On Governance is a series of guest blog posts from corporate governance thought leaders. The series, which is curated by the Governance Center research team, is meant to serve as a way to spark discussion on some of the most important corporate governance issues.

The National Association of Corporate Directors (NACD) conducted a survey in 2017 to identify what board directors think are the most important board improvement areas for 2018. (Note: NACD report is free but registration required.)  The summary results of that survey are shown below.

Source: NACD 2018 Governance Outlook: Projections on Emerging Board Matters.

The theme is clear. Boards and listed companies are responding to demands from increasingly strident and powerful institutional investors for increased focus on long term value creation strategy and risk oversight.   

An important question that should be asked is:

What’s driving board members to conclude that these are their top improvement areas for 2018?  If directors have concluded they must improve on these dimensions, it follows that their boards haven’t been doing a good enough job to meet today’s expectations.

Based on 30 plus years working with companies and boards around the world, I can offer some observations on the top 2018 board improvement priorities.

Board’s understanding of risks and opportunities affecting company performance – How much formal risk assessment work is done on top strategic value creation objectives varies greatly from company to company. 

I believe that very few ERM frameworks today do a good job integrating ERM with the company’s strategic planning process, and even fewer companies use risk assessment methods that link top strategic objectives to risks, risk treatments, residual risk status information and performance. Most boards get what management provides without much information on the reliability of the process used to develop strategy and assess risks to top strategic objectives. Many executives that lead strategic planning processes have little formal training on state-of-the art risk assessment methods. The new COSO ERM framework issued in the summer of 2017 puts huge emphasis on the need to transition ERM from a predominantly risk/hazard focus to one that puts equal emphasis on strategy and value creation.

Board’s monitoring of strategy execution – All boards receive regular information on financial performance against the annual plan. Unfortunately, this often doesn’t support monitoring of long term value creation objectives very well, particularly if future success requires quantum shifts in the company’s business model.  Many ERM frameworks in place today are “risk centric” not objective centric. They use “risk registers” not “objectives registers” as a foundation.  Top long term value creation objectives often are not formally risk assessed using the type of methods recommended in COSO ERM 2017 or soon just released ISO 31000 global risk management standard.  A large majority of risk assessment methods used today do not show management and boards the linkages between strategy/objectives/risks/risk treatments/residual risk status/performance. 

Board’s contribution to strategy development process – Powerful institutional investors led by BlackRock, Vanguard and many others are calling on boards to increase their involvement in strategy development while still heeding the old adage “noses in but fingers out.” Not an easy task. When companies complete formal risk assessments on top long term value creation objectives boards are better able to provide meaningful challenge and debate, particularly if there is transparency on the level of “risk assessment rigor” used to assess long term value strategy options and objectives. Few companies today explicitly tell boards the level of risk assessment rigor applied to long term value creation strategy and objectives. Only a small percentage of boards today have board members with deep risk management skills backgrounds to evaluate the sophistication and rigor of the risk assessment process used. Many very successful CEOs have achieved great success in the past using largely intuitive informal risk management practices.  Evidence is mounting that the speed of change today is outstripping the abilities of even the smartest CEOs to manage enterprise risk linked to top value creation and preservation objectives using largely informal practices.  

Oversight of risk management – Board oversight of risks impacting long term value creation strategy and objectives, IT security, financial statements, anti-money launderings, FCPA violations and most recently sexual harassment and discrimination is under intense scrutiny.  My summer 2017 Conference Board Director Notes report Board Oversight of Long Term Value Creation and Preservation: What Needs to Change and 2015 Director Notes co-author report The Next Frontier for Boards: Oversight of Risk Culture provide more context for global demands on boards to do a better job overseeing risk. My opinion is that traditional approaches to ERM and internal audit are hindering, not helping, boards elevate their strategy and risk oversight practices.

