Board Oversight of Strategic Risk

Strategic risk — which may be defined as the risk to the achievement of a company’s strategic plan — is at the forefront of any board’s agenda. While boards have always focused on the oversight of strategic risk, the recent financial and economic crisis has led companies and boards to refine, and in some cases change, their approaches to this function.

The Lead Director Network (the “LDN”), a group of lead directors, presiding directors and non-executive chairmen from many of America’s leading companies, met on April 3, 2012 to discuss board oversight of strategic risk. Following this meeting, King & Spalding and Tapestry Networks have published a ViewPoints report here to present highlights of the discussion that occurred at the meeting and to stimulate further consideration of this subject.

The following provides highlights from the LDN meeting, as described in the ViewPoints report.

1. Changes in risk oversight since the financial crisis

LDN members made the following observations regarding recent changes in the board’s risk oversight function:

• Both risk management and risk oversight have matured since 2009. The maturation and widespread adoption of enterprise risk management (ERM) systems have enabled boards to be more effective in discharging their risk oversight duties. The increased sophistication of ERM systems has improved board oversight of certain risks, such as accounting fraud and legal compliance, which has enabled boards to devote more time to strategic risks.
• Boards are more thoughtful about risk than ever before. Many LDN members noted that boards are approaching risk in a more thorough manner. Specifically, LDN members noted the following as evidence of this improvement: (1) boards frequently and systematically consider the coupling between corporate strategy and risk, (2) risk analysis has become less compartmentalized as companies have a better understanding of risk co-dependencies, (3) risk and strategy receive constant board attention, (4) boards are engaging in more vigorous discussions of risks, and (5) boards are actively seeking new directors with backgrounds and experiences tailored to a company’s needs and specific risk issues, which reduces the likelihood that a company will fail to spot or elevate a major risk.
• Perfect risk oversight is an illusory goal. Despite these recent improvements, directors acknowledged that boards will never achieve a perfect risk oversight model. While this reality does not limit a board’s risk oversight efforts, LDN members cautioned that it is just as hard for directors to plan for the “1,000-year flood” as it is for non-directors.

2. Common strategic risks companies face

LDN members discussed the following three types of risks that they believe have increased for most companies in recent years:

• Cybersecurity risk: The reputational damage associated with cybercrime incidents, along with the costs of investigation, litigation and remediation, have made cybersecurity one of the most significant risks that directly or indirectly impacts every company. Advisors that participated in the LDN meeting counseled directors to (1) assume that their company, whatever its size, has already been breached and (2) focus on detection and mitigation, which are just as important as improving safeguards.
• Key-person risk: Members noted that most companies have room to improve their succession planning and that the lead director may have a greater role in this area. Directors were of the view that succession planning should not focus solely on the CEO but should encompass all other critical roles within the company. Directors also discussed the risks associated with executive compensation and strategy, including the risk of reputational damage associated with “overpaying” top executives.
• Political and regulatory risk: Political risk is no longer limited to developing countries, as LDN members have become increasingly concerned about anti-business sentiment in the U.S. The effect of this anti-business sentiment has been further enhanced when coupled with aggressive regulators and divided government.

3. Emerging best practices for more expansive and imaginative risk oversight

LDN members discussed emerging best practices that boards are embracing to improve their risk oversight functions. Among other matters, directors recommended the following:

• Lead by example: Thinking “outside-the-box” should start with the lead director. Lead directors should regularly ask themselves whether they are thinking broadly enough, whether they are being objective, and whether there are topics that were not discussed by the board that need to be addressed. Some lead directors reported that they attend each board committee meeting, which they believe improves risk oversight by helping directors “connect the dots”.
• Creatively assign risk ownership: The audit committee should not automatically be assigned every difficult risk. LDN members recommended assigning every risk an “individual champion” on the board and working with committee chairs to assign all identified risks to committees. Regardless of how the risks are assigned, the lead director should work to ensure that all of the company’s risks are appropriately mapped.
• Play devil’s advocate: King & Spalding partner Chris Wray suggested using a tactic employed by the security intelligence community whereby an issue would be evaluated by assuming that everything a board or person knew about an issue was wrong. Considering an issue in these terms can provide startling conclusions, which can improve the risk oversight process by revealing risks and remediation opportunities that may not have been considered previously.
• Get new voices into the boardroom: LDN members recommended diversifying the board to address gaps in board knowledge. Although this diversification may require boards to loosen traditional seniority and experience requirements, adding new voices in the boardroom from time to time is one of the most potent tools to combat “groupthink.”
• Dive more deeply: Members discussed the importance of spending time in key operational hubs and having discussions with the right groups of executives. It may be important for visiting directors to have complete access to facilities, without a management chaperone.

Additional information regarding the Lead Director Network may be found on the websites of Tapestry Networks and King & Spalding.