Corporate boards are taking their oversight mandate more seriously; that’s why they need ERM.
Today’s corporate boards need to fully understand the risks a company faces as well as their relevance to its strategy and risk appetite. That’s been the case since 2009 when the SEC started requiring disclosure of a board’s role in risk oversight, including the qualifications of its members and a description of how the board administers its oversight function.
- The risks revealed by COVID-19 make this a good time to probe how enterprise risk managers fit into this picture.
ERM’s role. ERM can help the board fulfill its mandate and gain satisfaction that the right risks are being addressed. That was among the takeaways from a discussion led by Dr. Paul Walker, executive director of the Center for Excellence in ERM at St. John’s University. It is the ERM function that can collate all the risks of the company and drill down to the most important ones.
- Dr. Walker added that practitioners can provide the satisfaction the board is looking for by benchmarking with peers and uncovering possible risks through conversations and other interactions with company managers. This risk discovery process helps ERM to map the connected risks of the company. Dr. Walker said ERMs should take those connected risks and “boil them down to a story.” It’s more art than science, he admitted, but it can be done.
Ultimately, Dr. Walker said, these efforts will further arm ERM with the right answer when the board eventually asks: “How do we know we’re looking at the right set of risks?”
Here are some of Dr. Walker’s recommendations for engaging with the board:
- Know the laws. Corporations have a growing list of requirements on risk and governance best practices. This is a chance to show your risk expertise.
- Don’t go overboard. Some ERMs can give too much information or create big presentations; boards and presenters can end up in the weeds. The truth of the matter is, ERM will probably get 15 minutes in front of the board or even a subcommittee (i.e., risk committee), so make it concise.
- Whisper campaign. With that brief amount of face time, try sharing any other risk concerns with colleagues. If those colleagues are going to report to the board, whether they be audit or other compliance functions, “whispering” the issues to them can help. “Maybe they’ll mention it to the board in their report,” Dr. Walker said.
- Know your audience. Dr. Walker said getting to know the board, what they read, what they want or expect, can be especially useful. Who likes data? Who likes reports? Who likes visuals? This will require a bit of sleuthing on the part of ERM.
- Ahead of the curve. More gumshoeing here: Stay ahead of the board’s expectations and questions.
In the end, Dr. Walker said, “Don’t give vanilla if they want chocolate chip cookie dough.”