By Tim J. Leech – Managing Director, Global Operations at Risk Oversight Solutions
In early 2018, the National Association of Corporate Directors (NACD) in the US released its Governance Outlook: Projections on Emerging Board Matters report.
It listed areas that board members said they most needed or wanted to improve on (see Figure 1). Since it is early January 2019 as I write this article, the items on the NACD board improvement priorities immediately evoked memories of New Year’s resolutions from years gone by – a fleeting, good idea often created in a euphoric/intoxicated state on New Year’s Eve, but one that is often quickly discarded in favour of activities that are easier to address – e.g. I want to lose 25 pounds, I want to improve my fitness, I should drink less, I want to reduce my golf handicap by five, etc. A key question the NACD should have asked right after the survey question is: ‘what tangible steps are you and/or your board(s) going to take in 2018 to actually improve on the areas you say are the most important board improvement areas?’ I suspect, and a new NACD 2019 update survey confirms, that progress on these self-identified top 2018 board improvement priorities has been slow. In my experience this is because boards generally have not been demanding and discerning customers of the information they receive from management, risk specialists and internal auditors. An alternative, and very plausible, explanation for slow progress on these priorities is that director responses to the 2018 NACD survey are more akin to New Year’s resolutions – not really top/urgent priorities if they are really hard to do.
This article discusses the top four 2018/2019 improvement priorities identified in NACD surveys by directors; lists what I see as the top ‘risks’/barriers to boards actually achieving them; and closes with a single tangible, and relatively easy, step directors and boards that really want to stick to their top board improvement resolutions can take to improve.
Board improvement 2018/2019
The board’s understanding of risks and opportunities affecting company performance
This improvement priority has taken on new importance as powerful institutional investors have started to demand evidence that boards are actively participating in the company’s strategic planning process.
Larry Fink, CEO of BlackRock – the world’s largest investment firm, controlling trillions of investment dollars – reiterated the importance it attaches to this dimension of board performance in his January 2018 letter to CEOs of the biggest companies in the world. He said:
“In order to make engagement with shareholders as productive as possible, companies must be able to describe their strategy for long-term growth. I want to reiterate our request, outlined in past letters, that you publicly articulate your company’s strategic framework for long-term value creation and explicitly affirm that it has been reviewed by your board of directors. This demonstrates to investors that your board is engaged with the strategic direction of the company. When we meet with directors, we also expect them to describe the board process for overseeing your strategy.”
Fink goes on to elaborate why BlackRock and many other powerful institutional investors around the world are focussed on this dimension: “The board’s engagement in developing your long-term strategy is essential because an engaged board and a long-term approach are valuable indicators of a company’s ability to create long-term value for shareholders. Just as we seek deeper conversation between companies and shareholders, we also ask that directors assume deeper involvement with a firm’s long-term strategy. Boards meet only periodically, but their responsibility is continuous. Directors whose knowledge is derived only from sporadic meetings are not fulfilling their duty to shareholders. Likewise, executives who view their board as a nuisance only undermine themselves and the company’s prospects for long-term growth.”
The NACD report confirms that the 2018 top board improvement priority is still the number one priority for board directors they surveyed in late 2018: “It’s therefore no surprise that for the second year in a row, according to results from the 2018–2019 NACD Public Company Governance Survey, a large majority of directors, almost 70 per cent, report that their boards need to strengthen their understanding of the risks and opportunities affecting company performance. They believe that their boards struggle to keep pace with fast-moving developments that can create or destroy business value. In a 2018 NACD poll, 62 per cent of board members said that they view atypical, disruptive risks as much more important to the business environment today as compared to five years ago (and none said that they were less important).
In the same poll, only 19 per cent of board members reported that they are either extremely or very confident in management’s preparedness to address atypical, disruptive risks, while an overwhelming 82 per cent of them indicated that they were either extremely or very confident in management’s ability to address known risks.”
Risks/barriers to improving the board’s understanding of risks and opportunities affecting company performance
Some CEOs don’t want boards to know the risks that could impact top strategic objectives
Although it is unfortunate, some CEOs still prefer boards that are largely passive and don’t ‘interfere’. In some cases, these CEOs have played a major role in selecting board members who are less likely to aggressively challenge the strategic direction they want to pursue. Some CEOs discourage robust discussions of risks to strategy for fear that boards won’t approve the direction they want to pursue.
