On June 4–5, 2013, members of the North American Audit Committee Leadership Network (ACLN) and the Lead Director Network (LDN) 1 met jointly in New York to discuss the board’s oversight of risk, among other topics.2
 

This document summarizes the key points that ACLN and LDN members raised in the discussion, along with background information and perspectives that members shared before the meeting.3 For further information about the ACLN and LDN, see “About this document” on page 7. For a list of participants, see Appendix 1 on page 8.


Executive summary


The discussion among ACLN and LDN members and other participants in the meeting brought forth three major points:

  • Boards are worried about long-term strategic risks (page 2)

While boards pay attention to many aspects of risk, an important priority is to help management understand and manage the most strategically important risks. Members mentioned the potential impact of disruptive innovation, which may be both difficult to anticipate and devastating. The board must push management to identify these types of risks, and it must assist in the process by discussing strategic risks frequently and seeking the input of outsiders.

  •  All board directors should engage in risk oversight (page 4)

Members said that all board directors should contribute their expertise and judgment to the board’s efforts to oversee risk. Many members noted that the full board is ultimately in charge of risk oversight. At the same time, various committees of the board, especially the audit committee and the risk committee (if there is one), are likely to play important roles, by overseeing the overall process and/or by taking responsibility for the oversight of specific risks.
 

  • Risk disclosures should reflect the board’s discussion of risk (Page 6)

Disclosures about risk, risk management, and the board’s oversight role are increasingly important elements of reporting to regulators, shareholders, and the wider public. One member suggested that companies may be wary of divulging competitive information in risk disclosures. However, Michael Smith, a partner at King & Spalding, noted that disclosures should reflect the board’s concerns regarding risk. The board should review the risk factors disclosed by the company to assure they are aligned with the boards’ view of risks.

Boards are worried about long-term strategic risks


Risk oversight is an important responsibility for boards, and boards pay attention to many aspects of the issue, including the range of risks that companies face and the various elements of enterprise risk management (ERM) systems. But members underscored that it is critical for boards to focus on the risks that could affect the company’s strategy, leveraging directors’ talents to help senior management identify, analyze, and respond to those risks.
 

The big risks


ACLN and LDN members returned several times to the challenge of risks that pose a threat to the very existence of a company. They were particularly interested in the impact of disruptive technologies and new business models that sometimes emerge so quickly that they surprise companies that had held strong positions in their industry. A few examples loomed large, such as the fate of Blockbuster, which succumbed to bankruptcy in the face of competition from Netflix and Redbox. Blockbuster was the world’s biggest movie rental company, but it did not respond effectively to the online technology developed by Netflix and the kiosks operated by Redbox.4


The question for many directors was, in the words of one member, “What are the major disruptive things that could happen to us?” Members suggested that it is not as easy to assess big, strategic risks as it is to assess narrower, more easily measured risks. A member remarked, “There are standard mappings of the risks that are easier to quantify, but strategic risk is not dealt with so easily.” Other members alluded to the element of vision and imagination required. One said, “You don’t know the answers, but you do know you need to see well out in front of the headlights.” Another added, “Seeing disruptive innovation requires a lens to interpret the environment.”
 

Members acknowledged that exposing a company to risk is an inherent aspect of business. A member noted, “Risk isn’t a negative – management needs to take appropriate risks.” Finding a way to think about how much risk a company should assume is essential. The members noted that the concept of risk appetite is appealing in the abstract but hard to apply. One member said: “Risk-adjusted return is a better concept than risk appetite.”

Risk is a challenge to analyze, members said: “Risk is slippery to discuss – it’s hard to make it concrete.” One member explained how even a rigorous process can be misguided if it misses a key factor: “We looked at certain policies and we limited certain risks, to keep risk within certain parameters. Management gave us a chart each month, and they came to the board if it was too far out of whack. But it was false precision. We were measuring the wrong things. We were not focusing on real estate risk before the crisis and that cost us.”

The board’s role


A critical role of the board is to ensure that companies are alert to the big risks. Boards should put pressure on company management to identify and address them, and that means seeking a range of opinions. One member said, “A really important role of directors is to make sure companies are looking and learning. People need to be aware of what others are saying.”


Boards can also assist in trying to identify the risks, using some of the same tactics that management should be using. A member reflected, “Directors can’t be perfect, but they ought to try. You want to learn, listen, explore – get out of the box.” Another member commented, “Every company smokes its own exhaust. One of the most important roles for directors is to listen to the people who don’t agree with them.” Others agreed. As one said, “You’ve got to get outsiders into the boardroom who will throw bombs. The best place I know for doing that is Silicon Valley.” In addition to listening to innovators in technology, members mentioned seeking input from competitive entrepreneurs, younger employees, and other possible dissenters from the company’s established strategy.


