During a board evaluation there is often an elephant in the room that no one wants to acknowledge. It’s the question, “How does our Board compare to other boards? Are we really as good–or as bad as we think? If we wanted to make a comparison with others, how would we do it?” There are two ways to deal with the elephant.
The first is to ensure that your board has a regular injection of new members who have experience with other boards. That is the long and preferred way, but a topic for another day.
The shorter way is to treat board evaluation for what it is; a means of measuring year-over-year improvements in the capacity of your board to work effectively. Accepting that approach begs two questions:
1. How do we measure where are we now?
2. What actions should we take to make the greatest and most important year-over-year improvements?
To answer those questions, you need a starting point, a means of identifying what the greatest improvements should be, and an approach to measuring progress.
Typically a board evaluation questionnaire consists of a series of statements, (or questions.) Directors are asked to express their level of agreement with those statements on a multi point scale. There are two kinds of questions; those relating to board mechanisms that should be in place such as a code of conduct or a strategic planning process; and those relating to the accomplishments produced by those mechanisms. Examples of the latter would be, “Our CEO is clearly aware of what the board expects the organization to accomplish in the next year and has created a plan to do so.”
The questionnaire is completed, the results prepared, the board discusses them, and the whole exercise is put to bed ’till the next year. There is little to which to compare the report except last year’s, and only a vague suggestion of areas that could be improved.
A more directed way to manage the process is to start with a benchmark questionnaire. It uses the same statements, but for each of the statements two responses would be sought. Consider the following example. The statement on the questionnaire would read:
“The Board has established a mechanism for setting risk tolerance and monitoring risk exposure.”
The board would be asked to rate the importance of the activity to the effective functioning of the board using a five point scale.
1- Unable to assess (i.e. I don’t know enough to answer the question)
2 – Low
3 – Moderate
4 – Medium
5 – High
In the second part of the question, Directors are be asked to rate the boards capacity (skill) to accomplish this activity (i.e. Setting risk tolerance and monitoring risk exposure) again using a five point scale.
1- Unable to assess (i.e. I don’t know enough to respond)
2 – Low
3 – Moderate
4 – Medium
5 – High
Activities that require the Board’s attention show up in the results as being ranked High in importance and Low in skills. Contrary to expectations, the number of activities so highlighted by this exercise is usually relatively low.
The report provides several pieces of information.
-It identifies areas the board should examine for improvement projects in the next year and indicates a level of priority for the improvement.
-It identifies statements that are not necessary to include in future evaluation surveys.
-It identifies types of statements that should have higher representation in the survey.
A year from now, the modified survey can be run with relevant questions resulting in a true evaluation of progress in areas where improvement was identified.
Board evaluation should be about improving your board’s ability to function effectively. Employing this benchmarking approach makes that objective easier.
Monday, November 2, 2009
Friday, October 23, 2009
The Board's Bets
Adding Clarity to
The Risk Management Debate
The widespread talk about risk gathered momentum following the failure of Enron. Prior to that pivotal event, “risk management” was a generic concept that lacked much appeal beyond a few professionals. It was hard to visualize, and difficult to communicate. The definition of “risk” says it all.
A risk is an event or situation that could impact (compromise or enhance) our ability to achieve an objective.[i]
The failure of Enron and WorldCom followed by the 2008 bank failures piqued public interest about risk, and the failures of risk management. Those who thrive on hot topics and headlines latched onto the use of “hot-risk” labels to stoke the discussion.
As a result, “hot-label” risks like reputation risk, compensation risk–and the catastrophic Black Swan event[ii]–are news. For the public, they create easily understood pictures of dangerous situations that require little explanation.
Risk labels have been a boon for the media, commentators, and some consultants. The more risks they can identify the more they have to talk about. Now it seems that everything we do has a risk label attached to it. In a paper about pension plan management, the authors identified 54 different types of risk ranging from solvency risk to transition risk. But risk labels have three serious downsides. Commoditization of risk is one.
When everything is a risk then nothing is a risk and risk check lists abound. When Boards are constantly prevailed upon to deal with a litany of risks like IT risk, reputation risk, litigation risk, or fraud risk, they lose their sensitivity to risk. Boards intuitively know that everything isn’t a red light issue. But they are subject to fear.
The commentary around hot-risk topics creates fear. It discourages the prudent risk taking that is at the very centre of innovation, change, and healthy growth. Peter L. Bernstein, the recently deceased guru of risk management[iii], emphasized that “Risk doesn’t mean danger. It simply means not knowing for certain what the future holds.” Events we encounter as we execute our plan could cause the outcome of our bet to be better than we expected, or worse.
“The secret of success lies not in avoiding risk but in managing risk; avoiding “bet-the-company” types of uncertainties, developing contingency plans for identified risks in the event they materialize, and closely monitoring progress in order to respond quickly if the “bet” is threatened.”[iv]
Risk labels misdirect our efforts at risk management. They focus on the back end of the problem rather than the front end. Reputation risk is a good example. While the label “reputation risk” seems logical, threats to reputation are not a risk. They are a secondary impact, activated only by a risk event or situation occurring somewhere else in the system.
