The board’s role in risk oversight is ever-expanding. Ten years ago, issues like cybersecurity, data privacy or sexual harassment were infrequently discussed at the board level. Today, these issues dominate board agendas given the material risk they pose to corporations and their financial longevity.
Risk oversight has long been a function of the board of directors. The last decade, however, has seen a significant uptick in stakeholder interest and involvement: regulators have taken an active role in increasing transparency and monitoring risk throughout corporate financial systems. Institutional investors are pressing boards to think less mechanically and more holistically about the risks that may threaten long-term value creation. Even customers and employees are pressing companies to consider the impact of their actions on the communities in which they operate and society at large. Board risk oversight has grown increasingly complex—and it’s now a spectator sport.
Effective board risk oversight will look slightly different for each board, but there are a few best practices that can be followed:
Identify the company’s key drivers of success: An intimate knowledge of the company’s business model is key to effective board risk oversight. Understanding what underpins the success of the company is the first step to protecting the organization’s most valuable systems and assets. By deconstructing the business-model drivers, boards and management teams can begin to recognize the inherent risks and identify potential disruptors, both internal and external. This awareness is foundational to the board’s role in effective risk oversight.
Establish Key Risk Indicators (KRIs): Through this process, the board should agree on a set of key risk indicators or KRIs (i.e., metrics designed to raise red flags when key risks may be materializing). For example, if the company culture has been identified as a driving force in the organization’s success, the board may use metrics around employee turnover or whistleblower complaints to indicate a crack in the culture before it becomes a flood.
Anticipate (and encourage) disruption: Thinking about risk only in a “present day” vacuum is misguided. This is where discussions of risk and strategy are nearly inseparable, but also where the board can add 30,000-foot value to management’s day-to-day operations. Keeping a competitive eye on the market, today’s board must also consider the risks of not innovating fast enough. Boards must set the right tone in their interactions with management—one that encourages this type of disruptive thinking from both sides, but always keeps an eye on the inherent risks. Diligent’s new book Governing in the Digital Age explores at length the board’s role in risk oversight amid today’s digital landscape.
Assess the best structure for your board: The full board has the responsibility for risk oversight; yet, board committees typically play an important role in the process. The audit committee has traditionally spearheaded the board’s risk oversight function; yet, many boards explore different committee structures to ensure that risk gets the attention it needs in today’s boardrooms. Risk committees, while still the minority, are becoming a more common method for governance. Increasingly, boards are even creating committees around specific types of risk (e.g., cyber risk committee, technology risk committee). Each board should assess its own needs based on the company, industry, business model, existing committee structure, etc.
Get the right data: What data do boards need to oversee risk effectively? Board members must have visibility into the organization, across the competitive landscape, and into the future. Diligent Governance Intel is one such tool that enhances external visibility by monitoring peer group activity and company reputation across media outlets around the globe. In addition, Diligent Insights, a free offering in the Diligent software, equips board members with industry-leading articles, videos, and thought leadership to improve visibility into the future.