A majority of articles here on the blog focus on the process of enterprise risk management (ERM) for anyone involved in their organization’s strategy-setting and day-to-day operations.
While learning about processes like risk identification, assessment, and reporting is important, there are other risk-related activities in the organization that are equally important, namely the oversight of risk by the organization’s Board of Directors.
Risk oversight has become increasingly important following passage of the Sarbanes-Oxley Act in 2002 and, more significantly, the 2008/09 financial crisis. Examples include:
- Corporate governance rules at the New York Stock Exchange require, at minimum, that risk oversight be a part of the board audit committee.
- Legislation passed after the 2008/09 financial crisis (commonly known as Dodd-Frank) requires large financial institutions to have a formal board-level risk committee. According to the 2019 State of Risk Oversight report from NC State, 76% of financial services organizations have a formal board-level risk committee. Check out this example of a risk oversight committee charter for E*Trade.
- An organization’s risk control process is one of four major risk-related criteria Standard & Poor’s evaluates before assigning a credit rating.
Although rules like these only apply to publicly-traded or financial companies, the expectation that the Board take an active role in risk oversight is filtering down to all types of organizations, even non-profits.
Two scenarios that illustrate the importance of risk oversight by the board
I think the best way to demonstrate the importance of good risk oversight is with a couple of examples.
First, the good – Morgan Stanley
Former Managing Director Garth Peterson pleaded guilty in 2012 to evading the internal accounting controls Morgan Stanley was required to maintain under the Foreign Corrupt Practices Act (FCPA). More specifically, Peterson encouraged Morgan Stanley to sell its interest in a Shanghai building to what he presented as a Chinese state-owned entity. He falsely claimed that the shell company purchasing the real estate was controlled by a state-owned enterprise (Yongye) when in fact the firm was controlled by him, a Chinese public official, and a Canadian attorney.
Morgan Stanley sold its interest to the shell company at a discount, and as a result, Peterson and his co-conspirators realized a $2.5 million profit, at least on paper.
Former Assistant Director for the FBI’s New York Field Office, Janice Fedarcyk, explains:
“The defendant engaged in a pattern of self-dealing and deception that perpetuated his unjust enrichment. He not only circumvented his employer’s internal controls; he violated the law.”
Although Peterson was sentenced to 9 months in prison for his involvement in the conspiracy, no charges were brought against Morgan Stanley because of its robust internal controls, training and risk oversight.
Employees were trained continually on these internal controls and the relevant anti-corruption laws. According to Morgan Stanley, Peterson himself received training on 7 separate occasions and was reminded of his obligation to comply with the FCPA at least 35 times.
Following Peterson’s sentencing, Morgan Stanley spokesman Matt Burkhard said:
“Mr. Peterson’s intentional circumvention of Morgan Stanley’s internal controls was a deliberate and egregious violation of our values and policies.”
Now, the bad – Wendy’s
Many locations of the iconic fast food chain are actually operated by franchisees throughout the U.S. Starting in late 2015, over 1,000 locations were affected by a payment card breach that originated with a third-party payment services provider.
Wendy’s initially claimed the breach affected only 5% of its locations but later revealed the scope was much larger. The company attributed the breach to malware that was installed on point-of-sale systems using compromised credentials belonging to the vendor.
Outsourcing the management and upkeep of payment systems to third-party providers is pretty common.
However, due to lax risk oversight of its third-party vendors, Wendy’s became the subject of two class-action lawsuits, one from individual customers affected by the breach and the other from financial institutions. Wendy’s settled the two lawsuits in mid-2018 and early 2019 respectively for significant sums.
One credit union involved in the lawsuit explained that had Wendy’s exercised better oversight, the breach could have been prevented, or at least its effects could have been reduced. The CEO of the National Association of Federal Credit Unions explained that member institutions suffered far greater losses than they did from the breaches affecting Target and Home Depot.
The impact of this breach on Wendy’s will be felt far beyond the money the company agreed to pay out in its settlements. Although no criminal charges were brought forward, the company will have to overcome damage to its reputation.
And while the breach technically originated from a third-party provider, this story brings to mind an important axiom that I’m always reminding my team and clients about, and that is:
Both of these situations show the necessity of good risk oversight by the Board. Things can go wrong regardless of how many controls are put in place. However, as the Morgan Stanley example shows, good oversight can help shield the organization from criminal charges, lawsuits, and reputational damage when they do.
How Boards can ensure they fulfill their risk oversight responsibilities
Regulations and other professional standards are placing more risk oversight requirements on Boards, and even where those rules do not apply, it is becoming an expectation across the board (…no pun intended). As the two scenarios above show, Boards can no longer say they were not aware. Why? Because if they say that, they will be asked, “Why didn’t you know?! It is your responsibility as a board member to know.”
The following are a few points for ensuring robust risk oversight by the Board:
- Boards should include individuals from diverse backgrounds, skills, and ideas.
- Board members should be candid and transparent in expressing their opinions and ideas. They should challenge management’s assumptions so that blind spots don’t get missed. Some questions the board could ask include:
  - How do we know we are identifying the right risks?
  - When something changes, how are we incorporating risk into our reactions to those changes?
  - What different scenarios exist? Which is more likely to happen, and which is more acceptable?
- Ideally, a separate Board-level risk committee should be established that works closely with the audit committee.
- On an enterprise level, the Board needs to foster a risk culture that encourages communication. Executives and even mid-managers and employees need to feel like they can bring their concerns forward without fear of rejection or censure.
- Work closely with management to determine not just the type of risk information the Board requires, but the best format for it as well.
- Avoid the tendency to drift from a risk oversight role into a risk management role. Executives and business units are ultimately responsible for managing the risks.
As the Morgan Stanley and Wendy’s scenarios show, you can’t put a price on good risk oversight by the Board.
Also, you may have noticed that this article only scratches the surface of risk oversight. Additional considerations for board oversight of strategic risks and opportunities will be discussed in a future article.
How engaged is your company’s board in risk oversight?
I’m interested to hear your perspective on this important topic. Feel free to leave a comment below or join the conversation on LinkedIn.
And if you are struggling to help your Board develop the best process for fulfilling its risk oversight responsibilities, please don’t hesitate to contact me to discuss your specific situation.