Yes, preparation to manage a possible threat to reputation is important. The makers of Tylenol, Maple Leaf Foods, and David Letterman, demonstrated that good management can minimize their impact. But it’s more prudent, and far less costly, to avoid the risk situations or events that could cause threats to reputation in the first place.
Consider a case of tainted meat. Listeria bacteria consumed in processed meat can cause illness or death―and threaten the meat processors reputation. The real culprit, the real risk to be managed, is the possibility of bacteria collecting in the processing equipment.
Start at the Front End
Bernstein zeroed-in on the critical starting point for risk management. Risk does not come into play until, “...we place a bet on an outcome that will result from a decision we have made.” In deciding to make our bet, we initiate a process to achieve that outcome. We can’t be certain about our success because, the activities we use to arrive at our decisions and execute our plans are imperfect.
Frank H Knight, the originator of the concept of risk as uncertainty,[v] first catalogued those imperfections.
1. We can’t accurately judge the totality of our present situation
2. We can’t assess how the future will unfold with any degree of dependability
3. We can’t accurately predict the consequences of our own actions
4. We rarely execute our plan in the precise form in which it was made
5. We can’t accurately know or predict the actions of others who could impact our plan.
To that list we add an observation from recent research by Kahneman & Tversky described in their publication, “Prospect Theory”[vi].
6. We can’t be sure that we will recognize, or take advantage of the upside opportunities that will occur as we execute our plan because we are hard-wired to be more concerned about imagined loss than potential gain.
The Risks are Few
For those engaged in risk management the fundamental downside risks are few, not many. They are generic. They apply to all bets.
1. Failure to be detailed and disciplined in the examination of the cause and affect relationships that form our current reality and trigger our decision to proceed. When we understand our current reality at its most fundamental level, our options for future action are also clarified. Some of those cause and effect relationships are specific to our business. Many are generic, common to business in general.
2. Failure to create a detailed execution plan that includes the inevitable downside risks and upside opportunities, to guide our decision-making.
3. Sloppy execution of the plan by individuals who are unfamiliar with its details or uncommitted to its objectives.
4. Failure to monitor progress against plan. “Don’t expect what you don’t inspect.”
5. Failure to act quickly when the objective is threatened.
To Bernstein, “The essence of risk management lies in maximizing the areas where we have some control over the outcome, while minimizing the areas where we have absolutely no control over the outcome, and the linkage between effect and the cause is hidden from us.”
The Board’s Bets
Boards make the most critical bets of all. They bet on a CEO, bet on a strategic plan, bet on a management team, bet on an executive compensation scheme, bet on a group of board colleagues, and bet on a set of financial statements.
Boards don’t develop plans–or execute them. That’s the CEO’s job. But when Directors approve the CEO’s plans, they place a bet. They accept a risk that prudence demands must be managed.
Increasingly Directors are expected to be more knowledgeable and more circumspect in managing their bets. That implies gathering information to demonstrate whether:
· The management team is committed to the project has taken a disciplined and detailed look at the current reality surrounding its proposal, and has developed a reasonable approach to strategic deployment?
· The execution strategy and plans consider upside opportunities as well as the downside risks and have the capacity to respond to both.
· The execution team is familiar with the plan and committed to its objectives.
· Progress against plan will be monitored and the Board will be kept in the loop? “Don’t expect what you don’t inspect.”
· If the project goes off the rails, management will respond appropriately?
In an earlier article in this Journal (Learning from the crisis: How the Board’s role in strategy fulfills a risk management responsibility, Goldie, Smith, and Stephenson, Director, 2009), we referred to a three step process for engaging Directors and the Board. The three steps, Educate, Engage, and Refresh, provide the Board with a vehicle to gather the required information and remain informed of both progress and problems. It provides Boards with a means to manage their bets.
Summary
The talk about risk has raised its profile and made the general public aware of its importance. But focusing on the hot-label risks is the antithesis of effective risk management.
Labels commoditize risk, misdirect our risk management attention, and most crucially, through fear, blind us to upside opportunities which are an integral part of risk.
Placing prudent bets on the future and managing them diligently is a precursor to any accomplishment. It is ultimately the measure of your board’s success as a steward.
[i] Conference Board Report, R1398-07-WG, Emerging Governance Problems in Enterprise Risk Management, uses the following definition for risk taken from COSO, “The possibility that an event will occur and adversely affect the achievement of objectives.” I find this definition too narrow and I believe that Peter Bernstein would have agreed since it did not consider upside opportunity.
[ii] Taleb, Nassim Nicholas (2007). The Black Swan: The Impact of the Highly Improbable. New York: Random House
[iii] Peter L Bernstein, Against the Gods, John Wiley and Sons, Inc. 1996
[iv] Senior executive
[v] Frank H. Knight, Risk, uncertainty and Profit, Hart, Schaffner and Marx; Houghton Mifflin Co., 1921
[vi] Kahneman, Daniel and Amos Tversky, 1979, “Prospect Theory: An Analysis of Decision Under Risk.” Econometrica, vol. 47, No. 2, pp 263-291
The Risk Management Debate
Is everything we call a risk, actually a risk? Is everything we chase in the name of risk management worth chasing? The answer depends on whether your board wants to talk about risk, or manage its bets.
