So how exactly should boards go about the business of risk management?
The answer: methodically and carefully, with a defined framework for structuring their activities, always informed by the need to align risk assessment to strategy.
Those are the observations of two Deloitte corporate governance experts, Henry Ristuccia, partner and co-leader of governance and risk management services, and Maureen Errity, director of the Deloitte Center for Corporate Governance.
Actually it's all about "risk intelligence", rather than risk management, ensuring that boards are constantly monitoring really important matters, what they call "value-killer risks." And shareholder pressure and new regulations mean this is a role boards can't put on the back burner.
What you need is the right framework, a model that involves pretty much everyone in the company all the time. The first level involves business unit owners, who identify risks, and, therefore, play a critical role. Then the CEO, CFO, Chief Risk Officer (if there is one) put in place the policies and procedures for the company. Finally at the top, the board makes sure management is doing the right and most efficacious thing, analyzing risks according to a few categories-strategic, operational and financial, as well as compliance-related matters.
That means the board has to set the tone for everyone else, ensuring risk management is a priority. And it needs to challenge assumptions . That last part is especially important for making sure risk management works hand in hand with strategic planning. That is, boards needs to look at the assumptions underlying strategy to see what could happen if those ideas are wrong--like, for example, the assumption that housing prices could go up forever--and alternative strategies.
According to Ristuccia and Errity, only 30 percent to 35 percent of S&P 500 companies last year disclosed in proxies whether risk and strategy were aligned. But they say that's going to increase, because "these discussions are happening in the board room."
They certainly know what they're talking about. But I've talked to compensation and governance experts recently who say that, while risk management is still a big deal for boards, it's less top-of-mind these days because they feel they've reorganized their risk-assessment house since 2008 and the basic machinery is in place.
Which could mean it might be a while before we see a major shift among boards to scrutinize the relationship between risk and strategy alignment.