In populating their skills matrices, board chairs often find that recruiting directors with suitable risk governance experience is their most difficult task. According to the DCRO Institute (Directors and Chief Risk Officers), those most capable of leading board risk oversight have much experience “demonstrating a serious commitment to the positive governance of risk-taking at their organizations.” [1] But how and where do you recruit a “Qualified Risk Director”, a designation defined by the DCRO in 2013? Where do candidate directors acquire their education and become credentialed in risk governance? What are the attributes which boards should focus on when recruiting?
Do you have a “Qualified Risk Director” on your board? If not, read on to find the right candidate.
Boards are having difficulty finding directors that understand best practices in risk
Why is it difficult finding good board members with risk governance experience? In my experience from having served on boards, including as a risk and governance committee chair, and from having instructed risk practices (principally ERM/Enterprise Risk Management and how to govern it) to hundreds of board members and senior executives, the answer is simple: leadership from the top results in effective risk governance, yet many directors and executives don’t understand ERM, nor can they determine if it is fully in place in their organization, nor do they know how to implement it. Hence, if risk practices are not understood, they can’t be overseen. Consider the workings of a properly functioning audit committee at the board level, with most members well-schooled in finance, having led and managed senior finance executives. These audit committee directors have held finance jobs and are well equipped to oversee the work of financial executives at the management level. In the risk world, however, fewer board members have had risk-related jobs and hence are less qualified to oversee a practice they’ve never learned.
Two Choices: Recruit or Train
So, you are a board chair, and you need a director experienced in risk governance. You have two choices: recruit a director or train an existing or potential director to fill the role.
Recruiting directors with experience in risk sounds easy, but it is not. You can use your connections, or you can use the services of a recruitment firm to find a director with a track record who has led board risk oversight on another board. Alternatively, you can find a candidate in the risk management field and promote them.
Recruiting sounds easy, but it is not
People in the risk field who could be promoted to a director’s position provide an interesting option for board chairs who would otherwise gravitate to a search firm to find a solution. One key source is RIMS (Risk and Insurance Management Society) [3], which has 80 chapters globally and serves more than 200,000 risk practitioners and business leaders from over 75 countries. Founded in 1950, the Society publishes award-winning Risk Management research and is the largest annual gathering of global risk professionals. RIMS embraces diversity, equity and inclusion, and caters to risk professionals who want to connect and learn, explore a robust online Risk Knowledge library, tune into the RIMS podcasts, and network. Many RIMS members are certified with the ARM/CRM (American/Canadian Risk Management) designation, are well networked and have much practical working experience. Many RIMS members are senior executives, including Chief Risk Officers, and/or are retiring and looking for board positions. Various other risk (and insurance) related industry-specific organizations serve as recruitment sources for boards looking for risk directors.
What are the experience requirements of a Qualified Risk Director [1]
The DCRO Institute is a non-profit educational collaboration among board members and C-suite executives, and is “the world’s leading source of risk governance training and credentialing.” [1] According to the DCRO, boards should consider potential candidates with experience in the following areas:
- Experience as a Chief Risk Officer
- Experience as a Chief Executive Officer or senior operating executive
- Experience on a Risk Committee at a company of similar complexity
- Experience on an Audit Committee at a company of similar complexity
- Experience developing or structuring new products, or a new business, where successful risk management was key to a positive outcome
- Leadership experience with a high growth company
- Experience as an expert in business valuations or in a leadership role in the evaluation of investments or mergers and acquisitions
- Leadership experience with a successful turnaround or restructuring
- Having had responsibility for substantial P&L or revenue generation against a budget for risk-taking
- Having managed a department through various business cycles
- Having chaired a key executive committee at an organization
- Having a role in which a “risk appetite” was defined and applied
- Experience in assessing, managing, and mitigating risk in one of the key risk domains and exposure to all core risk domains
- Experience with derivatives and/or Real Options, or products that have embedded optionality (as appropriate for the organization)
- Experience preparing and analyzing risk reports of commensurate complexity to the organization
- Executive experience in consulting, control, or regulatory roles, provided that those are not the exclusive domains of experience
- Experience with failure from which risk governance lessons were learned
Risk Training for Directors
Most director institutes globally now include some training in risk governance, but such education is typically ancillary to, and not the main focus of, the accreditation programs which directors participate in. Canada’s two leading directors’ institutes, the ICD (Institute of Corporate Directors) and Directors College, both focus on a lengthy list of governance topics with a brief introduction to key subjects within each, risk-based governance being one. The same is true in the USA with the NACD (National Association of Corporate Directors) and the ACCD (American College of Corporate Directors). These organizations now routinely offer non-accredited short courses in overall risk governance, typically a half-day or one-day course covering general, high-level principles in risk oversight. Short courses in Cyber Security oversight for directors are now routinely offered.