The widespread talk about risk gathered momentum following the failure of Enron. Prior to that pivotal event, “risk management” was a generic concept that lacked much appeal beyond a few professionals. It was hard to visualize, and difficult to communicate. The definition of “risk” says it all.
A risk is an event or situation that could impact (compromise or enhance) our ability to achieve an objective.[i]
The failure of Enron and WorldCom followed by the 2008 bank failures piqued public interest about risk, and the failures of risk management. Those who thrive on hot topics and headlines latched onto the use of “hot-risk” labels to stoke the discussion.
As a result, “hot-label” risks like reputation risk, compensation risk–and the catastrophic Black Swan event[ii]–are news. For the public, they create easily understood pictures of dangerous situations that require little explanation.
Risk labels have been a boon for the media, commentators, and some consultants. The more risks they can identify the more they have to talk about. Now it seems that everything we do has a risk label attached to it. In a paper about pension plan management, the authors identified 54 different types of risk ranging from solvency risk to transition risk. But risk labels have three serious downsides. Commoditization of risk is one.
When everything is a risk then nothing is a risk and risk check lists abound. When Boards are constantly prevailed upon to deal with a litany of risks like IT risk, reputation risk, litigation risk, or fraud risk, they lose their sensitivity to risk. Boards intuitively know that everything isn’t a red light issue. But they are subject to fear.
The commentary around hot-risk topics creates fear. It discourages the prudent risk taking that is at the very centre of innovation, change, and healthy growth. Peter L. Bernstein, the recently deceased guru of risk management[iii], emphasized that “Risk doesn’t mean danger. It simply means not knowing for certain what the future holds.” Events we encounter as we execute our plan could cause the outcome of our bet to be better than we expected, or worse.
“The secret of success lies not in avoiding risk but in managing risk; avoiding “bet-the-company” types of uncertainties, developing contingency plans for identified risks in the event they materialize, and closely monitoring progress in order to respond quickly if the “bet” is threatened.”[iv]
Risk labels misdirect our efforts at risk management. They focus on the back end of the problem rather than the front end. Reputation risk is a good example. While the label “reputation risk” seems logical, threats to reputation are not a risk. They are a secondary impact, activated only by a risk event or situation occurring somewhere else in the system.
Yes, preparation to manage a possible threat to reputation is important. The makers of Tylenol, Maple Leaf Foods, and David Letterman, demonstrated that good management can minimize their impact. But it’s more prudent, and far less costly, to avoid the risk situations or events that could cause threats to reputation in the first place.
Consider a case of tainted meat. Listeria bacteria consumed in processed meat can cause illness or death―and threaten the meat processors reputation. The real culprit, the real risk to be managed, is the possibility of bacteria collecting in the processing equipment.
Start at the Front End
Bernstein zeroed-in on the critical starting point for risk management. Risk does not come into play until, “...we place a bet on an outcome that will result from a decision we have made.” In deciding to make our bet, we initiate a process to achieve that outcome. We can’t be certain about our success because, the activities we use to arrive at our decisions and execute our plans are imperfect.
Frank H Knight, the originator of the concept of risk as uncertainty,[v] first catalogued those imperfections.
1. We can’t accurately judge the totality of our present situation
2. We can’t assess how the future will unfold with any degree of dependability
3. We can’t accurately predict the consequences of our own actions
4. We rarely execute our plan in the precise form in which it was made
5. We can’t accurately know or predict the actions of others who could impact our plan.
To that list we add an observation from recent research by Kahneman & Tversky described in their publication, “Prospect Theory”[vi].
6. We can’t be sure that we will recognize, or take advantage of the upside opportunities that will occur as we execute our plan because we are hard-wired to be more concerned about imagined loss than potential gain.
The Risks are Few
For those engaged in risk management the fundamental downside risks are few, not many. They are generic. They apply to all bets.
1. Failure to be detailed and disciplined in the examination of the cause and affect relationships that form our current reality and trigger our decision to proceed. When we understand our current reality at its most fundamental level, our options for future action are also clarified. Some of those cause and effect relationships are specific to our business. Many are generic, common to business in general.
2. Failure to create a detailed execution plan that includes the inevitable downside risks and upside opportunities, to guide our decision-making.
3. Sloppy execution of the plan by individuals who are unfamiliar with its details or uncommitted to its objectives.
4. Failure to monitor progress against plan. “Don’t expect what you don’t inspect.”
5. Failure to act quickly when the objective is threatened.
To Bernstein, “The essence of risk management lies in maximizing the areas where we have some control over the outcome, while minimizing the areas where we have absolutely no control over the outcome, and the linkage between effect and the cause is hidden from us.”
The Board’s Bets
Boards make the most critical bets of all. They bet on a CEO, bet on a strategic plan, bet on a management team, bet on an executive compensation scheme, bet on a group of board colleagues, and bet on a set of financial statements.