CEO succession planning - Much has been written about how to best tackle the uptick in global risk oversight expectations.  Some companies have appointed chief risk officers (CRO).  Others stick with their belief that the company’s CEO is the CRO.  Articles on the subject of risk culture inevitably point to the huge pervasive impact of CEOs on risk culture.   Boards are being told they are fully responsible for overseeing risk culture.  That means that when boards are considering replacing a CEO, perhaps a board’s single most important decision, they must consider the impact of the person selected in terms of driving innovation and long term share value and developing and overseeing the organization’s risk culture.  CEOs need to be willing to take calculated risks to drive share value.  How they go about deciding which risks to take, which risks to share/transfer, which risks to finance, which risks to avoid, and which to treat can have profound impact on a company’s reputation and success.
The Wells Fargo bank account fraud case is a classic illustration of a company’s long term value creation strategy going bad as a result of a toxic culture driven by senior management.  

Quality of dialogue with management – I believe strongly that the quality of dialogue between the board and management is closely linked to the culture of an organization.  Healthy cultures promote and, in fact, demand candid dialogue on tough issues between the board and management.  Sometimes what management doesn’t want to tell the board raises huge red flags on the real culture of a company and the relationship between the CEO and the board. My decades of experience as risk specialist and forensic/investigative accountant indicate that, in more than a few companies, what is reported to the board on the true state of risk has been vetted by top management, sanitized and, in the worst cases, fraudulently represents the true state of risk. I suspect that internal audit functions in the majority of companies today have not been empowered to report on the reliability of information being provided to the board on risks to the most important strategic objectives.

Follow through on recommendations coming out of board meetings – A scan of articles on board process often turns up articles on the issue of documentation of minutes of board meetings.  Practices on board minute taking and the processes used to report on issues identified for follow-up vary greatly from company to company.  Much of the responsibility rests with the corporate secretary and/or general counsel who usually take their marching orders from the CEO.  Boards sometimes must take considerable care satisfying themselves that what was committed to in the board meetings is being acted on. 

Candor of board discussions – An issue that is only now beginning to receive much attention is a subset of company culture – the culture of the board. How boards interact and the level of candor in board meetings varies greatly.  I suspect the candidness of board discussions is heavily impacted by the type of information the board is provided with.  Board packs that provide a “fair and balanced” view of strategy proposals and progress on strategy goals impact how candid board discussions are.  How fair and balanced board information packs are, in fact, is usually controlled by the CEO.  The CEO, in turn, plays a dominant role influencing the company’s culture, including whether there is a culture of candidness and disclosure.

Oversight of M&A – Mergers and acquisitions is usually a subset of long term value creation.  The quality of risk assessment and due diligence on M&A activities is usually closely correlated with the level of rigor used to develop long term value creation strategy and objectives. Just as strategic planning has not always used much in the way of formal risk assessment methods, M&A process has not always been accompanied by much formal risk assessment rigor.  Only boards that have demanded high levels of transparency on M&A process have been aware of the amount of formal risk assessment process applied.

The rigor of board decision making – Boards rely on management for the majority of information they use to make important decisions. In public companies the financial statements, one of the important information sources are audited and reported on independently by external auditors.  What boards don’t often get is independent assurance on the reliability of the information that accompanies long term strategy proposals and progress reports on the strategies agreed. In the majority of companies globally, boards are not told how much risk assessment rigor was applied to identify and assess risks to value creation strategy.  The actual risk assessment rigor management uses to assess risk to long term value creation strategy varies from very low to very high.  How much risk assessment rigor has been applied to information boards receives on strategy lacks transparency in large percentage of companies.   

The Way Forward – Objective Centric ERM And Internal Audit

Boards that truly want to make significant improvement on the areas identified as needing the most improvement in 2018 should take the time to research and evaluate the business case for moving to objective centric enterprise risk management focused on top value creation and preservation objectives. The process is simple but the changes required to the way most companies work today are significant. An overview of core steps is shown below.

Source: Director Notes, July 2017, Board Oversight of Long Term Value Creation and Preservation: What Needs to Change.

Simply stated, this approach is dramatically different than the status quo in many companies because it truly focuses on the end results that are most important to long term success.  Objective centric ERM and internal audit provides a robust response to institutional investors that want more assurance management has an effective process to drive long term value and that boards of directors are effectively overseeing that process.  It also has great potential to help boards make significant progress on the areas in 2018 board members have said require the most improvement.

The views presented on the Governance Center Blog are not the official views of The Conference Board or the Governance Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, or others associated with The Conference Board or the Governance Center.