Board Oversight of Long-Term Value Creation and Preservation

Tim J. Leech is managing director at Risk Oversight Solutions Inc. This post is based on a publication from The Conference Board, authored by Mr. Leech.

Stakeholders increasingly expect boards of directors to do more to oversee the organizations they direct. Some of these expectations are spelled out in laws and regulations—the Sarbanes-Oxley, Dodd-Frank, Foreign Corrupt Practices and Anti-Money Laundering acts—and stock exchange listing standards, to name just a few. Regulatory-driven board risk oversight expectations, by design, have focused on protecting the public and on entity value preservation. The newest board risk oversight expectations, perhaps the most important to date, are being elevated by institutional investors representing billions of current and future pensioners and controlling trillions of dollars of investments. These highly influential investors are calling on CEOs and boards to spend more time and effort directing and overseeing long-term value creation. Boards, in turn, are asking CEOs to provide long-term value creation strategies, together with their assessment of risks to those objectives. The next logical step is for boards to ask for assurances from internal audit departments and enterprise risk management (ERM) specialists that the risk information they get from management, linked to top value creation and value preservation objectives, is reliable.

This post analyzes these developments and proposes “objective centric ERM and internal audit” as the best way forward for public companies and their boards. It is based on a paper published in the Spring 2017 edition of Ethical Boardroom titled Focusing ERM and Internal Audit on What Really Matters: Long-Term Value Creation and Preservation.


Institutional investors who control trillions of dollars of investor funds are calling on CEOs to focus on long-term value creation and strategy and boards of directors to oversee that process.

This post focuses on an important question linked to these developments: Are boards receiving reliable information they need to meet investor expectations on their company’s long-term value creation and preservation objectives and, perhaps more importantly, risks that threaten their achievement?

The author believes that current risk management and internal audit methods and processes are ill-equipped to meet these new expectations.

He proposes a new approach—objective centric ERM and internal audit—as the way forward.

Regulator-Driven Codification of Board Risk Oversight Expectations

Regulators around the world have been increasingly codifying board risk oversight expectations into new laws and regulations. The Sarbanes-Oxley Act (SOX), enacted in 2002, was pivotal and is one of the highest-cost illustrations of the trend. A progress report drawn from the 2012 Spencer Stuart Board Index on the 10-year anniversary of SOX summarizes its impact:

Although Sarbanes-Oxley did not expressly address board composition, increasing the independence of public company boards was a primary objective of the legislation. Listing requirements established by the New York Stock Exchange and NASDAQ at the time established definitions for independent directors and required that independent directors make up a majority of a listed company’s board of directors.

  • The percentage of independent directors on S&P 500 boards has increased from 79 percent in 2002 to 84 percent in 2012.
  • In 2002, the CEO was the only non-independent director on 31 percent of S&P 500 boards compared with 59 percent of boards today. [1]

In 2010 following the 2008 global financial crisis, the SEC enacted new proxy disclosure rules:

The final rules also require companies to describe the board’s role in the oversight of risk. We were persuaded by commenters who noted that risk oversight is a key competence of the board, and that additional disclosures would improve investor and shareholder understanding of the role of the board in the organization’s risk management practices. [2]

Apparently, the SEC had not seen board risk oversight as a key competence of boards before this decision or the need for investors to assess those competencies when making investment decisions.

The UK has taken what are likely the most strident steps in the world to require public disclosures on what UK-listed public company boards are doing to oversee risk. They go significantly further than the tentative and reactionary U.S. proxy disclosure rules enacted in 2010. The UK Corporate Governance Code, using a “comply-or-explain” approach, stipulates the following:

C.2: Risk Management and Internal Control


The board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.

Code Provisions C.2.1. The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated.

C.2.2. Taking account of the company’s current position and principal risks, the directors should explain in the annual report how they have assessed the prospects of the company, over what period they have done so and why they consider that period to be appropriate. The directors should state whether they have a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment, drawing attention to any qualifications or assumptions as necessary.

