The New Risk Paradigm for Corporate Governance

Effective risk management oversight by boards of directors — accompanied by risk-centric culture and governance — is the best defense against earnings surprises, reputational and legal problems, and financial ruin. Here are seven essential questions every board must consider.

January 3, 2011 by Leo M. Tilman and David Martin

Failure to manage risk is a root cause of shareholder value destruction across industries and over time. Nowhere is this more evident than in the financial industry, where the recent crisis has persuasively shown the perils of pursuing growth and earnings without a proper understanding of risk. In discussions with board members about what went wrong at companies that failed, or came to the brink of ruin, one common theme stands out: the right questions were not asked at all levels of the organization. This, in turn, prevented appropriate remedial actions and threatened survival. The desire not to “let a good crisis go to waste” points to an urgent need for a new kind of corporate governance – one grounded in risk management.

Over recent decades, the business landscape has become increasingly globalized and rife with uncertainty, while companies and their products have grown progressively riskier and more complex, especially in finance. As a result, boards of directors have faced a daunting challenge. In order to fulfill their fiduciary duty to oversee risk and to weigh in on the life-and-death strategic decisions of executives, board members needed to synthesize vast amounts of information and “connect the dots” across macroeconomic and geopolitical factors, business strategy, corporate finance, and risk management. Many failed to do so – largely due to inadequate risk management expertise, lack of adequate support, and outdated tools. As a result, hidden risks were not uncovered, problems were not anticipated, and risk mitigation actions, if any, proved ineffective. Meanwhile, broken organizational and governance structures and the lack of a common risk language and culture exacerbated the problems.

In all fairness, in failing to understand risk, boards of directors were in good company – the same lack of knowledge, tools, and risk-based transparency plagued executives, investors, rating agencies, and regulators. However, the consequences of faulty risk governance at the board level were particularly severe: by flying blind, boards of directors allowed market forces to make choices for them, and the devastating results spoke for themselves.

Effective risk management oversight by boards of directors — accompanied by risk-centric culture and governance — is the best defense against earnings surprises, reputational and legal problems, and financial ruin. Lasting stakeholder value cannot be created without a fundamentally new approach to board-level risk management and corporate governance – as well as visionary leadership in bringing about the necessary change.

The new risk paradigm for corporate governance consists of two distinct aspects of risk management – strategic and organizational. The former embodies the appropriate ways of thinking about risk throughout the institution. The latter entails the creation of a risk-centric culture, mindset, and empowerment – along with the need to execute effectively on risk-related initiatives.

Strategic risk management by the board of directors entails an ongoing inquiry into the most fundamental aspects of an institution’s business model and balance sheet:

1. Do we fully understand our institution’s risk exposures?

First and foremost, every board of directors must ensure that all risks facing the institution have been properly identified and measured. This should start at the business unit level, where the management intimately familiar with the landscape should adopt an appropriate risk framework and establish an ongoing risk-based dialog with the board: the board should discuss current and emerging risks in detail and direct business units to establish risk limits and specific action triggers. As the next critical step, a holistic firm-wide view of risk – one that transcends individual business segments – must be established at the senior executive and board levels. The strategic role of each type of risk must be defined and contrasted with capital adequacy and availability, with a clear understanding of how each risk ought to be managed. In order to address today’s complexity and uncertainty, boards must also regularly devote time, beyond business-as-usual risks, to discussing the so-called unknown unknowns – events and risks that lie beyond the scope of traditional processes and systems.

The collapse of venerable financial firms during the 2007-2009 financial crisis serves as a powerful case in point. While Bear Stearns and Lehman Brothers were generating record earnings in 2004-2006, one is led to question whether their board meetings adequately focused on understanding their increasingly outsized exposures to mortgages and commercial real estate, respectively. In the same vein, as the American International Group was rapidly growing its Financial Products unit (and that unit’s contribution to overall earnings), one may wonder how rigorously board members questioned the rationale for insuring housing market losses – quite a departure from the firm’s historical risk profile. Following the bailout of AIG, the government trustees, not surprisingly, called for “a shakeup of the company’s board of directors,” in addition to a revamp of its compensation practices to discourage excessive risk taking.1

2. Are our risk exposures appropriate relative to earnings objectives, risk appetite, capital levels, and desire for long-term sustainability?

In addition to proper risk identification and measurement, strategic deliberations by the board must establish an explicit link between risk, earnings, and growth. To avoid earnings surprises and to ensure that a company does not respond to pressures through blind risk taking and leverage, the company’s risk appetite must be fully aligned with its earnings targets, and vice versa: the board must fully understand and approve the amount of risk required to achieve the stated earnings targets. In this regard, accounting earnings targets must be distinguished from desired economic performance, and short-term objectives balanced against long-term value creation.

