
Board members talk about risk

Two recent pieces share the thoughts of board members and advisors.

McKinsey had a podcast and published an edited transcript in The role of the board in preparing for extraordinary risk. It makes the point that “Risks that threaten a company’s existence require unique interventions from the board”.

A senior McKinsey advisor, Celia Huber, reported:

We run an annual global board survey of approximately 1,500 corporate directors, and we found that directors are not pleased with their performance on risk management. In fact, only 7 percent of the respondents believe that over the past year their boards were “most effective”—the highest rating—at risk management, and only 40 percent say their organizations are prepared for the next large crisis.

A McKinsey consultant answered the question of where boards should focus their attention.

It’s the high-consequence, low-likelihood events, such as the pandemic, that can cause long-term economic impact, significant reputational damage, and leadership changes. But you also want to consider the certainty of that impact. This is not about looking for “black swans” but identifying events that would have significant ramifications for the core of your organization and value proposition. If you provide cybersecurity, for example, a cyberattack will be a core piece of that value proposition. Identifying those predictable surprises is where boards should focus their energy and time.

This is followed by the statement that:

A goal for corporate boards is to ensure management identifies and addresses predictable surprises that could affect the whole company.

That statement is consistent with the focus I have been recommending to understand how a risk or opportunity might affect the achievement of enterprise objectives.

The board member in the conversation makes a very important point:

It is tempting to look at risks individually, but there are benefits to considering scenarios where multiple risks hit at the same time. That’s what COVID represented: we had a health crisis, a financial crisis, and a social crisis. Companies that take on significant financial risk, with high leverage, should consider the operational risk. During the pandemic, retailers with high leverage whose stores suddenly closed faced bankruptcy because of a combination of risks rather than individual risks.

Too many not only manage risk rather than the business, but err even more by managing individual risks in silos rather than considering, together, all the things that might happen.

Predictably, the podcast is only talking about the bad things that might happen. But good things can happen and need to happen if the organization is to succeed.

I recently recorded a short message for the Institute of Risk Management in India (where I am on the advisory board). In it I talked about the need for practitioners to help decision-makers not only understand each source of risk and opportunity, the things that might happen, but weigh them together. Only then can an informed and intelligent decision be made.

A second piece was published in Forbes, Cybersecurity And The Role Of The Board, written by Betsy Atkins, a board member at Wynn Resorts and elsewhere.

Her focus is on cyber, following a presentation to her board by one of the audit firms.

She posits questions for a board in response to new regulations that are coming from the SEC.

  • Does the board have a cyber expert? What are their credentials and how was their expertise determined?
  • How does the Board execute its oversight of cyber-risks?
  • Does the company consider cybersecurity risks in its business strategy, financial planning, and capital allocation processes?
  • Do you have a Chief Information Security Officer? Where does that person report? What are their credentials?

She doesn’t answer any of these questions, or the other questions that she suggests may be inferred from the proposed regulations.

But they are good questions for discussion by the senior management of the organization, replacing “the board” with “the senior management team”. Then the CEO can facilitate a discussion by the board.

I remain strongly of the opinion that the board should look to the CEO (with support from the CIO, CFO, COO, and others) for risk and cyber understanding.

If the CEO cannot explain how risks (and opportunities) are considered in strategy and objective-setting and then in daily operational and strategic decisions, there is a problem.

If the CEO cannot explain whether and why the organization has adequate cyber measures in place, there is a problem.

The role of the board is NOT to be the expert. It is to ensure that management has the expertise it needs to run the business effectively to achieve the objectives and longer-term purpose of the organization.

Practitioners can help:

  • Enterprise risk practitioners can help decision-makers have, understand, and weigh the information they need about what might happen so they can consider their options and act where appropriate.
  • InfoSec practitioners can work with business management to understand how a breach might affect the business and its success (the achievement of enterprise objectives), assess whether that level of risk is acceptable, and then work with others (such as enterprise or compliance risk practitioners) to ensure it is one of the risk and other factors considered in decision-making.
  • Audit practitioners can make sure all of the above is happening. If not, they can not only report the risk that this presents but stimulate action. Where needed, they can facilitate discussions among the various groups, serving as translators between technobabble and business language. (They can also perform, or make sure others perform, the white-hat penetration testing recommended by Betsy Atkins.)

I welcome your thoughts.

March 29, 2022 at 8:44 AM