Boards don’t develop plans–or execute them. That’s the CEO’s job. But when Directors approve the CEO’s plans, they place a bet. They accept a risk that prudence demands must be managed.
Increasingly Directors are expected to be more knowledgeable and more circumspect in managing their bets. That implies gathering information to demonstrate whether:
· The management team is committed to the project has taken a disciplined and detailed look at the current reality surrounding its proposal, and has developed a reasonable approach to strategic deployment?
· The execution strategy and plans consider upside opportunities as well as the downside risks and have the capacity to respond to both.
· The execution team is familiar with the plan and committed to its objectives.
· Progress against plan will be monitored and the Board will be kept in the loop? “Don’t expect what you don’t inspect.”
· If the project goes off the rails, management will respond appropriately?
In an earlier article in this Journal (Learning from the crisis: How the Board’s role in strategy fulfills a risk management responsibility, Goldie, Smith, and Stephenson, Director, 2009), we referred to a three step process for engaging Directors and the Board. The three steps, Educate, Engage, and Refresh, provide the Board with a vehicle to gather the required information and remain informed of both progress and problems. It provides Boards with a means to manage their bets.
Summary
The talk about risk has raised its profile and made the general public aware of its importance. But focusing on the hot-label risks is the antithesis of effective risk management.
Labels commoditize risk, misdirect our risk management attention, and most crucially, through fear, blind us to upside opportunities which are an integral part of risk.
Placing prudent bets on the future and managing them diligently is a precursor to any accomplishment. It is ultimately the measure of your board’s success as a steward.
[i] Conference Board Report, R1398-07-WG, Emerging Governance Problems in Enterprise Risk Management, uses the following definition for risk taken from COSO, “The possibility that an event will occur and adversely affect the achievement of objectives.” I find this definition too narrow and I believe that Peter Bernstein would have agreed since it did not consider upside opportunity.
[ii] Taleb, Nassim Nicholas (2007). The Black Swan: The Impact of the Highly Improbable. New York: Random House
[iii] Peter L Bernstein, Against the Gods, John Wiley and Sons, Inc. 1996
[iv] Senior executive
[v] Frank H. Knight, Risk, uncertainty and Profit, Hart, Schaffner and Marx; Houghton Mifflin Co., 1921
[vi] Kahneman, Daniel and Amos Tversky, 1979, “Prospect Theory: An Analysis of Decision Under Risk.” Econometrica, vol. 47, No. 2, pp 263-291
Wednesday, April 1, 2009
Your Board Can Make Time For Risk Management
Authors note. The ideas in this article parallel the ideas presented in, “How the Boards Role in Strategy fulfills a Risk Management Responsibility,” featured in the April, 2009 edition of Director magazine, written by Hugh Goldie of the Exchange Group, Ken Smith of SECOR Consulting, and Peter Stephenson of Meridian Consulting.
________________________________________
Risk is a hot topic for boards and they are being challenged to make the time to become more involved in risk management. This article illustrates how boards can make the time.
Risk is like the “elephant” in the Indian legend, The Blind Men and the Elephant. The six men experienced the elephant as something small, like a snake, a spear, or a rope. They didn’t experience the big picture; the whole elephant. They were like those in the financial services marketplace who were aware of the bubble in their own corner, but failed to see the industry-wide risk contagion.
What does the “Risk Elephant” look like?
________________________________________
Risk is a hot topic for boards and they are being challenged to make the time to become more involved in risk management. This article illustrates how boards can make the time.
Risk is like the “elephant” in the Indian legend, The Blind Men and the Elephant. The six men experienced the elephant as something small, like a snake, a spear, or a rope. They didn’t experience the big picture; the whole elephant. They were like those in the financial services marketplace who were aware of the bubble in their own corner, but failed to see the industry-wide risk contagion.
What does the “Risk Elephant” look like?
It's bigger than we typically think. Frank Knight, (1) a University of Chicago Professor, identified two distinct types of risk. We are most familiar with “Measurable risk.” It’s the type we manage when we buy car insurance. Insurance companies measure past car accidents and use probability theory to create models that predict the likelihood that we, and the others in their insurance pool, will have an accident in the future.
The risk models used by the failed banks in the financial services market place, failed to manage this type of risk.
The risk models used by the failed banks in the financial services market place, failed to manage this type of risk.
Boards Work with Uncertainty
Boards tend to work with the second type of risk characterized by Knight as “uncertainty risk.” Probability theory has little relevance in managing uncertainty risk because we have nothing to measure. For example, if we decide to invest $50 Million in developing a new product we’re unlikely to have a large data bank on which to build a probability model to predict our success. We do know that events or situations will occur, created by the economy or our competitors, that could help or hinder our success. We can’t be sure of how or when they will appear. And we can’t be sure of how it will affect us. That doesn’t mean we can’t manage uncertainty risk and prepare for its possible outcomes.