According to recent analyses, total mortgage losses at Fannie Mae and Freddie Mac could cost taxpayers hundreds of billions of dollars, suggesting that the firms’ capital levels were vastly insufficient for the inherent balance sheet risk.2 It was the responsibility of their boards to ensure that the firms’ risk taking, their ability to fulfill their dual mission of promoting homeownership and supporting the mortgage market, their capital, and their risk mitigating activities were all aligned. Clearly, whatever was done has proven insufficient. And in an even more extreme example, such an alignment seems altogether unattainable if the cornerstone of a firm’s strategic vision entails “dancing while the music is playing,” as was the case with Citigroup’s Chuck Prince.3

3. Is our organization adequately dynamic from the viewpoint of risk management?

Lack of organizational dynamism – a company’s ability to detect crises and environmental changes, understand their potential impact, and react in a timely fashion – was one of the main characteristics of the companies that failed during the recent financial crisis. Boards of directors can and should play an important role in ensuring that a company is well prepared to withstand volatility, crises, disruptive technologies, and other changes in the competitive and market landscapes. An integrated risk management framework, early warning systems, and comprehensive contingency plans must be continually reviewed by the board of directors – and used in strategic discussions.

British Petroleum’s response to the recent environmental catastrophe stemming from the explosion of one of its deepwater wells is a good example of a lack of organizational dynamism – at least as far as crisis management is concerned. While such major disasters usually involve multiple control failures, the company would have had a better chance of responding effectively had the board of directors demanded – and periodically reviewed – the firm’s early warning systems, risk management dashboards, and formal contingency plans.4 On the other hand, accounts of how Goldman Sachs developed a negative view of the housing market and implemented a derivative hedge to protect the firm paint a picture of a highly dynamic organization as far as risk management is concerned.5

4. How do risk and uncertainty factor into our strategic decisions?

The recent financial crisis has revealed profound disconnects between executive decision making and risk management. Despite the dominant role of risk in the profitability of financial firms, some non-financial companies, and institutional investors, strategic decisions often remain focused largely on business and customer strategies, new product development, the pursuit of market share, and the enhancement of earnings profiles. In this regard, risk management has remained an afterthought, a policing function that checks on safety and soundness after strategic and investment decisions have already been made. As a remedy, the role of risk in an institution’s business model must be continually reevaluated by the board, thus making risk management an input into strategic decisions and governance. Continually asking fundamental questions in rigorous yet practical ways vastly improves the effectiveness of boards of directors, helping them fulfill their fiduciary responsibilities and steer their firms through the exceptionally difficult environment at hand.

Consider the deeply held belief of the CEO of Wachovia that “growing deposits is perhaps the most profitable thing that a retail and small business bank can do.” From this perspective, Wachovia’s merger with Golden West Financial may have looked like an attractive opportunity consistent with the firm’s strategic vision. Questioning Wachovia’s bankers and the management team on the risk management due diligence of Golden West’s balance sheet should have been a priority for the board of directors, especially after a warning from a senior executive about the high risk of buying Golden West, whose risk exposures proved lethal for Wachovia once the housing crisis struck.6

Organizational risk management by the board of directors is equally critical, since it is no longer adequate to assume that risk is being properly measured and managed just because formal risk guidelines, reports, and processes are in place. Organizational risk management entails its own set of important questions:

1. Do we have an integrated firm-wide risk management process?

Effective risk management is achieved through comprehensive risk reporting, governance policies and limits, escalation procedures, action triggers, and a dynamic and integrated firm-wide process. As a prerequisite to the above, the company must possess an analytical system capable of properly identifying, measuring, and aggregating all risks at the enterprise level. Equally important, the appropriate “risk mindset” must exist throughout the firm. Dominant risk exposures and the risk analysis of key business initiatives must be routinely discussed with the board. The board must ensure that relevant risk measures are among the key metrics monitored by business managers on a daily basis. Last, the board must fully understand whether risk matters are handled proactively and whether communications across business units are open and effective. In this regard, red flags to be watched and immediately addressed include excuses that specific risks do not lend themselves to quantitative measurement, claims that certain risks are the “nature of the business” and therefore should not be monitored or managed, and such phrases as “don’t worry,” “this is a low probability event,” or “local managers have it all under control.” Instituting a rigorous firm-wide risk process ensures that directors do not start probing senior managers about the risks the corporation has undertaken only when it is already too late.

