Enterprise Risk and the Board of Directors

Recently, some colleagues and I worked on a board risk oversight project that resulted in interviews with numerous corporate board members about their perspective on the board’s role in enterprise risk management (ERM). During that project, one board member suggested that my next risk research project should be called “good, great, going, gone!” —a risk project about companies that thought they were doing well but somehow ended up failing. He was motivated because he served on a board of a company that went bankrupt and wondered, after the idea of ERM came along, could the company have been saved? Could management and the board have seen the risks coming? Could they have seen them sooner or understood them better?

Data by several consulting firms give us some insights into the common risks that are missed. Deloitte showed that hundreds of companies have lost from 10% to 90% of their market value in less than 30 days. Many times, unmanaged risks are related to strategic issues. Operational risk mistakes usually take second place in these types of studies. Others have noted that such losses are frequently caused by not seeing how two or three risky events can work together to create an even larger accelerated storm of risks.

A few years ago, an APQC survey showed that most companies admitted not identifying all risks. Unfortunately, many of those same companies confessed they also did not correctly assess the risks that they did see. Not seeing your risks and not understanding how big they are when you do see them is a recipe for big losses and constant surprises. Unfortunately, recent surveys show that, although a lot of companies have separate processes for strategic and operational risks, most admit they do not connect the risks to strategy.

 For those market efficiency people, just a heads up—the market is already judging whether you are good at this. Ever notice a company with a billion-dollar mistake get a billion-dollar loss in market cap? That’s efficiency and, anecdotally, most likely caused by a  surprise (or black-swan type) risk event. The market figures you probably could not have seen it coming and does not punish more than the loss. Sometimes, however, the market will punish a company with a multiple of the loss—sometimes two, three, or 10 times the  loss. Why? It seems the market is saying you should have seen this risk coming (I call these white swans). The market punishes you because they are judging your risk competence (my words—not theirs). They wonder, if you missed this event, what else might you miss  in the future? It’s important to note that these white swan cases usually result in executives getting fired (a little personal risk management can be valuable).

 After studying ERM at several major companies a few years ago, my colleagues (at the University of Virginia and the University of North Florida) and I wrote that ERM was designed to create, protect, and enhance shareholder value. That is still a good way to think of  ERM. The International Standard for Organization (ISO) says risk management is a set of coordinated activities to direct and control risk. The Committee of Sponsoring Organizations (COSO) say ERM is a process designed (among other things) to help an organization  meet their objectives. Who doesn’t want to meet their objectives?

 Executives have noted that ERM leads to less volatility, greater chance of meeting goals, increased profitability, and potentially improved reputation. Some surveys find investors admitting they would pay a premium

 for a company with better risk management. Academic research shows results such as more value added, better credit ratings, and improved decision making. ERM appropriately has its skeptics, and it certainly is not a substitute for bad strategy, people, processes, or  stupidity, but it is the right way to run a business and think about what the company is trying to achieve.

Successful ERM means companies must develop their business and risk acumen. That starts with understanding risk. But what is risk? A common phrase suggests there are knowns, known-unknowns, and unknown- unknowns. A cagy risk executive considers that things could veer left or things could veer right (imagine a normal distribution). They examine the known risks with business acumen, learning the real drivers of the business, and thus, the real known risks. I worked with one board whose chairman said to me, as we looked out of their boardroom onto the city, “You see that building over there? That company is trying to kill us.” This guy understood the importance of thinking seriously about the known risks.

French mathematician and inventor Blaise Pascal was one of the first to take known risks and add dimensions. In trying to decide the likelihood that God exists, he later decided that adding impact was significant. Apparently, he was contemplating what would happen to him if he were wrong about God not existing. Even today, ERM professionals take these dimensions of probability and impact and apply them to their known risks. The result is often called a risk map (of known risks).

Since ERM is designed to help a company manage the risks that keep it from achieving their objectives, the risk map can be a valuable starting point for seeing the big risks to the objectives. For some companies, the map can be incredibly illuminating because, for the first time, the company has captured the biggest risks all on one page. It can result in deep conversation and alter the path of a company. For others, however, the map can be a false sense of security. 