C.2.3. The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls. [3]

Martin Lipton, partner at Wachtell, Lipton, Rosen & Katz, succinctly summarized the evolution of the law in the area of board risk oversight in a 2017 post on the Forum:

Both the law and practicality continue to support the proposition that the board cannot and should not be involved in actual day-to-day risk management. Directors should instead, through their risk oversight role, satisfy themselves that the risk management policies and procedures designed and implemented by the company’s senior executives and risk managers are consistent with the company’s strategy and risk appetite; that these policies and procedures are functioning as directed; and that necessary steps are taken to foster an enterprise-wide culture that supports appropriate risk awareness, behaviors and judgments about risk and recognizes and appropriately escalates and addresses risk-taking beyond the company’s determined risk appetite. The board should be aware of the type and magnitude of the company’s principal risks and should require that the CEO and the senior executives are fully engaged in risk management. Through its oversight role, the board can send a message to management and employees that comprehensive risk management is not an impediment to the conduct of business nor a mere supplement to a firm’s overall compliance program. Instead, it is an integral component of strategy, culture and business operations. [4]

Investor-Driven Board Risk Oversight Expectations—Long-Term Value Creation and Preservation

Although all of the regulatory developments above could be interpreted as calling on boards to oversee risks to all types of corporate objectives, including long-term value creation, we believe it is fair to say that many companies have interpreted these developments to mean oversight of objectives with the potential to significantly erode shareholder value, such as unreliable financial disclosures, violations of high-impact laws like anti-money laundering legislation and the Foreign Corrupt Practices Act, cybersecurity, business interruptions and others. Most recently, however, the expectations of institutional stakeholders have taken a new direction, driven by what are increasingly termed “activist investors”, or sometimes, less charitably by management, “dissidents”. Boards are now expected to direct and oversee the strategies their companies are developing and deploying to create and maintain long-term value—or risk the wrath and actions of investors controlling trillions of dollars.

A February 1, 2016 letter from Larry Fink, CEO of BlackRock—the largest money manager in the world, with over $5.1 trillion in assets under management—to thousands of CEOs of the biggest companies in the world is a good proxy for the movement. [5]

We are asking that every CEO lay out for shareholders each year a strategic framework for long-term value creation. Additionally, because boards have a critical role to play in strategic planning, we believe CEOs should explicitly affirm that their boards have reviewed these plans. BlackRock’s corporate governance team, in their engagement with companies, will be looking for this framework and board review.

Fink goes on to add a stern caution and then a caveat:

Those activists who focus on long-term value creation sometimes do offer better strategies than management. In those cases, BlackRock’s corporate governance team will support activist plans. During the 2015 proxy season, in the 18 largest U.S. proxy contests (as measured by market cap), BlackRock voted with activists 39% of the time. We recognize that the culture of short-term results is not something that can be solved by CEOs and their boards alone. Investors, the media, and public officials all have a role to play.

The recent launch in February 2017 of the Investor Stewardship Group (ISG), representing more than $17 trillion of assets, is expected to add fuel to this movement. The release of the 2016 Principles of Corporate Governance by the Business Roundtable, with CEO signatories from U.S. investment companies with over $7 trillion in annual revenue, laid a solid foundation for the formation of the ISG. The International Corporate Governance Network (ICGN), a global not-for-profit representing companies with assets under management totalling over $26 trillion, calls on investors to start by focusing their attention on the boards of investee companies:

The risk oversight process begins with the board. The unitary or supervisory board has an overarching responsibility for deciding the company’s strategy and business model and understanding and agreeing on the level of risk that goes with it. The board has the task of overseeing management’s implementation of strategic and operational risk management. [6]

On the long-term value preservation front, Institutional Shareholder Services (ISS), the leading proxy advisory firm, has laid out its position quite clearly:

ISS will recommend voting “against” or “withhold” in director elections, even in uncontested elections, when the company has experienced certain extraordinary circumstances, including material failures of risk oversight. In 2012, ISS clarified that such failures of risk oversight will include bribery, large or serial fines or sanctions from regulatory bodies and significant adverse legal judgments or settlements. [7]

The author believes that the combination of regulatory-driven board risk oversight expectations and the new long-term value creation focus of institutional investors indicates that stakeholders increasingly expect boards to oversee objectives key to long-term value creation, as well as the prevention of material erosion of entity value. The long-awaited update to the 2004 COSO Enterprise Risk Management (ERM) guidance, scheduled for summer 2017, is expected to affirm and reinforce this dual focus.

Need for Reliable Risk Status Information on Value Creation and Preservation Objectives

It is clear that key institutional investors and regulators are increasingly focused on evaluating the role that boards play in overseeing their company’s top value creation and value preservation objectives. Boards are now expected to take steps to ensure that CEOs provide persuasive strategic long-term value creation plans, while at the same time demonstrating that top value preservation objectives, such as producing reliable financial statements, ensuring the viability of the enterprise against ever-increasing cybersecurity attacks, complying with high-impact laws, and the like, are also getting the attention they require.

Boards generally have the composite expertise to evaluate the value creation strategies and related objectives being presented by CEOs. Whether boards will heed the calls of influential fund managers like BlackRock, increase their focus on long-term value creation and forgo the temptations of catering to short-term results will be heavily dependent on the commitment of the groundswell of institutional investors calling for change.