In Canada, the GPC (Governance Professionals of Canada) also offers a broad range of general governance topics to their constituents within their accreditation program, risk being one of them (the writer teaches the risk segment). As with the directors’ institutes, the GPC also offers broad one-day training in risk governance. Other governance organizations around the world also address the many topics within board governance, but few organizations are dedicated directly to training for directors in risk oversight.
As mentioned above, RIMS offers much education in risk management, but that education is aimed at risk practitioners such as chief risk officers.
Directors Global provides Risk Governance training for board members and executives
Some consultancies, such as Directors Global Risk Consulting Inc. (the writer is the principal consultant), focus on training groups, i.e., boards and executives, to learn best practices in risk governance and to find opportunities to improve current practices.
The DCRO Institute is one of the only world-wide organizations of some size offering credentialing in risk governance, including the Qualified Risk Director® designation, the Certificate in Risk Governance®, and the Certificate in Cyber Risk Governance℠. The DCRO Institute has a Stakeholder Supervisory Board comprised of directors from regions all over the world and offers its programs to international participants. Its courses are an interesting option for board members and executives with global operations.
The ERM Initiative [5] at the Poole College of Management, North Carolina State University, is geared toward training for risk practitioners such as CROs, but houses an online library available to anyone interested, including much material focused on board risk oversight.
Qualified Risk Directors [1] need special attributes
What are the necessary attributes of a director who can lead board risk oversight? According to the DCRO [1], there are four categories of competencies required:
1. Risk Management Acumen
- Experience managing the types and complexity of risk the organization faces
- An understanding of how risk relates to integrity, ethics, and ultimately to success
- An understanding of how incentive and compensation design influence risk taking
- An understanding of the broad scope of risk, risk terminology, the tools of risk management, and how to assess their proper application to the organization
- An understanding of risk management best practices and their application to the organization and in the organization’s specific areas of work, including a general familiarity with the principles of existing global standards
- An understanding of the influence of corporate and regional cultures on risk taking
- An understanding of how risks can be amplified or attenuated
- An understanding of the regulatory environment in which the organization operates, if any, and prospective changes related to risk governance
- An understanding of board and/or executive Risk Committee functions
- A sound knowledge of financial reporting, not limited to balance sheets, income statements, cash flow statements, and internal control processes as well as how reporting may be influenced by accounting practices
- An understanding of distribution functions, correlations, and statistics commensurate to the complexity of the organization
- Independence, integrity, honesty, and ethical conviction, with the determination to act above personal interests in the conduct of their role
- Having the ability to assess multiple potential outcomes concurrently — to think “stochastically” and about the likelihood of non-linear outcomes
- Assertiveness and the ability to manage conflict with strong personalities
- Having the ability to communicate with a non-technical audience
- Healthy skepticism, balanced with earned trust — allowing one to probe and challenge without becoming unnecessarily antagonistic
- Being unafraid to ask basic and necessary questions
- Having the ability to teach, without lecturing, and to collaboratively build support for risk governance initiatives among board colleagues
- Having the ability to challenge a “group think” mentality, along with the awareness of common cognitive biases present among groups and individuals
- The ability to evaluate different kinds of strategic options, including financial, operational, technological, or market-based investments
- The ability to keep risk strategically relevant, “at the board level” of discussion
- The ability to see both the upside and downside of risk-taking
- The ability to take the “long view” — to think about the effects that something will have in the future as well as in the present
- The ability to think through problems from different and sometimes conflicting viewpoints
- An understanding of the environment in which the organization operates, including identifying stakeholders, international networks, economic inter-relationships, and other external influences on the ability of the organization to achieve its goals
- An academic education commensurate with the complexity of the organization’s needs and related to the industry or industries in which the organization operates
- General director development and governance training
Navigating the world of risk management is difficult enough, but finding the right candidate to oversee management’s best-practice processes requires very experienced individuals. “Qualified Risk Directors” must not only have experience in the risk management field, but equally important is that they have business experience with P&L. Per David Koenig, President and CEO of the DCRO Institute, “when we do our evaluation of those applying for the Qualified Risk Director designation, we give equal weight to business acumen and to experience to risk governance/management acumen and experience.”
Make sure to populate your board skills matrix with a director well qualified in risk governance.
1. The Directors and Chief Risk Officers Institute, https://dcroi.org/
2. Stephen Mallory, Risk Oversight for Directors: A Practical Guide, Chapter 31 from “The Handbook of Board Governance”, Wiley Press, 2020
3. Risk and Insurance Management Society, RIMS.org
4. Directors Global Risk Consulting Inc., https://directorsglobal.com/
5. Poole College of Management, ERM/Enterprise Risk Management Initiative, North Carolina State University, https://erm.ncsu.edu/