By: Richard Leblanc
I recently spoke to directors and officers about oversight of risk management by Boards of Directors. I prepared a list of 25 reasons that risk management failure happens, based on my experience assisting Boards, including Boards that have failed and Boards that cannot afford to fail. Almost all of what follows below is based on real examples. I have never encountered a risk management failure where the Board was not at fault, based on what the Board said or did or failed to say or do.
Here are 25 reasons for risk management failure:
1. Lack of enterprise risk management expertise on the Board.
2. Governance gaps over material risks within the Board or across committees.
3. Directors who are incapable of identifying and fully understanding the risks, or worse yet, don’t want to understand. Committees show no interest when they should be shocked.
4. Internal oversight functions reporting to management instead of the Board. A complacent Board does not correct this.
5. Directors do not insist on a real-time line of sight over material risks and their mitigation/treatment.
6. Not upgrading information systems to track, monitor and integrate risks.
7. Lack of oversight of the process by which management identifies, assesses and acts on the risks.
8. Lack of conversations, common vocabulary and prioritization of the risks.
9. Lack of internal audit, or not listening to internal audit.
10. Internal controls that are weak, nonexistent or capable of management override.
11. Not addressing the interaction of risks, their speed and exogenous shocks in modeling and scenario planning.
12. Not considering the impact on reputation, which can be greater than the primary impact considered.
13. Immature controls over nonfinancial material risks, especially safety, operations, reputation, terrorism, bribery and technology.
14. Risk appetite frameworks that do not result in known thresholds, beyond which senior management and, when necessary, the Board are notified.
15. Lack of independent, coordinated assurance of internal controls provided directly to the Board.
16. Risk culture is defective (toxicity, bullying, risk-taking behaviors) and not remedied.
17. Whistle-blowing is defective (not anonymous, no independent channel, no proper investigation).
18. Risk is not based on the strategy, business model and key performance indicators.
19. Key performance indicators, pay incentives and the vesting of equity are not risk-adjusted.
20. The Board or committee cannot direct a third-party review of risk governance, a specific risk or a set of controls.
21. Failure to anticipate and integrate risks. Pockets of acute, unknown catastrophic risk. (This item combines items 13 and 6.)
22. Enterprise risk management is not really implemented, but everyone thinks it is. False sense of reality.
23. Tone at the top tolerates exceptions, complacency and unequal treatment. Limited downside for excessive or imprudent risk-taking. Encouragement of, enabling of, or dependence upon high-performing risk-takers.
24. No sense of urgency to remedy the foregoing.
25. The Board does not know how bad it is.
The author thanks an anonymous senior risk executive for review of the foregoing items.
Professor Richard Leblanc is one of Canada’s leading experts on corporate governance and accountability. He is an award-winning teacher and researcher, lawyer, public speaker, consultant, and specialist on boards of directors. He has taught at leading universities including Harvard University. He is a former recipient of Canada’s Top 40 Under 40™ award; received a teaching award as one of the top five university teachers in Ontario; and was named to Canadian Who’s Who.
Dr. Leblanc brings to business and professional audiences a depth of information from his extensive research and work with over 150 organizations; and training, assessment and development of over 1,000 directors and managers. He is engaging, dynamic and personable. Because of his work with leading companies and current research, Richard is always on the cutting edge of emerging global developments.
Dr. Leblanc possesses an extensive and diversified professional network. He is the founder of the LinkedIn Group “Boards and Advisors,” with over 14,000 members globally, which is the largest and most active online corporate governance group. His work, directly or indirectly, has impacted companies throughout the world, including those that have used Richard’s methodology to strengthen their governance effectiveness and accountability practices.
Dr. Leblanc possesses a Bachelor of Science degree, an MBA, Canadian and American law degrees, a Masters in Law, and a PhD focusing on corporate governance.
Published by Conselium Executive Search, the global leader in compliance search.