appetite and the processes that will be established to monitor it. Then the CEO and management execute against that. Everything has to be measurable, so it’s apparent that you are in conformance with the established risk tolerance, and there has to be a mechanism for reporting back to the board.”
Ensuring adherence to boundaries and reiterating the importance of not overstepping them sometimes requires the CEO and the board to regularly underscore, in unmistakable terms, what is acceptable behavior and what is not. At Huntington Bank, Blakely said, the CEO would occasionally publicly call out the actions of various people, not always for what he considered positive behavior, to illustrate a point. “It was his way of emphasizing what his expectations were, as well as those of the board, for risk management and individual accountability, and the impact it had on the corporation was amazing,” he said. “He not only continued to set the right tone, he also established a standard of behavior and expectations so that everyone was rowing in the right direction.”
In their day-to-day routine, Blakely said, people are so busy that they may not hear or understand the overarching messages concerning the organizational tolerance of risk. Regardless of level or position, everyone should be able to articulate the organization’s risk appetite in a similar way, simply and succinctly.
Embedding a culture of risk management
Among the lessons learned in the last several years is the growing realization that risk management is everyone’s business, not limited to those in control or risk management functions. “An understanding of risk-reward tradeoffs needs to be driven down into the organization, and everybody needs to be aware of the corporate appetite,” Goldman said. “What are the tolerances we are willing to accept?” And, he added, there has to be an internal framework so that the big picture of risk is readily viewable with a consolidation of positions that are being taken.
But information should flow in both directions, and feedback that makes its way from the businesses to the CEO and the board is also crucial. A system designed to set off needed alarms — signaling that the organization is approaching limits of risk tolerance — is essential to avoiding major problems.
The growing organizationwide approach to communicating about and managing risk — as opposed to the more siloed functional approach, has led to a different view of the required skill set of the risk manager, Goldman said. “The risk manager needs to be more of a commercial thinker than in the past,” he said. “He or she has to be able to speak the language that those who run key businesses will understand to effectively create a risk culture.” It’s an area in which Korn/Ferry has maintained a dedicated focus since the accounting scandals of 2001, he said, when the firm worked with the government to assemble the Public Companies Accounting Oversight Board. “We are seeing greatly increased demand from clients for this new breed of risk manager, which we expect will continue.”
In an organization with a risk-aware culture, risk belongs to everyone and cannot be shirked by anyone. “Everyone owns risk; that’s our mantra at Huntington,” Blakely said. “It doesn’t matter if you approve or source deals — you will be held accountable. Anywhere you are able to avoid responsibility for risk as ‘not my job,’ you are destined to have significant problems.” In a financial services company, Blakely identified three lines of defense for risk management, which ensure broad ownership and little opportunity for anything to fall through the cracks:
• The risk taker — on the front line with the client
• The primary oversight function — risk management
• Additional backup functions — internal audit and credit review
It’s a team approach, not unlike a hockey team’s approach to defense, Blakely said.
“It’s the goalie’s job to prevent goals, but if defense belongs only to the goalie, you will lose the game,” he said. “Everyone has to be a risk manager. Revenue producers have to see it as part of their responsibility.”
Maintaining the right level of board involvement
Because they are part-timers at companies and because they are responsible for governance, not management, directors have to ensure that they maintain the right level of involvement when it comes to risk management.
Boards help to establish the framework for managing risk. By consulting with those who lead the business, they can determine the most likely risks and create a scorecard to keep an eye on them and sound the alarm if necessary.
It’s generally considered undesirable for directors to be too intimately involved with management. At some companies, however, key committees, like audit and compensation, have begun to work more closely with relevant executive team members to manage their sizable workload — the CFO and chief human resources officer, for example — often bypassing the CEO, while still keeping him or her in the loop. This sort of partnership, where directors are closer to the business, may have other benefits as well, including the ability of boards to spot early warning signs of trouble, the result of a thoughtful risk management process, enabling them to intervene before a full-blown crisis develops.
Building a culture in which all understand their role in monitoring and identifying risk is part of a complex process where the board and the CEO set the tone and the agenda, but everyone is a sentry in the corporate army. Assuming those in the organization have gotten the message and the CEO and board establish the right sort of environment, people will be motivated to say something when they see something, although that is sometimes easier said than done. It takes courage for a risk manager, when assessing the risk-reward equation against a particular transaction to stand up and say, “We can’t do this,” especially to the individual who pays his or her salary. But a carefully devised culture, supported by proper incentives, can go a long way toward encouraging people to do the right thing.
Boards should recognize risk for what it is and will continue to be: a fact of corporate life. When risk is consciously accepted, harnessed and actively managed on an enterprise level, and no one is permitted to abdicate responsibility for it, however, it becomes a critical competitive advantage. This disciplined, systematic approach to risk management should enable boards to evaluate the risks inherent in all aspects of their work, determine what risks are worth taking and calculate their return on that risk.
Dennis Carey is vice chairman of Korn/Ferry International and specializes in the recruitment of CEOs and corporate directors. He is lead author of “CEO Succession: A Window on How Boards Can Get It Right When Choosing a New Chief Executive” (Oxford University Press). Judy Roland is president of Roland Communications in New York, and works with clients on communication strategy and planning.