A 2018 joint report prepared by NACD, Protiviti, and NC State’s Enterprise Risk Management (ERM) Initiative advanced the view that boards may not be overseeing the appropriate risks and outlined a road map for strengthening the board’s risk oversight in today’s complex and unpredictable marketplace.
As the business environment changes, so must the board’s risk oversight. As the
pace of change quickens and the stakes for “getting it right” increase, a
question arises: Is our board risk oversight process still fit for purpose?
Here is a refresher of four points from the report’s road map that continue to apply.
1. Revisit the board’s risk governance model and
director skill sets. Depending on the nature of the enterprise’s
risks and the extent of the expected change in its risk profile over time, the
board should assess whether it has access to the requisite expertise and
experience needed to provide appropriate oversight—either on the board itself
or among its external advisers. For example, with digital disruption affecting
many businesses, do directors have sufficient understanding of digital business
models, digital ecosystems, and the potential that hyperscaling digital
platforms has to facilitate rapid growth and reinvent the company’s business
model? These are trends that bring both opportunity and risk to the business,
and understanding them is essential to sound oversight. In addition, the board
should rethink how it organizes itself for risk oversight, including the
delineation of responsibilities among its various committees and the full board.
2. Make culture an
enterprise asset as well as an oversight priority. Culture is
almost always the source of reputation and financial performance outcomes, as
it is a potent source of strength or weakness for an organization. A strong
culture is a critical asset for any brand. It is of vital importance to both a
differentiating strategy and superior performance. Accordingly, the board
should expect management to understand the culture at lower levels of the
organization, and whether the mood in the middle and the tone at the top are
aligned. Concerns that this topic may be “too soft” for objective assessment
should not distract the board’s focus on the real question:
Does the CEO really want to know the unvarnished truth about people’s
perceptions across the entity, and is he or she prepared to act on that
A “speak up” culture that encourages transparency and sharing of contrarian data and bad news entails convincing employees that they can indeed speak up without fear of repercussions to their careers or compensation. Anonymous and confidential surveys are an example of how executive management can learn what they need to know. Metrics addressing such things as mission and values alignment, innovation, resiliency (speed), collaboration, and employee satisfaction also offer insights regarding culture. Candid, open, and constructive board and management interactions should prioritize the tough questions on directors’ minds.
3. Focus on the quality of the risk management
process. Given the
pace of change experienced in the industry and the nature and relative
riskiness of the organization’s operations, does the board understand the
quality of the process informing its risk oversight? For example, how much
manual effort is required by management and various board-reporting departments
to generate the reports used in board meetings? How actionable is the entity’s
risk information for decision-making? These and other questions focus on how
mature and robust the risk management process is and whether it is effective in:
the critical enterprise risks from the day-to-day risks of managing the
accountability for results; Fostering
an open dialogue to identify and evaluate opportunities and risks; and Informing
key decision-making processes with current, reliable information.
4. Ensure management integrates risk considerations
into strategy, performance, and decision-making. The unique
aspect regarding exposure to disruptive change is that it presents a choice: On
which side of the change curve do organizations want to be? Organizations must
make a conscious decision about whether they are going to be the disrupter and
try to lead as a transformer of the industry, or whether they are going to play
a waiting game, monitor the competitive landscape, and react appropriately and in a timely manner as an
agile follower to defend their market share.
These market realities strongly suggest that the board should
ground its risk oversight with a solid understanding of the enterprise’s key
strategic drivers and management’s significant assumptions underlying the
strategy and risk appetite. Directors need to ensure that risk oversight and
management are not appendages to strategy-setting, performance management, and
decision-making, but contribute information and insights relevant to the
success of these core processes.
We encourage everyone to read the joint report from 2018. Boards should take a fresh look at how they are approaching risk oversight, including how the company’s ERM is informing that oversight. With risk management practices for many industries largely rooted in the prior century, the big question is:
Are we prepared to
improve our risk management and risk oversight, or do we face the challenges of
the next 10 years in the digital age with what we’ve been doing over the past
The nature, velocity, and persistence of risks have changed. Consequently, it’s time for boards to revisit their governance model and skill sets and refresh the focus of their risk oversight.
Jim DeLoach is managing director of Protiviti.