Boards often receive very little information on the real top risks to strategies being proposed/implemented
The reason institutional investors are escalating their demands for increased visible involvement of boards in strategic planning and oversight of top value creation objectives isn’t because the majority of boards are doing a fine job already on this dimension. It is because it simply hasn’t been happening at a level satisfactory to major institutional shareholders in a lot of corporations.
Why it hasn’t happened may not be more complicated than that boards haven’t demanded it, perhaps because board members who are/were CEOs and CFOs don’t/didn’t provide their own boards with much rigorous information on risks to top objectives. A less sinister reason is that providing boards with a proposed strategy that comes with tough, objective and rigorous risk assessment analysis simply isn’t the way it has been done in the past.
Strategic planning staff and senior executives engaged in strategic planning have often not been trained to formally identify, assess and report on risks to top objectives
I completed a quick review of the fledgling strategic planning professional associations that have emerged, along with curricula at top MBA schools. There was little mention of the need for strategic planning specialists, or senior executives generally, to learn technical, state-of-the-art risk assessment skills. Two McKinsey strategic planning experts who authored a very relevant book called Strategy Beyond the Hockey Stick talk about massive slide deck presentations to boards on management’s proposed strategic plan where the discussion of risks is relegated to slide number 148, perhaps in the hope that boards have glazed over by then and aren’t paying much attention. Many board presentations on corporate strategy I have reviewed over the past 30 years from global companies I have worked with provide only passing mention of ‘risks’ to strategy, and it is obvious that the level of rigour applied to come up with the top risks to the top strategic objectives – particularly the top residual risks after considering management’s pro-forma risk treatment strategies, if any have been identified – isn’t very high.
ERM frameworks used by risk groups around the world are primarily ‘risk centric’ not ‘objective centric’ and often don’t link directly to strategy or performance
Research surveys regularly confirm that the vast majority of ERM frameworks in use in the world today focus on what-could-go-wrong/hazard type risks, often in isolation from objectives or from performance on top strategic objectives. Few companies today start the ERM process by creating a list of top value creation/strategic objectives (objectives capable of driving sustained value creation over the longer term) and value preservation objectives (objectives that could seriously hurt share value if not achieved), and then deciding which of those objectives warrant the cost of formal risk assessment. Even fewer ERM frameworks call for conscious decisions from senior management, with board oversight, on the level and sophistication of risk assessment rigour (i.e. the amount of time and effort they believe specific top strategic objectives warrant). When risks are shown in isolation from the objectives they relate to, as in the still very popular corporate ‘risk heat maps’, it implies that you can assess and make good resource allocation decisions by fixating on specific risks in isolation. In reality, most objectives have 10 or more important risks that create uncertainty that the objective will be achieved. Objectives frequently conflict and compete for corporate resources and executive and board attention. When risks are analysed in isolation, rather than in terms of the composite impact of multiple risks on the certainty of achieving an objective, it is very common that wrong and dangerous conclusions are reached on the acceptability of the residual risk position.
Internal audit work not linked directly to top value creation and value preservation objectives
For more than 30 years I have promoted the idea that internal auditors should link all their work, including the audit plan, audits and all audit reports, to top value creation and value preservation objectives. It is disappointing, but fair, to say that after 30 years of diligent global effort, I have convinced only a small percentage of internal auditors globally to move from traditional process-centric/control-centric/compliance-centric/risk-centric methods to objective-centric risk assessment. I tried convincing the Institute of Internal Auditors (IIA) a few years ago to offer training to teach internal auditors how to conduct objective-centric risk assessments. I made some progress, but there was no willingness at the IIA at the time to actively promote, as a core audit method, objective-centric risk assessment driven and owned by management with quality assurance done by risk groups (the second line) and internal audit (the third line). Even when the COSO ERM 2017 framework update unequivocally confirmed that all enterprise risk work should start with corporate strategy and the top objectives to achieve those strategies, few risk groups or internal audit departments have made the move to objective-centric assessment, perhaps because of the lack of visible and strong support from risk specialist associations and the IIA. This is true in spite of the fact that the IIA has been a founding member of COSO since the late 80s and, presumably, had significant input into the COSO ERM update.