The White House Situation Room, for example, is reputed to employ a “tripwire system” that monitors predetermined events to ensure that strategists continually reassess their view of the environment. Meanwhile, BlackRock attributes its continuing success to the centrality of risk management in the firm’s investment management process, where all risks are “fully understood and properly managed” at all times.7

2. Are professionals at all levels empowered to manage risk?

For risk management at a large and complex institution to be effective, it must be built into the very fabric of decision making and controls throughout the organization. Several activities are especially important in this regard. A common risk language must be established throughout the organization – along with clearly delegated responsibilities for managing risk at all levels. The risk management function must be genuinely empowered, with senior risk officers gaining not only a “seat” but also a “voice” at the table where important decisions are made. Last, leadership and management structures must be correctly aligned with the firm’s business model from a risk perspective, and the right balance must be struck between competing priorities and constituencies.

It is difficult to find a single public example where professionals at all levels of a financial institution were empowered to manage risk during the financial crisis. It should not be surprising, then, that regulators are moving toward having senior risk managers report directly to board committees and toward empowering risk managers throughout the organization. In that regard, it is noteworthy that J.P. Morgan attributes its resiliency during the recent crisis to “the strong and open culture,” where “employees are able to deliver candid and constructive feedback to their colleagues.”8

3. Does the company have an appropriate risk management culture?

According to Jim Collins, the author of Built to Last and Good to Great, “companies that survive periods of great tumult and duress have an incredible fabric of values.” Given that it is precisely these values that help successful companies fulfill their mission and strategic vision – and create lasting shareholder value – boards of directors must be committed to the creation of the right risk culture. There are specific signs that a company is on the right track in this regard, with a sense of the overriding importance of risk management becoming part of the firm’s DNA and immune system. The board assumes ultimate responsibility for risk oversight, declares its ethical stance, and establishes clear measures of success and metrics for risk appetite and limits. The board effectively delegates responsibility for risk management together with commensurate authority. Risk training and awareness programs are in place throughout the organization, with senior line managers and risk professionals responsible for formal post-mortems of major mistakes. The board ensures that management incentives encourage responsible and value-added risk taking. Executives and board members continuously emphasize the importance of embedding risk management in the organization’s decision making and communications. Rewards are consistent with desirable behaviors, and employees know what is expected and what is punished. Last but not least, silos are broken down, open communication is encouraged, and risk successes are publicized. When this happens, employees make better decisions, keep their companies out of harm’s way, and reduce potential legal liability and reputational risk.

* * *

Risk management is the framework for critical strategic and investment decisions, not merely a policing function. Therefore, the new risk paradigm for corporate governance presents visionary boards of directors with a unique opportunity. In normal economic environments, strategic risk management leads to lasting stakeholder value creation, directly enhancing earnings growth, investment performance, and share prices. During crises, it limits losses and ensures survival. Along with opportunity, however, come hard work and the need for leadership: risk management must be transformed into a cornerstone of effective strategic action and corporate governance – and fully integrated into executive and investment decisions, organizational structures, and corporate cultures. Meanwhile, failure to adapt to the new reality can be lethal: as W. Edwards Deming famously noted, “It is not necessary to change. Survival is not mandatory.” Boards of directors have the fiduciary duty to do everything in their power to prevent this from happening.

1 Brady Dennis, “AIG Shaking Up Its Board,” The Washington Post, May 20, 2009.
2 Nick Timiraos, “Fannie, Freddie Elicit Grim Forecast,” The Wall Street Journal, October 22, 2010.
3 Reuters, “Ex-Citi CEO defends ‘dancing’ quote to U.S. panel,” April 8, 2010; Eric Dash and Sewell Chan, “Panel Criticizes Oversight of Citi by 2 Executives,” The New York Times, April 8, 2010.
4 Ben W. Heineman, Jr., “BP’s Board Has Questions to Answer, Too,” Bloomberg Businessweek, July 27, 2010.
5 Jenny Anderson and Landon Thomas, Jr., “Goldman Sachs Rakes in Profit in Credit Crisis,” The New York Times, November 19, 2007.
6 Rick Rothacker, “Top Wachovia exec warned bank against deal with Golden West,” June 11, 2010.
7 BlackRock, website, “Investment Strategies & Vehicles.”
8 J.P. Morgan, website, “Values.”

Leo M. Tilman is president of strategic advisory firm L.M. Tilman & Co., faculty at Columbia University, and author of Financial Darwinism (Wiley, 2009).

David Martin is senior vice president of AllianceBernstein, founding chair of the Investment Company Institute’s Risk Committee, adjunct faculty at NYU’s Stern School of Business, and the author of Risk and the Smart Investor (McGraw-Hill, 2010).