What has not been given the attention it deserves to date is a key question:

Are boards receiving the reliable information they need to meet investor expectations on their company’s long-term value creation and preservation objectives and, perhaps more importantly, the risks that threaten their achievement?

Available evidence from independent sources, including Larry Fink at BlackRock and other institutional investors, suggests the answer to this question for many public companies and their boards is “not enough and not often enough.”

A respected annual global risk oversight study sponsored by the American Institute of Certified Public Accountants (AICPA) and North Carolina State University’s Poole College of Management reported for the eighth time in March 2017. [8] Key findings of the 2017 report are summarized below:

The survey information reproduced below suggests companies are starting to recognize that highly influential shareholders are calling for major changes in their planning and oversight practices, but for many public companies there is considerable work yet to be done if they want to move beyond “window dressing” responses to these demands.

Barriers to Boards That Want More and Better Information on Risks to Top Value Creation and Preservation Objectives

The author believes that the lack of real integration between strategic planning processes and enterprise risk management is a major impediment to responding to what major institutional investors say they want—more focus on long-term value creation and preservation objectives and risks that could impact them. Correcting this misalignment will require overcoming major barriers. These barriers include:

CEO and Board Acceptance of Investor/Shareholder Focus on Long-Term Value Creation—The developments described at the beginning of this post, outlining the elevated importance of long-term value creation and preservation being called for by Fink and hundreds of the world’s largest institutional investors, are relatively new. Attitudes and reward systems are the product of decades of evolution and events. Radical change doesn’t occur overnight. There are more than a few cynics/realists who believe that, when it really counts, boards and CEOs will sacrifice the long-term future of their companies when ignoring the longer term will, or may, negatively impact short-term results and their rewards. It is likely that many board members will withhold full support for a strong bias to long-term value creation until there is overwhelming evidence that, on balance, focusing on the long term is the rational thing to do. Since risk is defined internationally as the “effect of uncertainty on objectives”, [9] without management proposing specific objectives with a focus on long-term value creation and preservation there is no need for boards to obtain information on the risks to those objectives.

Misaligned Reward Systems—The age-old adage “what gets measured gets done” is likely the biggest single barrier to increased focus on long-term value creation and preservation. Reward systems for C-suite executives and boards that put heavy focus on short-term results cause rational people to focus on achieving short-term results, sometimes to the detriment of both long-term value creation and value preservation objectives (e.g. Wells Fargo, Kodak, Target, Blackberry, etc.). Activist investors are steadily increasing their focus on long-term value creation and on how CEOs and their direct reports are remunerated. The last chart in the previous section indicates that, at least to date, many companies have still not linked their executive compensation systems to the objective of ensuring boards receive reliable information on the true state of risks linked to top value creation and preservation objectives.

An important dimension that has not yet received much attention is the role that Chief Risk Officers (CROs) and Chief Audit Executives (CAEs) should play, but often have not, in ensuring that boards are getting reliable information on the risks that threaten the achievement of top strategic objectives. CAEs in many companies have been measured and rewarded on execution of their audit plans and their “audit universe”—not on ensuring the board is receiving reliable information on the true state of risk to top value creation and preservation objectives. A global study done by the Institute of Internal Auditors [10] suggests that there is a growing recognition that internal auditors should play a much greater role in the area of strategic risk than has been the case in the majority of companies. Two excerpts from that IIA study are shown below:

Available data would also appear to support the view that many CROs have not, in the past, played significant roles in reporting to their board on the effectiveness of risk management assessments linked to their company’s top strategic long-term value creation plans. The data drawn from the March 2017 AICPA risk oversight survey cited earlier (see chart on page 6) indicates that a lot of work, and changes to accountabilities and reward systems, need to be done if boards are to receive more reliable information on risks linked to their organization’s long-term strategic plan.

Paradigm Paralysis in ERM and Internal Audit—In many companies ERM specialists have focused on creating and maintaining “risk registers”, or less charitably “risk lists”, compiled from annual or semi-annual workshops and interviews asking “what could go wrong?” or “what keeps you awake at night?” The focus has not been on helping senior executives complete formal risk assessments on top value creation and preservation objectives. Internal auditors have focused on developing “internal audit universes”, planning and reporting point-in-time audits on a small percentage of the total risk universe, and reporting subjective opinions on “internal control effectiveness” to boards. This approach provides boards with little input from internal audit on how reliably risks to the company’s top strategic value creation objectives have been identified and assessed by management and reported to the board.

