The Board’s Role in Risk Management

Risk management is currently a topic of considerable interest to public company boards. While taking measured and informed risks is an important element of any company’s strategy, the financial and economic crisis has led companies and boards to change their approaches to risk management. Moreover, given the events in the capital markets over the past year, institutional investors, regulators and the public are scrutinizing public company boards’ oversight of risk more closely.

Against this background, the Lead Director Network, a group of lead directors, presiding directors and non-executive chairmen from many of America’s leading companies created by King & Spalding and Tapestry Networks, met on July 8, 2009 to discuss the board’s role in risk management. Following this meeting, King & Spalding and Tapestry Networks have published the ViewPoints report here, to present highlights of the discussion that occurred at the meeting and to stimulate further consideration of this subject. The following provides highlights from the meeting, as described in the ViewPoints report.

Greater emphasis on strategic risk assessment. Members of the Lead Director Network generally see room for improvement in the way companies approach risk management. Directors noted that, while the Sarbanes-Oxley Act resulted in boards focusing on compliance and internal controls, the financial crisis is now requiring them to focus on identifying and mitigating broader strategic risks. Directors are thinking about risk in broader terms, moving beyond financial and accounting risks to considering factors that could threaten a company’s operations or business model. At the extreme, directors are seeking to identify and address “black-swan” risks, the seemingly improbable events that could threaten a company’s survival.

The lead director’s role. Lead directors and other board leaders can play a valuable role in the board’s oversight of risk management. While companies have been forming committees or subcommittees to focus on specific or unique risks, directors noted that, given the many types of risk that companies must address, it is essential for the risk oversight function to include active participation from all directors. Directors pointed to situations in which the contemplation of certain risks has essentially been “stuck in committee” — that is, certain risks were being addressed by board committees but not the full board. Lead directors can add value to the risk management process by ensuring that risk management is actively considered by the full board and that committees are used effectively, by acting as a conduit between the board and management and by facilitating open communication and robust debate.

Recommendations to improve risk management. Members of the Lead Director Network believe that directors can improve risk management in their companies as follows:

• Maintaining the right relationship with management. Directors observed that challenging management effectively is one of the most important attributes of a successful director. This trait was noted as being especially important with respect to the board’s oversight of risk management. Directors also emphasized, however, that having the wisdom to trust management in appropriate circumstances is equally important in successfully discharging this oversight function.

• Selectively engaging outside experts. There will be situations in which specialists can help address important risks. Directing management to engage outside advisors can help identify certain long-term and strategic risks that would otherwise be difficult to observe through management’s day-to-day operation of the business.

• Emphasizing cultural aspects of risk management. While management will usually be well-equipped to address technical and operational aspects of risk management, directors should consider how they can use their experiences and intuition to improve a company’s approach to risk management. Directors can also contribute to the company’s culture of risk management by elevating risk management so that it becomes a fixture in the boardroom (for example, by showing how they consider risk in the issues that they address).

Emerging boardroom best practices in risk oversight. Members of the Lead Director Network identified several emerging best practices in the area of risk management, including the following:

• Use of risk factors in Form 10-K: Boards have begun to use the risk factors in a Form 10-K as a template for a discussion of events that could negatively impact a company. Through such discussions, the board and management may develop additional risk factors for disclosure by the company.

• Individual, iterative conversations. Members are reporting more frequent communications between board members outside of scheduled board meetings, as well as ongoing discussions with management. Previously, discussions of risk management were typically limited to agenda items at scheduled board meetings.

• Determining how “seemingly innocuous” matters can become risks. Members have begun to think of the ways in which matters that are not currently deemed to involve significant risks can pose threats to the company at some point in the future.

• Listening to analysts. Members have cited the value of listening to earnings calls and reading analyst reports to understand how analysts think about a company’s risks.

Governance concerns. Members of the Lead Director Network expressed concern that proposed regulations could weaken boards at a time when strong boards are needed most. In particular, members believe that the SEC’s proposed “proxy access” rules and the elimination of broker discretionary voting in director elections could threaten to leave some companies with boards that are less effective.

Conclusion. Directors are continuously seeking to improve their companies’ approach to risk management. At the company level, directors are urging management to think beyond financial and analytic models and to contemplate broader and more varied types of risks, including “black-swan” risks, however unlikely they may seem. Lead directors can improve the oversight of risk management by ensuring that all directors are engaged in appropriate roles, facilitating open discussion between the board and management and creating a culture of effective risk management.