Questions Directors Should Be Asking About Risk Management
It is often far too late when directors start probing senior managers about the risks that the corporation has undertaken. The article presents a series of questions that the Board of Directors can ask to determine whether the risks undertaken by a corporation are being managed properly.
There are three overriding principles that apply to all companies that implement an integrated risk framework. Is risk management coordinated throughout the organization? Are business units empowered to implement risk management? And is risk management embedded into the organization’s culture?
Walter Wriston, the former Chairman of Citibank, used to say that risk is a four-letter word. But he also said there was nothing wrong with risk, as long as it was managed. It’s no longer adequate to just have a formal risk process in place and assume that risk is being properly managed. Of course, one wants to see that management has identified all risks and properly measured them against risk tolerance levels, that specific triggers that force risk reductions are in place, and that the responsibility for managing the risk is clearly defined. However, today’s complexities require a holistic view of risk that transcends individual business segments. It requires speed and intimate knowledge at the business unit level, and it requires incorporating the idea of risk into every employee’s thinking.
1. Does the corporation have an effective immune system?
Effective risk management is evidenced by policies, principles, exception approvals and risk inventories but, most importantly, a risk agenda. The risk agenda and corresponding key initiatives should be routinely reported to the Board. The Board should get a sense that risk matters are handled proactively and that communications across business units are open and effective. Danger signs to watch for include excuses that specific risks do not necessarily lend themselves to measurement and use of the phrases “don’t worry”, “this will never happen”, and “it’s all under control”. Be mindful of too much reliance on technology and of sales incentive programs misaligned with risk management goals.
In risk management, there are two types of errors: omission and commission. An error of omission is the worst type. The company had a risk and did not realize it. It’s far better to make an error of commission, where you looked at a risk and made the wrong call. In assessing whether the company has an effective immune system, the board member needs to be comfortable that senior management is at least asking the right risk questions.
2. Does middle management view risk management as a means to improve their effectiveness?
Most managers can pull a list from the desk drawer of the five or six key business data points they monitor daily, irrespective of the MIS that they are given. The question that needs to be asked is whether risk is one of these items. As a middle manager, I was invited to lunch by a board member with six of my peers. After the lunch, there was no doubt in my mind that risk should be on my short list.
External auditors follow a two-part process. They first assess internal accounting controls to determine that the financial system produced good numbers. Once satisfied the process works, they test the financial numbers that are produced for reasonableness. So too with risk management. A company has to ensure that risk management is built into the process, akin to quality. This is accomplished by identifying the magnitude and likelihood of risks related to a specific process, quantifying the risk through a common language of measurement and reporting, and proactively managing the risk. Board members should look for telltale signs such as hearing risk as part of the vocabulary, getting requests to leverage their contacts to assess specific risks, and the absence of post-mortems (lessons learned) on mistakes that are made.
A board member should more formally determine that the audit committee specifically looks at business risk and that there is a uniform risk measurement system that is the basis for middle management rewards/penalties.
3. Does the company have the right risk management culture?
Cultures migrate and are difficult to control. As a result, risk management is not “one size fits all” and the implementation of an appropriate risk framework needs to be tailored to a company’s own personality and activities. For example, it’s important to understand where a company is in its industry/business cycle; it is obviously more important for a start-up to assess cycle risk in conjunction with its financing requirements and revenues. Further, it is important to realize that assessing risk in a start-up is not contra-entrepreneurial. In fact, there needs to be a healthy balance between risk management and market aggressiveness.
The first assessment is at the board level, and specifically its role with respect to risk management. Has the board assumed ultimate risk responsibility? Has it established risk tolerance levels? Has the board effectively delegated responsibility with the commensurate authority for risk management? Second, does the culture encourage proper risk management? Is the message from the top consistent that risk management is important? Are rewards consistent with behavior? Do employees know what is expected? Are there risk training/awareness programs? Are silos broken down and is open communication encouraged? Are risk successes publicized? Evidence of answers to all of the above is a specific sign that the company is building the right culture.
4. Are there any tools or methodologies that should be relied on?
I see two versions of risk management in the future. One is a NASA space shuttle with dials to monitor risk on a real-time basis within future tolerance levels. The other is a version of gray hair and experience – a sense of “been there, done that” with a qualitative bent. The pendulum has swung too far to the quantitative side and balance is needed. One can have the best systems in the world but they are never a substitute for good judgment. What you want to do is encourage good judgment in as many different ways as possible, from training to reward.
5. What are the danger signs of a company that is heading in the wrong direction?
The most compelling symptom is a company that is accident prone and explains away its problems due to market conditions. Another great vulnerability is when a senior manager has too much invested in a particular business and does not regularly revise his view of the environment. I always found that in foreign locations, country managers that were locals always lost the most money when their home country got into trouble. It’s very hard to see turning points when you are overinvested, financially and emotionally.
David Martin is a former Senior Risk Manager at Citigroup. He is currently Chairman & CEO of Knightsbridge Capital Management, an incubator of hedge funds. He can be reached at 212-269-5516.