The oversight responsibilities of the board span the micro — approving the minutes from the last meeting — to the macro — approving a major transaction. Yet everything the board is responsible for comes down to two key fundamentals: oversight of strategy and oversight of risk — and usually the interplay of both. Over the past decade, boards have leaned further into the former, a reflection of how critical strategy is to growth. Still, risk oversight is at the core of the board's fundamental fiduciary duties.
“Risk evaluation has always been one of the key oversight responsibilities of the board, absolutely bar none,” says Ellen Richstone, audit chair of public company boards Cognition Therapeutics, Superior Industries Inc. and Orion Energy Systems Inc. “If you've got strategy, you've got risk. They are tied together.”
A More Dynamic Risk Landscape
To define what effective risk monitoring looks like in practice, it is helpful to first understand how the nature of risk has changed over the past decade. The forces impacting the business landscape — including geopolitics, emerging technology and financial uncertainty — have multiplied, morphed and intensified.
“We are living in heightened volatility,” says Shelly Lombard, a former Wall Street analyst who currently chairs the audit committees of the boards of Alpha Metallurgical Resources and Craft 1861/Nano Cures. “Boards need to be conscious of financial risks as well as technology risks like AI and cyber. Those were just not things keeping us up at night several years ago.”
The pace of change coupled with the emergence of hazards that were not a factor a decade ago have changed the way boards approach risk oversight, says Agnes Bundy Scanlan, a former bank regulator who now serves on the boards of R1, AppFolio Inc., Institutional Capital Network Inc. and Truist. “Efforts around risk management mitigation have increased one hundred-fold. That is certainly true for financial services, but that has trickled down to other industries that aren't so regulated. I'm chair of three board risk committees and a member of the risk committee of another board. In each, board members are more sophisticated at providing oversight to myriad risk challenges, including cybersecurity incidents and credit and liquidity risks stemming from the March 2023 bank failures.”
The dynamic nature of the risks facing business today requires directors to stay on top of emerging issues and to ensure they are bringing them into board discussions on a regular basis.
“If there's a topic that has been, let's say, on the front page of The Wall Street Journal that may or may not be something relative to the industry of the board that I'm on, I still ask the question, ‘How does this impact us?'” says Scanlan. “As board members, we have a responsibility to keep apprised of the industry, global and emerging issues and ask as many relevant questions as possible.”
And it is not enough to consider the unique risks each of these factors presents individually. Boards must also look at how they intersect and ripple across the business. This creates a new level of complexity that requires a holistic approach to risk oversight, argues Richstone.
“The approach of the board has dramatically changed. Today, there's a much broader and deeper understanding of risk. The best and brightest directors, and certainly every board I am familiar with, looks at risk as an integrated part of a whole. You can't talk about a topic and not think about risk. You have to always be thinking about the risk side of the equation.”
Defining Risk is Key
Risk monitoring starts with understanding and identifying what creates material risk to the business. Take the case of Blue Bell Creameries. In 2015, a listeria outbreak traced back to its products allegedly killed three people and sickened 10 more. The ensuing fallout sent revenues tumbling. It also resulted in a shareholder lawsuit that held the board had violated its Caremark duties by failing to provide adequate risk oversight of food safety. The case underscores how critical it is for boards to deeply understand the material and unique risks to the business and monitor accordingly. In Blue Bell's case, food safety was essential and mission-critical.
“One of the main jobs of a board is to understand what the risks are. And once you understand those risks, what are the ways that the company can manage and mitigate those risks?” says Maggie Wilderotter, who is chair of Docusign Inc. and serves on the boards of Costco Wholesale Corporation, Lyft Inc., Tanium Inc., Sonoma Biotherapeutics, Legends and Sana Biotechnology.
Even for risks that are more universal to every business — financial, cyber, talent or supply chain risk, for example — the likelihood, impact and form those risks take will still vary in critical ways depending on the industry, company size, complexity of operations and other key considerations.
“[The board] needs to know that there are different kinds of risks based upon industry, the type of company and the management team of that company, particularly how experienced they are,” says Wilderotter, who is a member of the Directors & Boards Editorial Advisory Board. “For example, when you're in a very competitive environment, there's a higher risk if you're not reacting fast to whatever's going on. So, it's up to boards to understand what the top risks are and what mitigations are in place. They should also be monitoring how the company is managing on a day-to-day basis.”
“First of all, there's got to be an assessment,” says Herman Bulls, who chairs the Fluence board and serves as a director of USAA, Comfort Systems USA, Host Hotels & Resorts LP and Collegis Education. “For example, when you do a financial investment, you should go through a comprehensive listing and understand both the internal factors — from staffing to supply chain issues — and the external factors that could impact the organization.”
In addition to the individual experience board members bring to the table, identifying all potential risks to the business requires two things: continuing education and a management team that understands the business and can serve as an advisor.
“As a director, I need to understand what the risks are,” says Lombard. “There should be somebody at the company who has thought about all these types of scenarios and how they would react and respond to those scenarios.”
She also suggests bringing in outside experts to help augment or fill gaps in the board and management's expertise.
“It's a great way to get relevant perspective, especially because the types of risks we look at vary so much from industry to industry.”
To monitor risk, boards must also have clearly defined risk appetites — namely, understanding and aligning with management on how much of a given risk the company is willing to tolerate in service to its growth strategy.
