On Governance is a series of guest blog posts from corporate governance thought leaders. The series, which is curated by the Governance Center research team, is meant to serve as a way to spark discussion on some of the most important corporate governance issues.

A new National Association of Corporate Directors (NACD) Blue Ribbon Commission (BRC) report titled Adaptive Governance: Board Oversight of Disruptive Risks (available as a free download but registration is required) opens with a very apt and famous quote from baseball legend Yogi Berra – “The future ain’t what is used to be.” Board oversight expectations have skyrocketed in the 10 years following the 2008 global financial crisis. What was considered good, even excellent, board oversight practices five years ago, doesn’t come close to meeting today’s escalating expectations set by the NACD for members as evidenced in their new guidance, regulators, and, increasingly, powerful institutional investors. Given the mounting pressure, duty of care standards for boards are likely to become even more onerous in years ahead.

This post briefly touches on those mounting expectations and calls on directors to demand better risk management processes and better risk status information from management, risk specialists and internal auditors. More details on the business case for change and my detailed recommendations can be sourced in the longer Director Notes “Board Oversight of Long-Term Value Creation and Preservation: What needs to change?” available free to members of The Conference Board and on my website, and an earlier June 2018 Governance Center blog post “On Governance: Boards, CEOs and CFOs Need to Demand a Lot More from Internal Audit and Risk Groups”

The 2018 NACD BRC report opens with a broad statement of escalating expectations and a caution on status quo practices from the report’s Co-chairs:

“It is more important than ever before for board members and executives to anticipate changes that could affect those four elements of long-term value creation—performance, strategy, risk management, and purpose—especially developments that could undermine the validity of key assumptions on which the organization’s strategy and operating model are based. Yet traditional enterprise risk management (ERM) processes may not be well enough designed to address these types of risks; by necessity, many ERM activities focus on determining the impact and the likelihood of a range of identifiable potential risks in order to help prioritize the allocation of scarce resources and boardroom discussions often rely heavily on reports about past performance and results, which may offer limited insight into the unconventional or unexpected.”

The Co-chairs go on to say:

“In an operating environment frequently characterized by the acronym VUCA (volatility, uncertainty, complexity, and ambiguity), boards need to help their organizations do a better job of assessing disruptive risks—those risks that, whether internally- or externally-driven, could have a significant economic, operational, and/or reputational impact—and to help them be better prepared to respond when they occur. We believe this task is not an optional undertaking for directors: it is a critical imperative for the boards of for-profit as well as non-profit organizations, and for both private and public companies.”

The report’s recommendations are relevant and should be considered a “must-read” for board members, CEOs, CFOs, risk specialists and internal auditors. Unfortunately, what the NACD BRC report doesn’t say as bluntly and strongly as it needs to say it is that the information many boards receive today from senior management, risk specialists and internal auditors in the majority of companies isn’t what’s required to meet these new expectations.

The vast majority of ERM frameworks today still use ineffective risk registers as a foundation. Many don’t focus on top strategic/value creation objectives. Few integrate well with top management’s strategy processes or internal audit efforts.  Internal auditors do audits and give subjective opinions on whether internal controls are “effective” on a small percentage of the total risk universe each year – rarely on their organizations top strategic objectives. Not a big help to boards being asked to better oversee really important “disruptive risks”.

It is important to note that the BRC report does give status quo methods a “failing grade” and at least one Commission member zeroed in on what he/she thinks is wrong.

“Evidence indicates that most boards are not prepared for a VUCA world. According to recent NACD research, nearly half of directors said their boards’ tendency to focus on oversight of known risks—those that management has already identified—presents a significant barrier to understanding and overseeing disruptive, atypical risks. We believe this constitutes a failing grade, and the objective of this Blue Ribbon Commission initiative is to help directors improve that grade.”

For disruptive/really important risks at least one commission member believes:

“Traditional compliance or ERM processes might not always capture them, or not capture them early enough, and as a result there is not necessarily a clear path for escalation to the board.”

The carefully chosen words “might now always capture them or capture them early enough” is what has sometimes been called “candy coating” or, at best, massively, understating the major deficiencies of the ERM processes and internal audit methods used in the majority of organizations around the world today. It’s my observation that the majority of Boards have been relatively passive consumer of the products produced by risk and internal audit functions, perhaps believing that risk groups and internal audit are mainly there to meet regulatory expectations, not actually help senior management better achieve important strategic/value creation objectives or manage the really important “disruptive risks.”