To assuage this concern, risk-savvy executives also think about the known-unknown risks, even though that concept is hard to grasp. To an econometrician, it might mean what you know and do not know about the error term in your regression model. To a risk-thinker, it captures more. It means that executives need to factor in other aspects and dimensions of risk to be able to make the best decisions. One dimension is utility, or what the company or stakeholders care about. Another dimension is the interconnectedness of risk. Using a portfolio view, companies quickly realize how risks can be correlated and must be managed together. Successful retailers such as Target, Neiman-Marcus, and others are being reminded what stakeholders care about as they contemplate how IT risks relate to customer trust and reputation risk.

Risk-thinkers also factor in velocity. They understand how quickly things can unravel in a digital and social media world. They also grasp that decision makers may not be rational at all and could fall into many different types of decision traps (bias, groupthink, etc.). Risk-thinkers further realize that decisions and risk management are never made in a vacuum. The minute your organization decides on a path, your competitors are responding. Only the foolish ignore this. Risk-savvy executives view their risks and attempt to understand the known-unknowns using these dimensions of risk.

Unknown-unknowns are the scary part. While the black swan approach is one idea, others approach this via value killer workshops or Friday the 13th workshops. These workshops focus on digging into the business model and the related assumptions and uncertainties. Still others bring in outsiders to challenge their thinking about their strategy and potential risks. Emerging risks is a more common and recent development for some companies. The key in these approaches is for boards and executives to really dig into their business model, assumptions,

value chain, etc. Another key is to examine macro risks to determine their impact on the business and business model.

Digging in requires a serious look at things like disruptive technologies, but even better, it requires disruptive risk thinking. It becomes not just avoiding becoming Borders, Lehman, or Circuit City but seeing the upside too. The value of these unknown approaches is that risk-savvy executives start to ask questions about how confident they are in achieving their strategic objectives. After challenging their business assumptions and strategy, sometimes companies realize they had the wrong objectives and need to change. One board member recently noted that he knows what the nearest competitors are doing (knowns and known-unknowns) but was worried about who his Amazon was (unknown-unknowns) or which company would come in and disrupt the business they had not considered as a competitor.

Some companies can be successful by being better at being normal. My view is that great companies view their business model with a keen eye and look at both sides of an equation. They also try to figure out new business models altogether. I call it business risk acumen. It’s really a combination of understanding the business model, value chain, and the related risks.

Great companies figure out which options have the most value and where they can compete. For example, the Internet and digital music arrived, and while music companies complained about lost revenue, Napster saw a way to share music that never before existed (and reached millions of people). New artists saw a way to break the old business model (of getting into the business completely based on who you know); they saw a way to get exposure for their music. Of course, downside risks still exist, since this is sort of how we got Justin Bieber. Apple saw a new opportunity and not only created new products but remade the entire cell phone industry. RIM (Blackberry) gets behind, Samsung responds, Pandora enters the game, Apple responds, the risk and response goes on; we must not make decisions in a vacuum.

If you are a board member, you have heard about the courts potentially raising the risk bar: the NYSE risk management requirements, the credit rating agencies’ review of ERM, or the SEC rules on board risk oversight, etc. If you feel like your company’s executives are not risk savvy, be patient. ERM works when you give it time, get buy-in, develop your business risk acumen, develop the appropriate infrastructure (vision, charter, reporting, linkage to strategy, etc.), and when the culture embraces it.

A board member I interviewed last year stated that his job was to determine if the CEO was lucky or not. That is, does the CEO really understand the business and risks? Another astute board member pointed out that companies do not last forever. Just look at the data. Big and small companies fail to stay around. Why? According to this board member, the answer is easy. They fall asleep at the wheel, and they miss the big risks and how the market changes and moves. Another board member stated that perhaps the biggest risk facing most companies is whether the board does their job with respect to board risk oversight, especially for risks in areas such as strategy and reputation.

There are still many unsolved questions for boards, executives, and academics. One key question is where and why is the value added? Do we save companies from the downside and accelerate them to greatness and more value because they are better at seeing the risks or because they are better at assessing risks? Do they succeed because they are more robust with respect to the risk or is resiliency the key? Knowing the answer to these questions can potentially lead to greater value from ERM efforts in the future.