Preparing your Board to Oversee Risk in 2024

In the March 17, 2009, edition of Business Week, at the height of the 2007-2009 financial crisis, authors Clarke Murphy and J. Frank Brown declared that “Boards Must Take on Risk Management.” In that same edition, Business Week reported that “Failed risk management is at the heart of Wall Street’s malaise.”[1] As we head into 2024, have boards improved their risk oversight practices?

In the latter half of 2023, I had the honour of making four public appearances addressing how boards can enhance their oversight of risk. In this paper, I have summarized the key takeaways from my speaking notes, including leading 2023 research on this topic, addressing the following:

  • Is the world today a riskier place for businesses versus last year and the years before?
  • Why are boards challenged in risk oversight?
  • Seven actions for effective board risk oversight.

Do you wish to optimize your board’s oversight of risk in 2024? Read on to explore this subject in more detail and to access a slide deck summary with details and research.


Much research on board risk oversight and the state of ERM in the US and worldwide emerged in 2023. The following is a summary of key points, many drawn from this research, from three presentations and one online seminar appearance by the writer between August and November 2023. The presentations were delivered at:

  • GPC (Governance Professionals of Canada), Annual Convention, 8/15/2023;
  • PACICC (Property & Casualty Insurance Compensation Corporation), Risk Officers Forum, 11/30/2023;
  • ECSE (Eastern Caribbean Securities Exchange), Governance Session, 11/29/2023;
  • Institute of Corporate Directors, Greater Toronto Chapter, online seminar panel, 11/29/2023.

In addition, the writer attended two public company board meetings and presented some of the material addressed below.

If you have a second monitor, follow along with the slide deck, Preparing Your Board to Oversee Risk in 2024.



I believe that now more than ever, in this increasingly risky world that we live in, boards need to be an integral part of the Enterprise Risk Management process. Some would argue with me, but at the time of the 2007-2009 financial crisis, most boards simply rubber-stamped ERM presentation materials delivered by management. I see this changing rapidly. We’re now seeing new, younger, skills-based boards hiring directors with much practical experience in areas needed by the organization, including in risk. These are skilled people who have had “Finance,” “Human Resources,” “Risk” or other organizational designations in their titles or job functions throughout their careers. The need for “Qualified Risk Directors” serving on boards is a key theme today.


My experience is detailed on Slide 3. Briefly, here are a few experiences from my career which I believe qualify me to deliver this talk today:

  • Boards: two Canadian federal Crown Corporations: VIA Rail Inc. (Canada’s national passenger railway), including service as Chair of the Governance, Risk and Strategy Committee and member of the Pension Committee; and the Standards Council of Canada, member of the Audit Committee;
  • Instructor of Risk Management: past and present experience at the ICD (Institute of Corporate Directors, Canada); GPC (Governance Professionals of Canada); and York University in Toronto, Master of Financial Accountability curriculum;
  • Career: 30+ years in the risk field; previously a CEO and Region Head within two of Canada’s largest insurance brokerage firms; founder of a firm sold in 2018;
  • Current: consulting with boards and executives to facilitate best practices in risk.


I’ll address three topics this morning: 1) Is the world riskier today? 2) Why are boards challenged in risk oversight? 3) Seven actions for effective board risk oversight. I’m going to start with two “Intro” slides to kick off my talk: “Three Takeaways” and “Two important statistics”:


Slide 4: “Three Takeaways,” what I’m going to be talking about today:

Three Takeaways

  1. Understanding ERM Processes: key to board risk oversight is an understanding by directors of the processes of ERM. Boards should be knowledgeable about the gaps between current management processes and best practices, then seek to have those gaps narrowed;
  2. Qualified Risk Directors: boards should have members (at least one) with direct experience in risk management, to understand the work of management and what’s expected;
  3. Focus on Key Risks: boards should deep dive on the biggest current and emerging risk(s) which could impair the company.


Slide 5: The key statistics in my presentation today are US-based and come from a study released in 2023 by the AICPA (American Institute of Certified Public Accountants).[2] In 2023, US statistics on ERM were more readily available, and they are a reasonable reflection of what’s going on in Canada in ERM as well. Let me give you two important statistics to underline my key takeaways today (I’ll refer to these slides later in the morning):


Two important statistics


  • Of 454 companies surveyed in 2023, only 29% said they had a mature or robust “best practices” ERM program. This number rose to 48% for public companies and 47% for companies with over $1BB in revenue.
  • 76% of boards of public companies are asking for more active senior executive involvement in risk management.

Conclusions: with less than half of the biggest organizations having a best practices ERM program, there’s a gap between what boards want in terms of active risk management practices by their management teams and what’s actually happening in risk management. So, how can boards oversee practices which don’t yet exist?


Topic #1: Is the world a riskier place? (Slide 7)


Is the world riskier compared to last year and the years before that? Compared to last year and recent prior years, all categories of surveyed companies (big, small, public, private, financial, not-for-profit) said the world is getting riskier. Note that 77% of public companies feel the world is riskier now than in past years, and 72% of financial services companies concur.