Skill & Capability Gaps in Key Players—Many companies have struggled with defining and communicating strategic value creation objectives. It is often far easier to be a custodian than a designer. Seeing the future and defining how to exploit it is not an easy task. CEOs and boards must bring all their collective skills to outperform competitors on this dimension. In terms of support for the process of developing long-term value creation objectives—although there is little or no empirical data available to draw on—it is likely that many executives who lead their company’s strategic planning processes lack deep risk management/risk assessment expertise. The 2017 AICPA/NCSU risk oversight survey reported the following:

“Most organizations (59%) have not provided or only minimally provided training and guidance on risk management in the past two years for senior executives or key business unit leaders. This is slightly lower for the largest organizations (46%), public companies (43%), and financial services (41%). Thus, while improvements have been made in the manner in which organizations oversee their enterprise-wide risks, the lack of robustness in general may be due to a lack of understanding of the key components of an effective enterprise-wide approach to risk oversight that some basic training and education might provide.” [11]

On the assurance front, data available indicates that only a small minority of internal audit departments have provided positive assurance to boards on the quality of the risk management processes linked to their company’s strategic planning processes. Findings from a 2016 Deloitte survey of Chief Audit Executives [12] shown below are indicative of the current internal audit capability gap.

  • CAEs recognize the need for change. The status quo is not an option when 85 percent of CAEs expect their organization to change moderately to significantly in the next three to five years, and nearly as many (79 percent) expect similar change in internal audit. The survey also found that most CAEs believe that management and the audit committee will expect internal audit to step up to meet new challenges.
  • Internal audit needs more impact and influence. Only 28 percent of CAEs believe that their functions have strong impact and influence within the organization. A disturbing 16 percent noted that internal audit has little to no impact and influence. Meanwhile, almost two-thirds believe that internal audit strength in these areas will be important in the coming years. This disconnect—between current and needed impact and influence—must be addressed, for the good of internal audit and the organization.
  • Gaps in skills must be addressed. More than half of CAEs (57 percent) are not convinced that their teams have the skills and expertise needed to deliver on stakeholders’ current expectations—let alone future demands. If internal audit can’t fulfill stakeholder expectations, how can it exert influence and have an impact on the organization?

In terms of support from CROs and their staff, many of the ERM groups that have been created were put in place to meet regulatory requirements, not to assist the company’s top executives to define and execute on their company’s long-term value creation strategic plan. It is not surprising that many CROs don’t appear to participate in a material way in the strategic planning process.

The Way Forward—Objective Centric ERM and Internal Audit

Given that it is highly likely that institutional investors will increase, not lessen, their demands on companies and CEOs to clearly explain their long-term value creation strategy and the process used to identify and assess risks to the supporting objectives, the author believes major changes to the way the majority of companies define and oversee the risks to their top value creation and preservation objectives are required. The job of developing and refining top value creation objectives clearly lies with CEOs, their direct reports, and their boards. CEOs and boards will also need a framework that provides them with assurance that the processes in place that should identify and assess material risks that threaten the achievement of long-term value creation objectives are sound, and are likely to produce reliable information for C-suite and board decision making and resource allocations. Although it represents a radical departure from the approach used in many companies today, the author believes what is required is Objective Centric ERM and Internal Audit (OCERMIA) strategic planning and risk oversight. The key elements of an OCERMIA framework are described below.

  1. The process senior management uses to define and document the organization’s top current and proposed value creation and preservation objectives, including objectives that form core elements of the company’s long-term value creation strategy, should be transparent and overseen by the company’s board of directors. The company’s top long-term value creation and value preservation objectives should be documented in an entity Objectives Register.
  2. Each objective that the CEO and board have included in the Objectives Register because it is deemed important/dangerous enough to warrant the cost of formal risk assessment and board oversight should be assigned an Owner/Sponsor. That person should be responsible for identifying and assessing risks to the objective and reporting upwards to the board on the true state of residual risk linked to it.
  3. The company’s CEO or his/her designate should be assigned responsibility for providing the board with regular reports on the evolution of the company’s top value creation and preservation objectives and the current state of residual risk linked to those objectives.
  4. Management personnel, particularly those that are assigned Owner/Sponsor status, need to be provided with sufficient training to prepare reliable risk assessments on the organization’s top value creation and preservation objectives.
  5. Enterprise risk specialist groups, in companies that have them, should be assigned responsibility for helping the company build and maintain its Objectives Register; helping the Owner/Sponsors assigned to those objectives complete risk assessments; and facilitating reporting upwards to the board of directors on residual/retained risk status linked to top objectives. Boards should hold ERM specialist groups responsible for providing regular reports on the reliability and maturity of the process used to report to them on the true state of residual risk linked to the organization’s top value creation and preservation objectives.
  6. Internal audit should be assigned formal responsibility for providing independent reports on the reliability of the company’s enterprise risk management process and the consolidated report provided to the board of directors on the state of residual risk linked to top value creation and preservation objectives.