Top four board improvement priorities are highly correlated
The NACD fall 2018 survey confirms that the number one board improvement priority for 2018 has taken on even greater importance and is still the number one board improvement priority for 2019. The top four 2018 highly correlated board improvement areas cited earlier include:
1. The board’s understanding of risks and opportunities affecting company performance
2. The board’s monitoring of strategy execution
3. The board’s contribution to the strategy development process
4. Oversight of risk management
All four top board improvement priorities are significantly impacted by the risks to priority number one, described above. The core reasons that these four highly correlated areas are still top board improvement priorities include the following:
Strategic planning and formal risk assessment
It has not been standard practice in many companies to submit corporate strategies being considered, and their supporting top objectives, to rigorous risk assessment processes. Many executives who drive the strategic planning process have little or no formal risk assessment skills training. This means less reliable fact-based information on the key ‘risks’ that create uncertainty that the strategies being considered and their supporting objectives will be achieved. Corporate strategy documents rarely include information on the key ‘risk treatments’ planned to manage the top risks identified, if any.
Lack of agreement on what the word ‘risk’ means
A large percentage of companies around the world, as well as internal auditors and risk specialists, would appear to have not really embraced the generally accepted definition of the word ‘risk’ – ‘the effect of uncertainty on the achievement of objectives’ (ISO 31000 2018). Without an objective there can be no ‘risks’. It would seem logical that top objectives should warrant the most rigorous risk assessment efforts. If one really accepts the ISO 31000 2018 definition of ‘risk’, a definition very close to the COSO ERM 2017 definition, it would seem obvious that applying formal risk management methods to a company’s strategic plan should be a mandatory step in all companies. Since corporate strategy and supporting objectives are almost always considered to be the obvious ‘top strategic value creation objectives’, it would seem logical that they should also be candidates for fairly rigorous risk assessment – both during the formulation of strategy and afterwards, when the strategies and supporting objectives are being implemented. All too many companies, explicitly or implicitly, define ‘risk’ as bad things that could happen. The new COSO ERM framework released in 2017 calls for radical changes to how enterprise level risk is approached in the majority of companies. Unfortunately, it appears the COSO ERM update has had limited impact to date.
Because many corporate strategies don’t include much in the way of disclosing top residual risks to achievement, or strategies to treat those risks, it is difficult for boards to do a better job on priorities 1 to 4
To have a really engaged discussion of strategy and supporting objectives, the process must be designed to encourage it. This is not the case at many organisations. Even a quick read of the McKinsey principles book Strategy Beyond the Hockey Stick makes it clear that the strategy development approach at many companies does more to discourage board engagement in strategic planning and oversight of implementation than it does to encourage it. Companies need to do a better job of articulating what management sees as the top risks to strategy and how they plan to treat/respond to those risks if boards are going to increase their engagement in the strategy development and execution phases. (Note: ‘treat’ is the word ISO 31000 uses. ‘Respond’ is the word COSO ERM uses.)
Few companies today use a risk assessment methodology that links objectives, risks, risk treatments and performance
I have believed for more than 25 years that it is absolutely essential that the risk assessment methodology used for ERM frameworks and internal audit should start with top objectives; identify and assess risks – situations that create uncertainty that the objective will be achieved; identify what ‘risk treatments’ are in place to treat top risks; and clearly describe the performance produced by management’s decisions on how to treat risks. Unfortunately, in spite of my best efforts, only a small percentage of companies today use a risk assessment approach that includes all those elements. Demonstrating the correlation between top objectives, risks, risk treatments and performance is a key element that must be present if management at all levels is going to accept responsibility for risk management and reporting, and if boards are going to participate in and oversee the strategic planning process more effectively.
Few companies see any role for their risk functions, where one exists, or for internal audit in strategic planning
In a significant percentage of companies today, internal audit departments and risk functions were created to respond to regulatory requirements, not to add real business value. Few were created by CEOs or boards who see these functions as a way to help the company increase certainty/reduce uncertainty that top value creation/strategic objectives will be achieved. Unfortunately, the traditional methods used by a majority of internal audit departments and risk functions today are such that CEOs who have taken this position are, in fact, quite justified in their decision not to encourage/require involvement of risk functions and internal audit in strategic planning or oversight of implementation of strategic plans. The traditional methods used by risk groups and many internal auditors today are not well equipped to provide important roles in strategy development and in risk assessment of strategy and supporting objectives.
