A series of events, starting with the 2008 financial crisis and continuing through recent major data breaches and defective-part recalls, is prompting many companies' boards to take a more active role in overseeing risk management, a strategy that can benefit the organization and the risk manager.
“I think (boards) are definitely becoming more involved,” said John R. Phelps, director of business risk solutions at Jacksonville, Florida-based Blue Cross and Blue Shield of Florida Inc. “A lot of the headlines today about the problems companies are having are drawing a lot more attention to managing the risks from a board level.”
Among recent examples was a major proxy adviser's May recommendation that shareholders vote out seven Target Corp. directors, blaming their lack of adequate risk oversight for last year's data breach affecting 40 million payment cards.
Another is the June decision by General Motors Co.'s board to form an operational risk committee following its defective ignition switch crisis.
In addition, U.S. Securities and Exchange Commission Commissioner Luis A. Aguilar in June called on boards to be more involved in managing cyber risks and to be more adaptable to changing risks.
The recent issues driving greater board interest in risk management add to the increased legislative and regulatory fallout from the 2008 financial crisis.
“After the financial crisis, there were questions about what role boards were actually playing when things became very challenging,” said Rupak Mazumdar, director of enterprise risk management at food processing and distribution firm George Weston Ltd. in Toronto. “Certainly, risk management's also an important part of strategic planning, so more boards are getting active in that.”
“The boards are being held more accountable,” said Carol A. Fox, director of the strategic and enterprise risk practice at the Risk & Insurance Management Society Inc. in New York. Risk management is “seen more as a strategic function rather than the traditional view of it as a tactical function,” she said.
Frank Fiorille, senior director of risk management at Paychex Inc. in Rochester, New York, said the payroll and benefits administrator has been very successful at looking at risk strategically, helping the business grow and drawing more board and senior management attention to risk management.
“Here at Paychex, that has a lot of interest,” Mr. Fiorille said. “That's something I make sure is on my agenda every time I go before them.”
While risk management and enterprise risk management historically got little board attention, “now risk management is on the agenda at board meetings and it's on the agenda more than once a year, which is extremely favorable,” said John Bugalla, managing principal at consultant ermInsights in Indianapolis.
Effective board oversight of risk management helps organizations achieve strategic success and increases their resilience, Ms. Fox said.
Achieving a high-quality risk dialogue with the CEO and board allows companies to “be adaptive and agile” in adjusting their strategies when marketplace disruption occurs, said James W. DeLoach, managing director at consultant Protiviti Inc. in Houston.
“The leaders in risk management tend to be high-performing companies,” Mr. Bugalla said. “The tone really needs to be set at the top and come down from the top.”
Corey Gooch, senior enterprise risk management consultant at Towers Watson & Co. in Chicago, said more boards are going beyond regulatory compliance.
“That's where we're seeing some more advanced companies and engaged companies going in enterprise risk management — away from just compliance,” he said.
And when the board sees tangible benefits for the company, it helps improve the perception of risk management and the risk manager, Mr. Fiorille said. “When you can help companies grow and contribute directly to revenue generation and sales, that can't help but enhance your overall perception within the company,” he said. “It also helps other folks think of you as a true partner.”
The risk management operation also can benefit from board members' expertise and perspective, said Mr. Mazumdar.
For the board to provide effective risk management oversight, however, it needs appropriate support.
“In order to make the information that comes from a strategic risk manager consumable by the board and be useful, it has to be in a form and fashion that they're used to” and presented in the context of the business, the Florida Blues' Mr. Phelps said. The board also needs a repeatable process to evaluate risks, he said.
“We provide all the information and reporting. We facilitate a lot of the dialogue and discussion,” Mr. Mazumdar said of the relationship between risk managers and boards that exercise effective risk oversight.
Mr. DeLoach said it's essential that the risk manager work closely with the CEO to focus the board's attention on the organization's critical enterprise risks and emerging risks. “If the board buys that, then the lion's share of the oversight process will really be devoted to the critical enterprise risks and the emerging risks,” he said.