Boards tend to work with the second type of risk characterized by Knight as “uncertainty risk.” Probability theory has little relevance in managing uncertainty risk because we have nothing to measure. For example, if we decide to invest $50 Million in developing a new product we’re unlikely to have a large data bank on which to build a probability model to predict our success. We do know that events or situations will occur, created by the economy or our competitors, that could help or hinder our success. We can’t be sure of how or when they will appear. And we can’t be sure of how it will affect us. That doesn’t mean we can’t manage uncertainty risk and prepare for its possible outcomes.
Lighting the Road
We manage uncertainty risk in order to light the road we follow in executing our plans. Managing uncertainty shines a spotlight on the dark corners and rough turns we may encounter so we can attempt to avoid them or minimize their affects (downside risks). It sets up beacons that can help us find the smoother stretches that could hasten and expand our our success (upside opportunities).
We manage uncertainty risk in order to light the road we follow in executing our plans. Managing uncertainty shines a spotlight on the dark corners and rough turns we may encounter so we can attempt to avoid them or minimize their affects (downside risks). It sets up beacons that can help us find the smoother stretches that could hasten and expand our our success (upside opportunities).
Brains not Computers
Managing uncertainty is a forward-looking, intuitive process done by a human brain (not a computer) on the basis of its knowledge, imagination, capacity for solving complex problems, tolerance for ambiguity, ability to see the bigger picture, and ability to learn from previous experience. Managing uncertainty risk requires us to think objectively and with an open-mind in order to see possible trends, patterns, and relationships presented by the data which may not be readily apparent in any documentation.
These are the attributes of skilled directors. They are the reason why a skilled, experienced, and balanced, board is so important. They are the reason why, for boards, risk management is a legitimate task.
The Challenge.
Managing uncertainty is a forward-looking, intuitive process done by a human brain (not a computer) on the basis of its knowledge, imagination, capacity for solving complex problems, tolerance for ambiguity, ability to see the bigger picture, and ability to learn from previous experience. Managing uncertainty risk requires us to think objectively and with an open-mind in order to see possible trends, patterns, and relationships presented by the data which may not be readily apparent in any documentation.
These are the attributes of skilled directors. They are the reason why a skilled, experienced, and balanced, board is so important. They are the reason why, for boards, risk management is a legitimate task.
The Challenge.
Skill is only one factor in the governance equation. Time is another. Ten years ago time was not an issue for directors. With today’s increasing demands from shareholders, regulators, and their own workplaces, directors are hesitant to add to their workload.
The Question.
The Question.
How can your board make better use of director time to engage in managing uncertainty risk?
The Answer.
The Answer.
Make management of uncertainty risk the explicit method for executing your board’s responsibilities. Doing so will formalize an approach which many boards are already using by default. Channel your board’s agenda, the mindset of directors, and the understanding of the CEO, into a formal approach for managing uncertainty risk. You will build on existing director skills, clarify the relationship between the Board and CEO, and create better governance as a result.
Three steps are required.
1. Build uncertainty risk management into existing board activities and processes.
2. Better use available director time by adding additional resources to gather data, and to analyse and prepare risk assessments.
3. Ensure directors have the skills and experience required to work in this new reality of managing uncertainty risk.
Build Uncertainty Risk Management into Existing Board Activities.
Three steps are required.
1. Build uncertainty risk management into existing board activities and processes.
2. Better use available director time by adding additional resources to gather data, and to analyse and prepare risk assessments.
3. Ensure directors have the skills and experience required to work in this new reality of managing uncertainty risk.
Build Uncertainty Risk Management into Existing Board Activities.
Your board likely uses some or all of the processes necessary to manage uncertainty risk. They are strategic planning, CEO oversight, management succession, board development, and the audit of management’s regulatory submissions.
1. Create a formal map for each process including expected outcomes. (You likely have the map for audit review and use it every year)
2. Define each process step in terms of the calendar timing, expected outcomes, and task responsibilities for both the board and the management team.
3. Create a “process introduction” for use just prior to the start of activities for the year. This will put both the board and management on the same page as the process begins.
Identify the Data Required and the Means for Analysis.
1. Create a formal map for each process including expected outcomes. (You likely have the map for audit review and use it every year)
2. Define each process step in terms of the calendar timing, expected outcomes, and task responsibilities for both the board and the management team.
3. Create a “process introduction” for use just prior to the start of activities for the year. This will put both the board and management on the same page as the process begins.
Identify the Data Required and the Means for Analysis.
Most boards rely on data provided by the CEO. They are reluctant to bypass the CEO or to incur the additional cost to engage outside sources. Effective management of uncertainty requires access to a broader understanding of the issues; including industry issues, and a need for independent perspectives beyond those of the CEO and management. Boards need assistance in gathering and assessing this broader spectrum of data.
1. Define the data required in each process for the boards understanding of the issues, the source(s) of the data, and resources required for analysis prior to use by the board. Sources could include the CEO, the Internal Auditor and external experts.
2. Establish the time and means for presenting data to the board for its understanding and assessment. This includes the typical board package and presentations by the CEO, but may also include outsider presentations or individual interviews with directors outside of board meetings. The usual board meeting routine may change.