What are the current top risks leading into 2024?


  • (Slide 8) World Economic Forum (WEF): a late 2023 WEF study of 11,000 international executives ranked the top risks. In the USA the ranking is Economic Downturn #1, Infectious Diseases #2, Inflation #3. In Canada: Economic Downturn #1; Labour & Talent Shortage #2; Extreme Weather Events (Floods & Storms) #3.
  • (Slide 9) North Carolina State University (NCU) and Protiviti study (executives and board members):[3] the study ranked the top three risks in 2023 as Talent Acquisition, Economy and Labour; 10 years from now (2032), this group sees Talent, Technology Adoption and Technology Disruption as the top three risks;
  • (Slide 10) Office of the Superintendent of Financial Institutions (OSFI Canada): sees Housing Bubble, Liquidity and Commercial Real Estate as top risks;
  • (Slide 11) PACICC / Property and Casualty industry in Canada: from the PACICC September 2023 ERM study, Climate Change, Cyber and Technology Change/AI are the top emerging risks.

Top risk themes leading into 2024:

“… Economy, Labor, Technology/Cyber, Weather/Climate Change…”


Conclusions: I see Economy, Labor, Technology/Cyber and Weather/Climate Change as the predominant top risks going into 2024. So is it more important now than ever that organizations adopt best practices in ERM to manage these and other risks? Yes, and equally important is that boards become better equipped to understand ERM so they can oversee management’s risk processes and practices.


TOPIC #2 (a): “Why do boards fail in risk oversight?” LACK OF RISK GOVERNANCE (Slide 12)


The simple answer: where adoption of risk governance practices is slow, risk oversight becomes very challenging.


OSFI in Canada (Slide 13) offers guidance from which all industries can benefit, but let’s dig deeper and look at three common causes of governance breakdown in the risk area.


(Slide 14) Let’s compare how boards practise risk oversight versus financial oversight. Consider a well-organized Audit Committee, which typically has qualified financial directors, mandated certification standards to follow for compliance, and directors with education and certification in this area. Contrast this with:


  • Lack of Qualified Risk Directors (QRD): qualified risk committee members are hard to find. The DCROI[4] (Slide 15) defines four characteristics of a QRD, and it is particularly challenging for Board Chairs to find someone who meets all of them. Recruiting and training board members and individual directors can be done in a variety of ways (see “Recruiting or Training Qualified Risk Directors for your Board”[5]);
  • Lack of Mandated Standards: there are internationally recognized risk standards available to underpin and blueprint an organization’s risk framework, but none are mandated, and many organizations don’t adopt them. Many directors can’t say which standard their risk framework is based on;
  • Minimal Education: most senior executives and board members are not trained in ERM, yet this is needed for proper implementation by the C-suite and for proper oversight by board members. The AICPA statistics show that education is lacking: 58% (full sample) and 55% of financial services firms have provided minimal or no ERM training for their boards and executives in the last two years.


TOPIC #2 (b): “Why do boards fail in risk oversight?” SLOW ADOPTION OF ERM BEST PRACTICES BY MANAGEMENT (Slide 17)


So, “Why do boards fail in risk oversight?” Let’s look at reason #2(b): slow adoption of ERM “best practices” by the C-suite.


(Slide 18) The AICPA statistics show that there is a lot of work to be done. Across the full sample of the survey, only 29% of organizations in 2023 have a mature, robust best practices program operated by management. This number grows to 48% for public companies and 36% for financial services firms in 2023. This means that in most cases boards are overseeing less-than-optimal ERM practices by management.


So, are the gaps between current and best practices of management in risk being challenged by boards?


(Slide 19) The AICPA statistics show that 76% of boards of public companies are asking for more active senior executive involvement in risk management. This means boards want more adoption by management of best practices in ERM.


(Slide 20) To address the above-referenced “challenges,” the writer conducted interviews with five directors (one being the Chair of a major company board) from Canada’s property and casualty (P&C) insurance industry, along with an interview with a Chief Risk Officer (CRO) of a large Canadian P&C institution. These board members generally concurred with the comments stated earlier regarding why boards are challenged in risk governance practices. In the biggest organizations, however, many of the referenced risk practices do exist, especially if the management team has a full-time chief risk officer and the board includes a member who was a CRO in a past role (see Slide 20 for a summary of these discussions). In my discussion with the CRO of one of Canada’s largest financial institutions, many of the governance practices and best practices were being closely followed.


Conclusions: concurring with the AICPA statistics, the larger the institution, the more prevalent risk governance and ERM best practices seem to become, largely driven by the existence of a full-time CRO at the management level and a board member with Chief Risk Officer or similar past experience in risk. Other companies, however, still need improved risk governance and oversight.


TOPIC #3: Effective Board Risk Oversight, Seven Actions

(Slide 21) Now let’s look at our third topic: what are the key fundamental steps for effective board risk oversight? We’ll focus on seven actions.