The core steps required to implement OCERMIA are shown below. The risk assessment process the author recommends for each objective is included as Appendix A.

Long-term value creation and preservation—will it be accepted as a key imperative?

Remuneration systems and risk governance systems in place today are the product of decades of evolution. Change, particularly radical change, is unlikely to come quickly in the majority of public companies unless institutional investors significantly elevate their calls for change and, perhaps even more importantly, consequences for companies that don’t heed their calls for change. Proactive companies and their CEOs will evolve faster to better meet what current and prospective investors want than more reactive companies. In many ways, the key question is:

Is the type of change called for in Larry Fink’s letter to CEOs referenced in the opening of this post—a focus on long-term value creation with board oversight of those objectives and related risks—going to be the new public corporate reality? Or will it be just another “sound bite” that sounds good but can’t compete with the way senior executives and boards are really rewarded?


The Business Case for Objective Centric ERM and Internal Audit

The author recognizes that what he is recommending represents a radical shift from the strategic planning and risk oversight processes in place in most public companies today. The main benefits are summarized below.

  1. Expectations of highly influential and important current and prospective investors and regulators calling on companies and their boards to increase the focus on long-term value creation and preservation will be better met. This should, in turn, lead to higher share prices, all other things being equal.
  2. The importance and need to clearly define and articulate the company’s long-term value creation strategy is elevated, and a simple process is put in place to document top value creation and preservation objectives and complete reliable risk assessments for presentation to the board of directors, a step increasingly expected by key institutional investors.
  3. The process calls for appointment of an “Owner/Sponsor” to take primary responsibility for coordinating and reporting the results of risk assessments on each objective that senior management and the board believe warrants the cost of formal risk assessment. This will make it clear that senior executives charged with responsibility for reporting on top value creation and preservation objectives are also expected to have the necessary skills to identify, assess, manage and report on the top risks to those objectives.
  4. The role of risk specialists and internal audit (often referred to as the second and third line of defense) is clear and integrated:
    • ERM specialists are charged with helping senior management define, refine, risk assess and continually monitor progress and the risk status of objectives most important to the company’s long-term success.
    • Internal audit is responsible for reporting to the CEO and board on the process and reliability of the risk status information linked to top value creation and preservation objectives being reported to the board of directors.
  5. The process is consistent with best practice frameworks being proposed by highly influential groups, including the Financial Stability Board in their Principles for Effective Risk Appetite Frameworks [13] guidance. It is also expected to be directionally aligned with the 2017 COSO ERM framework and the 2017 update of ISO 31000 Risk Management global standard expected in the summer/fall of 2017.
  6. The recommended risk assessment methodology illustrated in this appendix, in addition to being aligned with global risk management practices and terminology, also focuses on the need to “optimize risk treatment designs”—the lowest-cost possible set of risk treatments capable of producing a level of residual risk acceptable to senior management and the board.


[1] “10 Years Later: Sarbanes-Oxley Act Continues to Shape Board Governance,” PR Newswire, July 30, 2012.

[2] Proxy Disclosure Enhancements, Securities and Exchange Commission, February 28, 2010.

[3] UK Corporate Governance Code, Financial Reporting Council, April 2016.

[4] Martin Lipton, Risk Management and the Board of Directors, Harvard Law School Forum on Corporate Governance and Financial Regulation, February 15, 2017.

[5] Text of Larry Fink’s 2016 Corporate Governance Letter to CEOs, February 1, 2016.

[6] ICGN Guidance on Corporate Risk Oversight, Third Edition, 2015.

[7] Martin Lipton, Risk Management and the Board of Directors, Harvard Law School Forum on Corporate Governance and Financial Regulation, February 15, 2017.

[8] The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, Eighth Edition, Mark Beasley, Bruce Branson, Bonnie Hancock, North Carolina State Poole College of Management, March 2017.

[9] Draft International Standard ISO 31000, Risk Management—Guidelines, February 2017 discussion draft.

[10] Relationships and Risks: Insights from Stakeholders in North America, A CBOK Stakeholder Report, IIA Research Foundation, 2016.

[11] The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, Eighth Edition, Mark Beasley, Bruce Branson, Bonnie Hancock, North Carolina State Poole College of Management, March 2017, page 37.

[12] Evolution or Irrelevance: Internal Audit at a Crossroad, Deloitte’s Global Chief Audit Executive Survey, 2016.

[13] Principles for an Effective Risk Appetite Framework, Financial Stability Board, November 2013.