The root problem: fundamentally flawed risk and internal audit methods

The diagram below illustrates the 10 primary methods available today to provide information on risk status, including “disruptive risks,” and assurance to boards that the organization is operating within senior management and the board’s risk appetite and tolerance. The left side shows five primary methods auditors and risk specialists can use to provide “direct report” reports to senior management and boards. “Direct report” means auditors and other specialists are the primary risk/control analysts and reporters. Compliance centric, process-centric, control centric and risk-centric are the most popular direct report methods used. Few start with top objectives and, as a result, often miss the really important “disruptive risks.” Most internal audit departments spend the majority of their time doing audits this way. Boards are provided with audit findings, audit observations and summaries of audit deficiencies noted during audits. These methods have not generally been used on the top strategic/value creation objectives, and have shown high failure rates in terms of finding major risk exposures, even on the more traditional value preservation objectives like financial statement reliability, cyber security, paying bribes/Foreign Corrupt Practices Act, business continuity and other objectives that the obsolete “three lines of defense” methods have focused on.

On the right side of the diagram, responsible management can self-assess using some combinations of the same five primary methods. Most ERM frameworks involve using management interviews and workshops and the “risk starting point” assurance approach. Management is typically asked “What do you think are the risks to a process, business unit, or the company as a whole?” Only a small number of organizations require management self-assess using the “business objective starting point.”

In the objective centric approach, steps are taken to identify and agree the company’s top value creation and value preservation objectives first. Those objectives populate the company’s “objectives register.” When an objective centric approach is used a company’s objective register is used as the basis for all assurance work done by internal auditors and other assurance specialists like safety, compliance, environment, and others on the left side of the diagram, and by management on the right side. Full integration occurs naturally. Objective centric risk assessments done by management on the company’s top value creation and preservation objectives can be “quality assured” by independent assurance providers.  

Why is the business objective starting point/management self-assessment method better?

1. It focuses on only the most important value creation and preservation objectives key to a company’s long-term success that warrant the cost of formal assurance and is significantly better equipped to identify really important “disruptive risks”.
2. It engages senior management and boards in the process of deciding which specific end result objectives they want assurance on, who they want it from, and how much.
3. Accountability for assessing and reporting to senior management and the board is clearly defined as a management responsibility. Very few organizations or their boards today formally hold management accountable for reporting to top management and the board on the true state of risk being accepted by the business, particularly on top strategic objectives. Auditors and other specialists working from the left side of the diagram have great difficulty covering the full range of top value creation and preservation objectives and risks that create uncertainty these objectives will be achieved.
4. Boards are provided with a concise report of the state of risk linked to top strategic/value creation objectives and value preservation objectives. Starting the process with strategic and top value creation objectives is aligned with the processes called for in the new 2017 COSO ERM framework.
5. The framework focuses on obtaining consensus agreement on the acceptability of what we call “residual risk status” linked to top value creation and preservation objectives. This provides a visible process to demonstrate to regulators, investors and credit agencies that senior management and the board are effectively overseeing the company’s risk appetite and tolerance.
6. The work plan for risk specialists, internal auditor, and other specialists is defined in the objectives register. This provides a significantly more valid way to determine how many staff and what kind of staff risk groups and internal audit functions need to meet the needs of their customers. In the majority of companies in the world today specific assurance requirements of senior management and boards linked to what NACD calls “disruptive risks” are not clearly defined!!!
7. It is a technically superior approach to meet the needs of boards defined in the NACD BRC report Adaptive Governance: Board Oversight of Disruptive Risks.
8. It has great potential to reduce the growing costs of the plethora of assurance silos that are sprouting in companies all over the world and add significantly more value.

Boards need to take a leadership role calling for change

I have had the privilege of working with boards and companies around the world over the past 30 years. It has been my experience that many boards, for a lot of reasons, have largely accepted the ineffective methods used by internal auditors and, more recently ERM support staff with few questions or challenge.

I have sometimes uncharitably referred to the C-suite and boards as “apathetic customers” of internal audit and risk groups. It may be that many C-suites and boards have believed that the key reason for internal audit and risk groups is simply to meet regulator expectations, not add much real value. Unfortunately, and somewhat ironically, regulators have played a big role fostering and promoting ineffective risk and internal audit methods. They have and still champion assurance methods that history proves aren’t very good.

Given the massive escalation in board risk oversight expectations I have been accelerating my calls on boards around the world to demand more, a lot more, from risk and internal audit groups. Time will tell if boards will transition from being largely apathetic to demanding and discerning customers of the products and services they get from these groups.

(Editor’s note: When approached by the author about this blog post, the NACD said: “A lot of the actionable guidance is embedded in our member toolkit and the education sessions we have launched through our chapters and national programming. [There is a] multi-pronged approach to sustain momentum around this challenge. “)

The views presented on the Governance Center Blog are not the official views of The Conference Board or the Governance Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, or others associated with The Conference Board or the Governance Center.