What can boards that really want to achieve their top improvement priorities do? It’s simple – require the company/companies they oversee to implement objective-centric enterprise risk management and internal audit.
Companies all over the world have implemented some combination of process-centric, risk-centric, control-centric and compliance-centric assurance methods. This is the main reason boards now cite the four top improvement priorities listed earlier and institutional investors are unhappy. Few have implemented management-owned, objective-centric assurance that starts by defining top value creation/strategic objectives and top value preservation objectives; makes conscious decisions on who will be the ‘owner/sponsor’ responsible for assessing and reporting on each objective and on the target level of risk assessment rigour; and decides who, if anyone, will provide independent assurance on those objectives. This simple step immediately forces true integration of effort between the first, second and third lines in the popular ‘three lines of defence’ framework. The first line owns responsibility for doing formal risk assessment on strategies and objectives that are deemed important enough to warrant the cost of formal risk assessment. The risk group, where one exists (the ‘second line’), is responsible for helping the first line do a good job on this task and for objectively reporting on progress and on the reliability of management’s reports on risk status linked to top objectives. Internal audit (the ‘third line’) is responsible for providing independent assurance on assessments done by the first line with the help of the second line, and for providing reports to the board on the entity’s risk management processes. CEOs, the fourth line, and the board, the fifth line in the framework we promote, oversee and actively participate in the process (see graphic, below).
A diagram showing the core elements of the objective-centric risk assessment approach we promote is below. The focus is on knowledgeable decisions on the acceptability of what we call ‘residual risk status’ and ‘certainty’ of achieving top objectives. It is the only methodology I am aware of that explicitly links objectives/risks/risk treatments and performance data.
More details on what objective-centric ERM is and the business case for change can be found in an article in Conference Board Director Notes/Harvard Governance Blog titled Board Oversight of Long Term Value Creation and Preservation: What Needs to Change, and in the spring 2017 issue of Ethical Boardroom titled Building Businesses for the Long Term: Focussing ERM and Internal Audit on What Really Matters: Long Term Value Creation and Preservation.
The way forward
Public company board members surveyed by the NACD in late 2017 and 2018, many of whom are on the boards of global companies, have been clear on what they most need/want to improve on. I believe that the primary reason these areas have been identified as top priorities by directors is that the companies they oversee do not use objective-centric assurance methods. This article recommends that directors who really want to improve their performance should simply demand that the company/companies they oversee implement objective-centric ERM and internal audit.
This easy and simple step will lead to dramatic and immediate improvement on the top four improvement priorities identified by board directors. It will also respond to increasingly strident calls from powerful institutional investors for increased engagement of boards in strategy development and oversight and, most importantly, increase certainty/reduce uncertainty that top value creation and value preservation objectives will be achieved while operating within the company and board’s risk appetite/tolerance.
About the Author:
Tim J. Leech FCPA CIA CCSA CRMA is Managing Director Global Operations at Risk Oversight Solutions Inc. ROS focuses on helping companies implement objective centric enterprise risk management (ERM) and internal audit to meet escalating board risk oversight expectations and add real value. He has over 30 years of global experience in the board risk oversight, ERM, internal audit, and forensic accounting fields, including expert witness testimony in civil and criminal proceedings. Leech has provided training for hundreds of thousands of public and private sector board members, senior executives, professional accountants, auditors and risk management specialists in Canada, the U.S., the UK and EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader and trainer. He has been published in the Harvard Governance blog, London School of Economics Center for Risk and Regulation, IIA global and many others. He is a regular contributor to Ethical Boardroom and Conference Board Director Notes.
1. 2018 Governance Outlook: Projections on Emerging Board Matters, National Association of Corporate Directors (NACD), January 2018
2. Larry Fink’s Annual Letter to CEOs, https://www.blackrock.com/corporate/investor-relations/larry-fink-ceo-letter
3. 2019 Governance Outlook: Projections on Emerging Board Matters, National Association of Corporate Directors (NACD), http://bit.ly/2VmWKAE
4. See http://bit.ly/2P3J6iA for more details on Five Lines of Assurance