Some ACLN and LDN members had seen recent efforts by boards to focus more on strategic risks. One member explained what happened at some companies: “Board directors were increasingly frustrated that they were not spending enough time on strategic risks. The boards went to the CEO and said, ‘Tear up the traditional agenda and make strategic risk the centerpiece of every board discussion.’”


The members described having to overcome some resistance and underscored the rationale for pushing through the changes: “Management was often less enthused, but they have accommodated us. Most of the stuff we did before didn’t matter, but the stuff we didn’t do could have mattered.”


A focus on risk is emerging in data on board engagement. According to a recent survey by the Conference Board, reporting to the board about risk takes place at each board meeting for 30% to 50% of companies, depending on sector, with fewer than 20% of companies reporting on risk to the board only “as needed” or at the board’s request.5

The board’s role and management’s role
 

Members brought up the general question of what the board should be doing versus what management should be doing. A member remarked, “The board faces a dilemma. We can’t be setting strategy. But we don’t want to feel like we’re watching a Greek tragedy. We want to play a part.”
At one member’s company, appointing a chief risk officer resulted in both the board and management paying more attention to risks. The member explained, “The appointment prompted activity and brought more information to the board. We whittled down 250 risks to 30 risks and assigned follow-up on them … We now have a more organized process, and more significant commitment than at other companies.”

A few companies use the board more actively to assess strategic risk. One member recounted how the CEO of the company asked a group of board members to travel to China to investigate a potential joint venture and report back to the board on both the major rewards and major risks. However, another director pointed out that management has to be deeply involved in all risk assessments: “We need management to look at these issues. Management lives and breathes what we only see periodically.”
 

All board directors should engage in risk oversight
ACLN and LDN members expressed a strong view that all board directors bear responsibility for strategic and operational risk oversight. Not only do directors get involved as members of committees that take on specific elements of risk oversight, but they inevitably play a role as members of the full board, which directors emphasized is ultimately responsible for risk oversight.

The role of the full board
According to the recent survey by the Conference Board, a high percentage of all companies (anywhere from about 38% to just over 50%, depending on sector) assign responsibility for risk oversight to the full board.6 Many ACLN and LDN directors confirmed that the full board often takes the lead, or that it should. One director said, “Most board members would like to be fully engaged. It’s the responsibility of the full board in an ideal world.”


In some cases, ownership of risk oversight by the full board may entail little if any delegation to the board’s committees. In a pre-meeting conversation, one lead director said, “My boards handle it fully. The entire board wants to understand and have oversight of the full company. If it’s parceled out to the committees, the board is worried that they are out of the loop.”
 

In other cases, one or more committees may be closely involved, but the full board is ultimately in charge because all the board members are engaged. A member commented, “A committee may do the heavy lifting, but in a lot of cases where it goes to a committee, you see the full board around the table [at the committee meeting].” Another member said, “The committee does work on behalf of the other directors, but everyone is responsible. Everyone signs the 10-K and needs to take that seriously.”
 

One member said, “The worst thing that can happen is that the full board thinks it has no responsibility because it’s delegated – you have to prevent that.” Bringing to bear all the expertise available is a driving factor, another member said: “Look at the composition of the board. You can’t have only those on the audit committee evaluating company risks.”


The role of committees


Even if the full board is ultimately responsible, specific committees may play an important role in risk oversight. On some boards, they may play a leading role. The directors touched on the contributions of several different committees:

  • The audit committee. The New York Stock Exchange requirement that the audit committee “discuss policies with respect to risk assessment and risk management”7 is often interpreted to mean that the audit committee must see to it that there is an ERM process in place and that responsibility for various risk areas has been assigned. Indeed, the percentage of companies assigning responsibility to the audit committee is only somewhat lower than the percentage assigning it to the full board (28% to 40%, depending on sector).8 A member said, “It’s not the full board per se. The audit committee has responsibility for the process steps.”

In pre-meeting conversations, audit chairs pointed out that the audit committee typically also delves deeper into risks that match its expertise, playing, as one put it, “the traditional role of risk assessment and management regarding the pure financial side – financial controls, financial reporting, and accuracy of the numbers.” In some cases, the audit committee may also take on responsibility for other risks, such as technology risks or certain operational risks.