(Slide 22) ACTION 1: Qualified Risk Director: a key governance topic. We spent some time earlier addressing this matter, so I won’t repeat its importance. Directors leading risk oversight need enough experience to discern the difference between the executive team’s current practices and best practices, to ensure all required processes are being orchestrated diligently;


(Slide 23) ACTION 2: Create opportunities for independent directors to question the risks and processes of the company: in the United States, independent outsiders make up 66% of all boards and 72% of S&P 500 company boards. But for private or NFP boards, non-independents are often the minority. We cannot assume that they are as informed. These independent directors need access to additional information to understand the adequacy of management processes. Ideas for securing this information include in-camera sessions with the Chief Risk Officer and with executive team “risk owners”;


(Slide 24) ACTION 3: Defining the board’s role in risk: assume that most members of the board don’t know how to oversee risk. Therefore the role should be clearly defined, usually in the “ERM Policy Statement,” “Risk Framework” or board charter. The steps should be repeatable, with annualized steps to actualize the oversight, each scheduled in the board calendar: some items monthly, some quarterly, some annually. Before adopting the roles (which are usually proposed by management), the board should agree that they are reasonable, achievable and can be actualized. It is also important that the role of the Risk Committee (or whichever committee oversees risk) be defined and differentiated from the overall role of the board, with specific deliverables such as what is to be presented at board meetings and what items require full board approval (e.g. risk appetite). A brief list is shown on Slide 24;


(Slides 25 & 26) ACTION 4: Set up a Board Risk Committee and/or sub-committee: the Audit Committee and the Risk Committee are typically where risk resides (see Slides 25 & 26 for typical committee structures and the current percentage of boards with each). An interesting structure is one where risk resides in “all committees”; this structure utilizes the knowledge and experience of most board members across the various committees. However, a dedicated “Risk Committee” structure is also preferred and houses expertise which helps the whole board in oversight. Here are some challenges with the Audit Committee approach:

  1. The AC is the busiest committee; risk often gets pushed aside as other key issues are prioritized;
  2. Financial risks get priority; members are often prone to view risk through a financial lens;
  3. Internal audit often oversees risk and also reports up through Finance, creating a conflict: can IA be truly independent?


(Slide 27) ACTION 5: Ensuring ERM “best practice” maturity and progress: boards need advice on the “maturity” of their ERM programs. Key is to conduct a gap study of current practices versus best practices. In simple terms, how can you oversee a practice if you don’t know what to look for? Preferably a qualified Chief Risk Officer is part of the management team to provide internal expertise; otherwise boards should engage external expertise. Boards need to know the state of advancement and quality of their risk processes in areas such as risk identification, assessment, control, monitoring and reporting. There are various ways to gauge the maturity of a risk program (see Slide 27);


(Slides 28 and 29) ACTION 6: Executive compensation for risk milestones: big and public companies are starting to tie executive team compensation to achieving milestones in ERM, but this practice is typically non-existent in mid-sized and smaller companies. Per Slide 29, only 14% of US organizations follow this practice, while international adherence is slightly higher. Build “measurables” into executive compensation to reward the CEO and the executive team for effective management of risk and for accomplishing milestones, specifically for achieving best practices in ERM.


(Slide 30) ACTION 7: Board risk workshops: to ensure the development of a risk culture, it is important to increase board members’ engagement and interest so that they support and promote ERM and the CEO’s initiatives to prioritize it. Without board and CEO support, ERM programs are likely to fail. In addition to providing education for board members, the board should meet annually for a special session on risk to review, comment on and provide input to the risk register and other elements of ERM, such as risk appetite, alignment of risks with key corporate objectives, deep dives on top risks, and the progress made in maturing the ERM program (see Slide 30 for workshop ideas).



Studies show that the business world is riskier today than ever. This necessitates boards moving from a “gut feel” approach to risk to a state of risk oversight using structured and proven processes. Boards don’t manage risk; executive teams do. Boards should be comfortable that they understand the gaps between management’s current processes and best practices, then seek to have those gaps narrowed. While constructively supporting and challenging executives to mature their risk programs according to accepted standards, directors should be knowledgeable of these standards so they can oversee and understand the work of management and what’s expected. Boards are therefore urged to have members (at least one) with direct experience in risk management, and to deep dive on the biggest current and emerging risk(s) which could impair the company.




  1. Clarke Murphy & J. Frank Brown, “Boards Must Take on Risk Management,” Business Week, March 17, 2009 (“Failed risk management is at the heart of Wall Street’s malaise.”)
  2. The State of Risk Oversight (2023): AICPA (American Institute of Certified Public Accountants) and NCU (North Carolina State University), Poole School of Management
  3. “Executive Perspectives on Top Risks 2023 & 2032,” NCU and Protiviti
  4. The Directors and Chief Risk Officers Institute
  5. “Recruiting or Training Qualified Risk Directors for your Board,” Directors Global Risk Consulting
  6. Risk and Insurance Management Society