3. Establish the criteria and means by which the board will accomplish its evaluation of each issue.
Acquire Directors Whose Skills and Experience Reflect the New Reality
The Institute of Corporate Directors (Canada), the National Association of Corporate Directors, (USA), the Institute of Directors, (Britain) the Institute Company Directors, (Australia) and the Institute of Directors in New Zealand Inc. have adopted “Director Competencies.” This document specifies sixteen desired competencies and the board tasks to which they relate. They match the needs for risk management. We recommend Director Competencies as a guide for director recruitment.
Risk is a hot topic for boards.
Increased board involvement in managing uncertainty risk is a legitimate challenge for boards. Your board can respond positively by adopting uncertainty risk management as the explicit means by which it executes its responsibilities. Better governance will result.
________________________________________
Hugh Goldie is a Director, and Past Chair of the Manitoba Chapter of the Institute of Corporate Directors. His recent book is titled, Confidence at the Board Table; How Directors Manage Risk and Deliver Superior Governance. Hugh is an Associate of the Exchange Group and can be reached at hugh.goldie@exg.ca.
(1)Frank H. Knight. (1885 -1972) Professor of Economics, University of Chicago. First book published in 1921, Risk, uncertainty and profit. He was responsible for injecting reality into risk management.
1. Define the data required in each process for the boards understanding of the issues, the source(s) of the data, and resources required for analysis prior to use by the board. Sources could include the CEO, the Internal Auditor and external experts.
2. Establish the time and means for presenting data to the board for its understanding and assessment. This includes the typical board package and presentations by the CEO, but may also include outsider presentations or individual interviews with directors outside of board meetings. The usual board meeting routine may change.
3. Establish the criteria and means by which the board will accomplish its evaluation of each issue.
Acquire Directors Whose Skills and Experience Reflect the New Reality
The Institute of Corporate Directors (Canada), the National Association of Corporate Directors, (USA), the Institute of Directors, (Britain) the Institute Company Directors, (Australia) and the Institute of Directors in New Zealand Inc. have adopted “Director Competencies.” This document specifies sixteen desired competencies and the board tasks to which they relate. They match the needs for risk management. We recommend Director Competencies as a guide for director recruitment.
Risk is a hot topic for boards.
Increased board involvement in managing uncertainty risk is a legitimate challenge for boards. Your board can respond positively by adopting uncertainty risk management as the explicit means by which it executes its responsibilities. Better governance will result.
________________________________________
Hugh Goldie is a Director, and Past Chair of the Manitoba Chapter of the Institute of Corporate Directors. His recent book is titled, Confidence at the Board Table; How Directors Manage Risk and Deliver Superior Governance. Hugh is an Associate of the Exchange Group and can be reached at hugh.goldie@exg.ca.
(1)Frank H. Knight. (1885 -1972) Professor of Economics, University of Chicago. First book published in 1921, Risk, uncertainty and profit. He was responsible for injecting reality into risk management.
Saturday, October 4, 2008
What Directors Should Know About ... Managing Risk
Do bankers know how to manage risk? Did the boards of Lehman Brothers or AIG recognize that a financial crisis was impending? Did they ensure their companies were strong and could preserve shareholder’s equity when the crisis occurred? If that’s the objective against which you judge their risk management performance, then the answer for them, and those that failed with them, must be no.
Boards manage risk. It’s their only job. The measures used to judge their performance are the strength of the company and the value of their stock. So what happened? Part of the reason for failure was their approach to managing risk.
Computers don’t manage risk—People manage risk
Banks rely on computers to “manage risk.” So do many others. But computers can only use an algorithm to massage data, compare the results to a benchmark, and report whether the data deviates from the benchmark. When the characteristics of the situation extend beyond the assumptions of the algorithm, then the data is worthless and worse, misleading. You experienced the result. Computer programs don’t manage risk. Humans manage risk.
Managing risk is a forward-looking, intuitive process done by a human brain on the basis of its knowledge, imagination, capacity for solving complex problems, tolerance for ambiguity, ability to see ourselves in the world around us, paranoia, and previous experience. And the deeper the paranoia, and more painful the experience, the better. Managing risk takes place against a set of objectives. It looks in all directions. It takes time. It becomes suspicious when, “everyone is doing it,” or “it looks too good to be true.” It isn’t loyal to old friends for loyalty sake. It’s best done in a group where the experience is diverse (but relevant) and where the members can freely discuss their views, and challenge the views of each other. Some call this kind of group a Board of Directors.
The directors of Enron failed in their duty to shareholders. Kurt Eichenwald’s book, Conspiracy of Fools: A True Story, told the tale. The stories of what happened at Bear Sterns, AIG, Fanny Mae, Freddie Mac, and Washington Mutual have yet to be written. Will those stories reveal that their directors failed as well?
Let’s stop right there. It’s not my intent to criticize. I don’t know that the boards of Enron, Lehman Brothers, or AIG were the fat cats and uncaring people that some have portrayed them to be. I doubt they were. What I do know is that the expectations placed on directors changed dramatically with the demise of Enron and the introduction of Sarbanes-Oxley. And the challenge for boards ever since has been to find a means to effectively meet those expectations.
How can they do that?