“Risk profile and risk appetite are two core items that management needs to evaluate in discussion with the board,” says Richstone. “You could have a low risk profile and therefore be willing to take on a higher risk appetite, or your risk appetite may increase as you think in terms of innovation or taking risks on a key M&A deal or investment into new technologies. A company needs to have a really full awareness of what their current profile is and what their risk appetite is as they look at current issues and think in terms of the strategy for the future.”
Key Tools and Processes
Once key risks have been identified and balanced against strategy and risk appetite, it is critical for the board to work with management to implement the right tools and processes to monitor those risks.
“The risk framework is important,” says Bulls. “That includes looking at the policies, procedures and practices that are integrated into the daily activities of the organization to identify, measure and respond to risk. Let's take culture as an example: You want to look at your complaints, you want to look at your exit interviews, you want to look at your absenteeism rate. There are all kinds of things that you can look at systemically to assess a potential risk, its likelihood and impact.”
Once the framework is in place, it is also critical to understand who “owns” each risk. “Are there real business owners from both a top-line and an integrated risk assessment and risk mitigation for whatever the business issue is?” says Richstone. “If there isn't, that's where the problem occurs.”
Richstone advocates integrating the risk discussion throughout the board meeting as opposed to relegating it to one bullet point on the agenda. “Whatever business topic we're on, whether it's strategy or M&A or performance, the topic of risk is integrated within the business topic. Then, at the end of the day, maybe we do review our risk dashboard, but the truth of the matter is, 90% of the items on there have already been discussed earlier in the day, only integrated with the business topics where they belong.”
In evaluating emerging and business model risk, Lombard is a proponent of “sensitivity analysis” financial modeling, which helps predict how variables would affect a specific part of the business under certain conditions. “I used to invest in distressed companies, and I have seen the impact that emerging trends and technology have had over time,” she says. “LinkedIn replaced business cards. Plant-based products replaced dairy products. Netflix and streaming services have replaced cable. So it's really important for companies to do much more to identify potential risks early and try to quantify the impact they may have on the business.”
Technology and trends change rapidly, but perhaps the best tool at the board's disposal is one that has stood the test of time: asking good questions to pressure-test the management team's understanding and assessment of risk.
“It's important for board members to trust but verify,” says Wilderotter. She recommends, for example, that directors ask what data is being used to assess decision-making. “Is the data just internal data, or are they also using external data to make sure that they're making the right decisions the right way?”
Scanlan agrees. “As board members, we have a responsibility to keep apprised of these trends and ask as many questions as possible. I was always taught that no question is silly. We're in a world where so much is at stake. It is critical to ensure that we're asking questions that hit upon the challenges the company may face — whether that's regulatorily, legally or from a risk perspective. That's our job. That's all part of oversight.”
Powerful tools, the latest dashboards and smart questions are important, but they can't compensate for a culture that does not support risk management. It is critical that mitigation of key risks is woven into the accountability metrics and evaluation of the senior team.
“You have to look at the culture of the organization,” says Bulls. “Transparent communication about risk is so important, because that's the way you get early detection and notification. It has to be exemplified by the CEO, the board and senior management to get inculcated throughout the organization. For example, I'm on the board of a mechanical contractor. We are so concerned about safety that all the top five officers have safety in their objectives. We want them thinking in everything they do, ‘How can this help prevent a serious injury or a loss of life?'”
Don't Underestimate the Role of Board Composition
The people sitting around the table matter. When boards lack diversity, it can lead to groupthink and blind spots, which in turn increases risk. Diverse perspectives and expertise increase the chances that the right questions and concerns get airtime. A board member with a background in talent can ask critical questions that help with attracting or keeping the right employees in a highly competitive environment and identifying culture risks. Board members with expertise in technology will ask critical questions about how systems and capabilities either enable or hamstring the strategy.
“You want to have different expertise that folks bring to the table, and you want them to have different styles and experiences that relate to what you do and how you do it as a company,” says Wilderotter. “So, I always believe that diversity of thought, experience, capabilities, race and gender are all important things for boards to have. I also like to have a mix of venture capitalists, private equity folks and big investors, but they must understand scale — how to grow it and how to manage it.”
Lombard points back to technology, specifically how it creates business model risk and thus creates the need for outside expertise on the board. “Take radio, for example. SiriusXM wasn't a force 20 years ago. Neither were podcasts or music on your phone. So, radio is going to trade at a very different multiple of earnings than it did 20 years ago. That has implications for your ability to raise debt. It has implications for your ability to issue stock. I think boards benefit from diverse viewpoints on the board rather than having a majority of directors who have been in the industry for a long time.”
The culture of the board is also a critical — and often overlooked — factor in effective risk mitigation. While the right composition matters, it works well only if those around the table feel that they can speak their minds and surface difficult issues, says Wilderotter.
“First and foremost, you want people to be courageous when you're dealing with risk and not be afraid to speak up. We don't always have to agree, but we want to put all the facts and ideas on the table. And then we can sort through them to make the right decisions. I think when people are comfortable with other people in a room, they'll actually say out loud, ‘Help me understand why you think we should do that.' The tone, the tenor, giving people the benefit of the doubt, trying to move conversation to the next level versus cutting conversation off are critical success factors for boards to do well. It's building those relationships and making sure that, if there's an elephant in the room, somebody's putting it on the table.”
How the board engages in dialogue around risk matters, precisely because every board member's input is critical to effective oversight. While a thoughtful committee structure can help divide up the work and focus risk monitoring in key areas, risk oversight is a full board sport, says Bulls.
“It is every board member's responsibility to think about risk and provide input from their unique perspective. Ultimately, everybody is on the risk committee.”