In 2008, the National Association of Corporate Directors (NACD) published a white paper recommending that directors pay close attention to the connection between risk oversight and corporate strategy. What is the relationship between these two activities, and why does it matter?
Recommendation 1: Mitigate The Risks Of Strategy Implementation
NACD contends that the overarching goal of risk oversight is mitigating the threats to implementing the corporation's strategy. The goal is to manage, not eliminate, these threats.
When a crisis, such as a scandal, strikes the firm, a strong corporate culture, reputation, and credibility can reduce the impact. The board should establish and implement, through written policies and actions, ethical behavior, integrity, legal compliance, and strong financial reporting and controls. Risk considerations should underlie company policies regarding employee selection, retention, training, and compensation.
Recommendation 2: Understand The Relationship Between Strategy And The Company's Risk Appetite
To determine the company's appetite for risk, the board should perform a SWOT (strengths, weaknesses, opportunities, threats) analysis. In addition, directors should keep in mind that risk profiles and corporate strategy change over time.
Moreover, in developing a risk profile, directors need to consider how stakeholders such as employees, customers, and suppliers affect and are affected by the company's actions.
Recommendation 3: Identify Risks
Management should identify the specific material risks the company faces, indicate their likelihood, and estimate their cost versus the cost of prevention. However, management cannot foresee every possible threat.
Boards should review the accuracy and completeness of management's identification exercise. Directors must help identify potential risks and develop additional scenarios. Unforeseen risks have greater potential than predictable ones to cause problems for a company.
For example, in reviewing mergers and acquisitions, boards should focus on the contingencies of the deal. These often include intellectual property, litigation, implementation, and financial issues.
Recommendation 4: Monitor Risks
Directors should constantly monitor the company's financial condition, paying careful attention to accounting issues and potential fraud concerning the company's assets. The board should devote time and resources to detecting and deterring significant risks, particularly those that exceed the established tolerance levels of the company.
The security of information and information technology is becoming an issue for companies. One critical element of risk monitoring is ensuring the quality, dependability, and timeliness of information. Management and the board must guard against information overload and against outdated, incomplete, or irrelevant information. Management must provide accurate reports on the company's past activities, risk management activities, and competitive threats.
Analysis Of The Recommendations
The recommendations provide concrete guidance to directors. Yet, directors sometimes cannot properly oversee risk because they do not have a sufficient understanding of the corporation's strategy.
Why does this happen? First, the firm's managers are most familiar with the business strategy because usually they have formulated and implemented it. Outside directors have a less intimate knowledge of strategy.
Second, because of their many duties and responsibilities, directors can get overburdened with information. Sometimes strategy becomes a second priority for directors who focus more on complying with regulations and fulfilling their duties of good faith and loyalty. The duty of good faith does not require an in-depth understanding and investigation of strategy.
In the face of potential personal liability, directors are concerned with meeting their fiduciary obligations. Amid these obligations and concerns, the link between risk oversight and corporate strategy can get lost in the shuffle.
For these reasons, directors must be vigilant in ensuring that their oversight activities remain connected to the firm's strategy.