They can start by recognizing that boards are risk mangers, and that risk management is their only job.
1. Risk management is an organized process in which Directors (not computers) routinely examine major risks critical to the business. Those risks are simple and straight forward. Moreover, most everyone knows them. The just don’t take the time to execute them well; the risk in the CEO and the CEO’s management of the business, the risk in the strategic plan at time of formulation and execution, the risk in the senior management team, the risk in the composition of the board, and the risk in the creation and presentation of financial information. Boards are the last stop in the risk management process, the endpoint in the company’s Enterprise Risk Management program.
2. Make risk management a proactive process in which Directors, like smoke detectors, are always sampling the air and checking for bad smells. They never go off the air. They are always listening, watching, and analyzing the results for events or situations of that could stop or deter their company from reaching its objectives. That’s the definition of risk, “An event or situation of that could stop or deter the company from reaching its objectives.”
3. Engage the company’s internal auditor to be the board’s eyes, ears, (and nose,) reporting directly to the board; operating with the board’s direction. The job is simply too big for ten, drop-in-directors, to do the investigation themselves.
4. Change the relationship between the Board, the internal Auditor, and the CEO. The preservation of the corporation and shareholder’s equity requires a team effort. There is no room for egos or petty jealousies.
Boards manage risk. It’s their only job. The measures used to judge their performance are the strength of the company and the value of their stock. So what happened? Part of the reason for failure was their approach to managing risk.
Computers don’t manage risk—People manage risk
Banks rely on computers to “manage risk.” So do many others. But computers can only use an algorithm to massage data, compare the results to a benchmark, and report whether the data deviates from the benchmark. When the characteristics of the situation extend beyond the assumptions of the algorithm, then the data is worthless and worse, misleading. You experienced the result. Computer programs don’t manage risk. Humans manage risk.
Managing risk is a forward-looking, intuitive process done by a human brain on the basis of its knowledge, imagination, capacity for solving complex problems, tolerance for ambiguity, ability to see ourselves in the world around us, paranoia, and previous experience. And the deeper the paranoia, and more painful the experience, the better. Managing risk takes place against a set of objectives. It looks in all directions. It takes time. It becomes suspicious when, “everyone is doing it,” or “it looks too good to be true.” It isn’t loyal to old friends for loyalty sake. It’s best done in a group where the experience is diverse (but relevant) and where the members can freely discuss their views, and challenge the views of each other. Some call this kind of group a Board of Directors.
The directors of Enron failed in their duty to shareholders. Kurt Eichenwald’s book, Conspiracy of Fools: A True Story, told the tale. The stories of what happened at Bear Sterns, AIG, Fanny Mae, Freddie Mac, and Washington Mutual have yet to be written. Will those stories reveal that their directors failed as well?
Let’s stop right there. It’s not my intent to criticize. I don’t know that the boards of Enron, Lehman Brothers, or AIG were the fat cats and uncaring people that some have portrayed them to be. I doubt they were. What I do know is that the expectations placed on directors changed dramatically with the demise of Enron and the introduction of Sarbanes-Oxley. And the challenge for boards ever since has been to find a means to effectively meet those expectations.
How can they do that?
They can start by recognizing that boards are risk mangers, and that risk management is their only job.
1. Risk management is an organized process in which Directors (not computers) routinely examine major risks critical to the business. Those risks are simple and straight forward. Moreover, most everyone knows them. The just don’t take the time to execute them well; the risk in the CEO and the CEO’s management of the business, the risk in the strategic plan at time of formulation and execution, the risk in the senior management team, the risk in the composition of the board, and the risk in the creation and presentation of financial information. Boards are the last stop in the risk management process, the endpoint in the company’s Enterprise Risk Management program.
2. Make risk management a proactive process in which Directors, like smoke detectors, are always sampling the air and checking for bad smells. They never go off the air. They are always listening, watching, and analyzing the results for events or situations of that could stop or deter their company from reaching its objectives. That’s the definition of risk, “An event or situation of that could stop or deter the company from reaching its objectives.”
3. Engage the company’s internal auditor to be the board’s eyes, ears, (and nose,) reporting directly to the board; operating with the board’s direction. The job is simply too big for ten, drop-in-directors, to do the investigation themselves.
4. Change the relationship between the Board, the internal Auditor, and the CEO. The preservation of the corporation and shareholder’s equity requires a team effort. There is no room for egos or petty jealousies.
Thursday, September 18, 2008
What Should I know about CEO Evaluation
Background
CEO evaluation is not an end in itself. It is a major step in managing leadership risk, and building and maintaining excellent leadership that propels the organization into the top 20 percent.
Stephen R. Covey said, "I am personally convinced that one person can be a change catalyst, a transformer in any situation, and organization. Such an individual is yeast that can leaven an entire loaf. It requires vision, initiative, patience, respect, persistence, courage, and faith to be a transforming leader.
Leaders, whether we call them CEOs or Executive Directors, are the catalyst of any organization’s performance, whether significant change is required or not. They are the catalyst for the vision that ignites the enthusiasm of employees, clients, funders and other stakeholders. They are the pathfinders that guide the accomplishment of the vision. They are the pillars that provide resilience when the going gets tough.
