Excellent Advice on Risk Oversight
Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.
The National Association of Corporate Directors (NACD) has established an advisory council on risk oversight and published a report on its second meeting that contains notable comments. It is available at http://www.nacdonline.org/Resources/Article.cfm?ItemNumber=6762.
I advise reading the publication carefully and slowly because many points are made without elaboration.
Here are some of the more interesting pieces, with my elaboration.
Directors should have a “real and thorough” understanding of the business to be able to effectively discuss strategy and risk with management.
- This is a known and significant problem. Other surveys have reported that as many as 70% of directors do not have a sufficient understanding of either the business or the strategies for delivering value. As discussed in the next quote, directors are part-time, often unable or unwilling to dedicate the time required to obtain the detailed understanding of the business and its operations to provide effective oversight of strategies, risk, or performance.
As overseers of the company, it is necessary for directors to act as skeptics of management, questioning and even providing dissension if necessary. However, delegates noted that with lengthy tenures, it is possible that some committee chairs can become so comfortable with their respective management contacts that they risk losing sufficient skepticism. To promote fresh thinking and skepticism, the delegates suggested implementing methods of committee rotation, such as term limits. Additionally, conducting meaningful board and committee evaluations that consider director tenure can help to ensure that committee rotation is viewed positively by the whole board.
- It is interesting to note that the more recent governance codes, such as those in Malaysia and Singapore, consider that directors with long tenure are no longer independent.
In many cases, the board was simply unaware of the operational risks occurring at the company... The role of a director, by nature, is a part-time job. As such, directors are reliant upon the executive team to provide the information necessary to evaluate risks and corporate performance... “The definition and role of oversight has changed in the last five years... [but] management hasn’t realized that oversight has changed.” Indeed, the expanding gaps may stem from management not fully realizing the new, changed board oversight role... Directors should establish tolerance levels for the level of risk they are willing to bear, and look for signs of when this risk has become too high... Of course, communication is a two-way street. It is the responsibility of the board to communicate its expectations regarding information flow.
This is where the council, in my opinion, missed the most critical ingredient to effective oversight: adequate processes for risk management that include appropriate communication to the board. The board should ask more questions about the adequacy of management's processes than about individual risks. If the processes are sound, new risks or changes to existing risks are likely to be handled well.
It is certainly desirable for the chief risk officer to have access to the board, and provide regular reports. But is that sufficient when we are living in such a turbulent world? Access should be as often as necessary. In addition, the onus for communicating changes in the risk environment should be primarily with executive management.
The board should require that internal audit assess and report on the quality of governance and risk management processes at least annually, using a risk-based approach. The discussion in the NACD report about comparing the internal audit plan to management's risk report is interesting; I would wonder why internal audit would work on areas not rated at the top of management's assessment, and why they decided not to address key risk areas.
This is good, but the selection of objectives and strategies should be based, in part, on risks in the business environment. Risks should not be left to be an afterthought.
- It is true that the only risks that matter are those that relate to the achievement of objectives and delivery of value.
- The discussion of whether the full board or a committee of the board should provide risk oversight is interesting. I like this idea that if there is a risk committee, all directors should be able and encouraged to attend.
Some will say that there is little new. That may be true, but the points are made well and are from a credible and authoritative source.
I welcome your comments.
Posted on May 20, 2013 by Norman Marks