AdSlot 1 (Leaderboard)

Risk revisions lead to more board oversight

Risking capital or assets in search of financial reward is the definition of business, but governments and regulators have come to view risk as a pathogen and potential danger in the wake of the financial crisis. In this environment, the continual challenge for directors is still to identify the tipping point between opportunity and peril.

According to a recent report, Calculated Risk? from recruitment business Korn/Ferry, boards are now beginning to challenge their own views on risk management to see if they have become too risk-averse in the wake of the financial crisis. However, this revision must be accompanied by greater oversight and engagement at the board level.

The survey – which features the views of directors from organisations in the UK, Europe and the US – suggests that some companies wrongly believe that risks to the business have largely been eliminated if they have been identified and disclosed. It is also clear that not all executives fully understand the term “board oversight”.

“There is a lack of clarity as to what board oversight really means,” says Xavier de Sarrau, chairman of French multi-national media conglomerate Lagardère and a contributor to the report. “Board oversight is a grey area. It is up to the individual board to interpret the degree and extent of their oversight.”

The line between governance and management is a difficult one to maintain. David Sidwell, member of the board of directors at UBS, warns that there are potential dangers in taking an approach to risk oversight that is too active and intrusive.

“The dangers of an intrusive board are twofold,” says Sidwell. “Firstly, it seeds confusion in the business as to who really makes the decisions. Secondly, if the board becomes a de facto decision maker, it can no longer fulfil its primary purpose: to provide an objective oversight.”

Risk committees

Sidwell suggests that some boards might benefit from having a separate risk committee, largely because executives cannot deal with all aspects of risk management themselves. According to Sidwell, boards should decide upon a risk oversight structure appropriate to the complexity, risk appetite and regulatory requirements of the business. Businesses with highly complex risk profiles may also need to work on risk at the committee level for practical reasons, but the whole board must ultimately be both engaged in and accountable for risk management.

“I do not think it is reasonable to expect a full board to devote the time necessary to understand all the complex risks a company faces today,” he says.

However, other directors interviewed by Korn/Ferry disagree and prefer to retain responsibility at the full-board level. According to those who fall into this group, risk is too important to be devolved.



“We had the debate on a separate risk committee and said no. Risk must be the responsibility of the whole board, prepared by the audit committee. We think that there is a danger in losing focus,” says Daniel Bernard, chairman of DIY retailer Kingfisher.

However, if boards are to become more active contributors to the risk debate, the quality and detail of the data and intelligence on which they rely must improve, says Korn/Ferry.

Full control

Many board members express scepticism about the risk reports they receive. They offer little opportunity for directors to dig into the assumptions of the reports. This limits the board’s ability to contribute, says Ian Tyler, chief executive of engineering and construction company Balfour Beatty.

“The board often cannot add anything to the evaluation of risk because it does not have the data to do so,” he says.

Rick Haythornthwaite, chairman of Network Rail, suggests that some boards might be better served by questioning the people behind the data. “There is only one way that we are going to find out what is really going on, and that is by bringing the right people within the company to our board discussions and generating the right kind of dialogue with them,” he says.



The Calculated Risk? report provides guidelines that boards can consider as part of their role in the organisation’s approach to risk management:

1 A board’s approach to risk needs to suit the company’s scale, strategy and regulatory situation. Precise boundaries between oversight and decision-making should be explicitly agreed upon

2 Final accountability for risk oversight rests with the whole board, even for those with risk committees

3 Boards must ask if they receive the right data at the outset, and whether they get that data in a form in which they are able to easily assess the risk assumptions of the business

4 New directors – particularly non-executives – should be recruited with risk in mind. Boards should ensure their directors bring a good mix of industry experience, risk instincts, strategic minds and diversity to the table

Related reading