With the financial crisis focusing increasing attention on corporate risk oversight in general, the topic is top of mind for boards these days. Those grappling with the board's role in overseeing the company's risk exposure can take some tips gathered from other public company directors.

In a report published by The Conference Board, authors André Brodeur and Martin Pergler of management consulting firm McKinsey & Co. detail 10 best practices for risk oversight across all business sectors, gleaned from interviews with 20 corporate board members.

First, assign the responsibility of risk oversight to the full board and the burden of risk oversight to the right committee. Risk oversight has moved to the core of the board's fiduciary duties. As such, all directors need to be engaged and participate in discussions about managing specific risks, and ensure that the company's risk-management program is thorough and effective.

That being said, the bulk of the risk oversight work is allocated to a committee, usually the audit committee, though some boards assign it to the finance or risk committee, or split it among several committees, with each reporting on the risks within its scope (e.g., the compensation committee reports on compensation-related risk).

Second, consider the full breadth of material risks that can impact the company. The most effective boards cast a wide net and take a variety of "risk lenses" to look at the business (regulatory risk, stakeholder risk, country risk, demand risk, reputational risk, competitive risk, human resources risk, etc.). Some go further and look outside of their own organization to benchmark against a range of companies.

Third, push for a deep understanding of the key risks. Don't fall into the trap of skipping too quickly past the known "big risks" and looking to uncover new risks. Revisit the analysis of the company's familiar big risks, including consideration of the impact on competitors and the full value chain. The board should seek the required training, external advice, and tools, such as risk reports, it needs to fulfill its risk oversight responsibilities.

Fourth, have the right expertise. Besides specialists in the risk-management process, the board should include, or have access to, experts in the key risks the company faces who can get to the bottom of the issues and communicate their insights to their fellow directors.

Fifth, nurture a "healthy tension borne by diversity." Gather different perspectives on risk and reward, including those of staff and operations. For instance, the chief legal officer, who may be more sensitive to issues of compliance risk in day-to-day operations, has different worries than the chief operating officer. The same consideration applies to different board members with different backgrounds.

Sixth, engage the broad management team. It's critical for the board to interact with members of management about the risks they are managing and are therefore in the best position to understand. As one director put it, "The board needs to interact with management in an open manner, not just hear what has been rehearsed three times."

Seventh, embed risk discussions in all key board processes. While risk oversight is a responsibility of the board, risk taking permeates the whole business.

Risk should be considered for any major decision that the board evaluates, not as an afterthought. More and more boards are viewing risk oversight as a sub-item of the strategic planning agenda and other board agendas.

Eighth, avoid the "bureaucratic trap." Don't fall into the trap of relying too much on the risk-management process and not getting involved in the substance. The risk-management process needs to be embedded in the management of the business—not an overlay process owned by support staff.

Ninth, make risk management actionable. Board-level risk discussions should end with an action plan with owners assigned to each action, and the board should follow up on what's decided.

Finally, the board should take ownership of improving risk management in the organization. That includes both risk-related processes and overall organizational risk culture. Organizations that succeed in transforming their risk-management function usually do so through board insistence, or at least with energetic board support, according to the report.

The complete report, "Risk Oversight Practices: Insights from Corporate Directors," is available here.