For owners, the presence of strong leadership is the most convincing measure of the Board’s capacity to act on their behalf.
The challenge for Directors
Directors manage risk
The most significant challenge for any Board is to ensure that the organization’s leader is the right catalyst, the right pathfinder, and the right pillar for the time and the situation. A significant part of the challenge is finding internal candidates who fit or can grow into the profile. The Board manages leadership risk and ensures the right leadership is in place?
How Directors manage the risk
For more on this topic go to my website
CEO evaluation is not an end in itself. It is a major step in managing leadership risk, and building and maintaining excellent leadership that propels the organization into the top 20 percent.
Stephen R. Covey said, "I am personally convinced that one person can be a change catalyst, a transformer in any situation, and organization. Such an individual is yeast that can leaven an entire loaf. It requires vision, initiative, patience, respect, persistence, courage, and faith to be a transforming leader.
Leaders, whether we call them CEOs or Executive Directors, are the catalyst of any organization’s performance, whether significant change is required or not. They are the catalyst for the vision that ignites the enthusiasm of employees, clients, funders and other stakeholders. They are the pathfinders that guide the accomplishment of the vision. They are the pillars that provide resilience when the going gets tough.
For owners, the presence of strong leadership is the most convincing measure of the Board’s capacity to act on their behalf.
The challenge for Directors
Directors manage risk
The most significant challenge for any Board is to ensure that the organization’s leader is the right catalyst, the right pathfinder, and the right pillar for the time and the situation. A significant part of the challenge is finding internal candidates who fit or can grow into the profile. The Board manages leadership risk and ensures the right leadership is in place?
How Directors manage the risk
For more on this topic go to my website
Wednesday, September 10, 2008
Drop-In Directors
Being a Director is like buying a house—and not being allowed to go inside to look around. Would you buy a house if the only way you could see what was inside was to look through the windows? That’s, in a sense, what every Director is required to do.
Directors aren’t around day-to-day, unlike the CEO and senior management. They can’t observe events as they unfold. Instead, they “drop in” to attend six to eight Board meetings a year that last from two to ten hours, and they review information prepared by the CEO.
How can Directors fulfill their responsibilities for monitoring and supervising the CEO? How can you be held accountable for the reputation and financial well-being of the enterprise you serve when you’re only an outsider looking in? What windows do you look through to gather and assess the information you need to “buy the right house”? That’s the challenge faced by all Directors, from non- profits to major corporations.
How can Directors fulfill their responsibilities for monitoring and supervising the CEO? How can you be held accountable for the reputation and financial well-being of the enterprise you serve when you’re only an outsider looking in? What windows do you look through to gather and assess the information you need to “buy the right house”? That’s the challenge faced by all Directors, from non- profits to major corporations.
To bridge the time and knowledge gap, effective Boards rely on their capabilities as risk managers. They specify the information they want to see through ten risk windows that give the Board an almost compete view of the inside of the house. By examining the CEO’s management through each risk window, the Board can monitor and supervise the CEO, contribute to the CEO’s decisions, and fulfill its mandate of preserving the reputation and financial well-being of the enterprise.
Risk management is a key skill for Directors. Fortunately, it’s a skill at which you’re probably already proficient. You’ve been identifying and managing risk for most of your life. With experience you’ve learned to apply it to complex situations like buying a house, considering a promotion, or making an investment. You assess the risk, weigh your options, and consider the consequences. With each decision, you become more skilled and confident in your ability.
For more information on the risk windows and how to use them, visit our website at www.GovernanceTools.com.
Wednesday, August 27, 2008
Confidence at the Board Table
The value others see in us as Directors is what we contribute to the combined wisdom of the board, and to the success of our organization. It takes confidence to be a contributor.
You may have reached this site looking for information that would help you contribute, with confidence, at your next board meeting. Were you looking for Strategic planning? Board evaluation? There are lots of websites that talk about how to create a strategic plan, or the importance of board evaluation. Good for you for working to be prepared.
But is the confidence you are looking for, built from knowing the mechanics of strategic planning or board evaluation? Will knowing how to prepare a plan, help you with the questions you will have to answer when the board is asked to approve the plan?
Do you believe this plan is the best for our organization? Do you believe this plan can be successfully executed? Do you believe that risks in this plan are acceptable? Will you vote “yes”?
While knowing how to prepare a plan is valuable, Directors are concerned first about risk, not mechanics.
1. Boards manage the risk in management’s proposal and actions
2. Directors contribute by bringing their experience with risk situations to the board’s discussion.
3. Your value to the board discussion is your ability to identify and manage risk.
Risk management is a Director’s fundamental skill. Knowing risk management is the foundation for director confidence. When you see yourself first as a risk manager, then the rest of your role as a Director becomes obvious and makes sense. It’s the dividing line between the role of the Directors and the role of the CEO.
This site will help you build your skills as a risk manager and build your confidence at your board table. It’s designed around specific topics such as strategic planning or board evaluation.
Subscribe to:
Posts (Atom)