  •  The risk committee. Risk committees are becoming more common in financial services companies, but they are still rare in other industries. According to the Conference Board survey, 24% of financial services companies assign responsibility for risk oversight to a risk committee, while fewer than 5% of manufacturing and non–financial services companies do so.9 Commenting in a pre-meeting conversation on the potential benefits of a risk committee, one audit chair noted, “That’s very specific to each company and its business, and the way that the board is organized and the skills of individual board members. It needs to be customized.”

Other directors saw disadvantages to having a risk committee. One member said, “The problem is that all risk is centralized. There is not as much exposure to the full board and all those perspectives. Everyone relies on the risk committee, but a broader perspective is better.”

  • Other board committees. In pre-meeting conversations, members noted that certain risks belong to certain other board committees. In some cases, there are committees set up to look at industry-specific risks, such as science and medicine in the pharmaceuticals sector or environment, health, and safety in extractive industries. One audit chair said, “Compensation risk could go to the compensation committee. IT risks could end up in the innovation and technology committee.” The nomination and governance committee may also play a role: “I sit on the nomination and governance committee, and that’s where we make decisions about what goes to what committees. Everyone understands what we are doing before we take it to the board for a decision.”

If risk oversight is assigned to multiple committees, the full board or the committee taking the lead ensures that oversight activities are coordinated. A member mentioned the audit committee’s role: “The audit committee is the traffic cop for risk management processes. It looks to see how the committees of the board deal with particular risks.” Another member described an approach taken by a risk committee: “The risk committee chair does an annual survey of all committee chairs to review all of the different activities being covered.” Other approaches also help. As one member said, “There is significant overlap in membership across the audit and risk committees, which helps with coordination.”

Risk disclosures should reflect the board’s discussion of risk
Disclosures about risk, risk management, and the board’s oversight role are increasingly important elements of reporting to regulators, shareholders, and the wider public. During a session on board–shareholder engagement at the recent ACLN–EACLN summit, Colin Melvin, CEO of Hermes Equity Ownership Services, said, “Since the audit committee has an important role in oversight of risk management, we would like more information about it. We want to understand more about the dialogue and debate on these issues.”10 LDN members heard a similar message last year from Richard Breeden, CEO and chairman of Breeden Capital Management: “When issues of capital allocation or risk management are before the board, for example, many large shareholders want to assess whether directors have carefully thought through the issues.”11


The federal securities laws require companies to make disclosure of risk factors, and the Securities and Exchange Commission (SEC) occasionally issues guidance on specific risks in areas such as climate change or cybersecurity.12 In addition, proxy disclosure enhancement rules issued by the SEC in late 2009 require additional disclosures regarding how the board oversees risk, including information about how the board delegates responsibility among committees and the full board and how the board’s leadership structure supports the oversight of risk management.13


Members suggested that companies may be wary of too much transparency in their disclosures about risk. A chief concern is the possibility of helping competitors. In the words of one member, “If you spell it out too completely, you give competitive information away.” Another member suggested that disclosures may be drafted to avoid this eventuality: “Risk disclosures can serve as camouflage to avoid passing information to competitors.”

Michael Smith, a partner at King & Spalding, warned that “the company’s disclosure of risk should match up with the board’s discussion of risk”  to avoid shareholder litigation and SEC scrutiny. He pointed to a court case in which a developer of semiconductor chips was found to have made inadequate risk disclosures in advance of a secondary stock offering. The company had received complaints from its customers about quality issues in some of its chips. The board of the company was aware of the complaints, but the company did not disclose them. Months after the secondary offering, the company had to replace the chips sold to its biggest customers, leading to large losses and a sharp drop in its stock price. Shareholders sued and won an appellate ruling that the allegations of failure to disclose the known risk of replacement stated a claim. The lesson was that boards should regularly review the risk factors disclosed in periodic reports to assure they are aligned with the board’s view of risks.

Conclusion


ACLN and LDN members underscored that strategic risks should be a key focus for the board, saying that the board should encourage and help management anticipate the major disruptions that could severely threaten the company’s success and survival. At the same time, they lamented the difficulty of the task and the temptation to focus on what seems more manageable. As one member put it, “We move so quickly from strategic risks to what we can understand better, but which is not nearly as important.” Addressing strategic risk requires the engagement of all board directors, and whereas specific elements of risk oversight may be delegated to board committees, most members said that the ultimate responsibility rests with the full board. In their public disclosures about risk, companies should be forthright about the issues they face.