The New Rules Of Risk

No one knows exactly what lies ahead—but you can still plan for it.

One thing is certain coming out of 2020: The global pandemic and recession will be followed by new challenges in the years to come—and if the past year-plus has taught boards anything, it’s that they have to find better ways to forecast those financial and non-financial risks and opportunities. As the world slowly returns to some semblance of normal, boards are engaging in some fundamental introspection about how they could have been better prepared, and how to best anticipate what might still lie ahead.

“The very first question on the minds of every board and every executive team is, how are we conceptualizing this ‘new normal’?” says Leo Tilman, author of Financial Darwinism. “There are so many moving parts, and one of the key questions is, what are the changes—in the market environment, in consumer behaviors, in the B2B landscape—that are permanent and which ones are transitory. A lot of conversations about strategy and big-picture pivotal decisions are based on the answer to this question.”

But given the many new risks facing companies, including the proliferation of cybercrime, the heightened focus on ESG and the reputational and brand risks in the era of cancel culture, boards must work with management to find opportunity in the uncertainty. “It’s not, how do you assume a better fetal position so you can withstand the next outrage, but how can we dominate environments like this?” says General (Ret.) Charles H. Jacoby Jr., Fifth Commander of United States Northern Command and the 22nd Commander of North American Aerospace Defense Command, who spoke recently at CBM’s annual Board Risk Summit.

To do that, boards have to resist spending too much time focused on the past, says Evelyn Dilsaver, director with Tempur Sealy, Health Equity and Ortho Clinical Diagnostics, who recommends looking at the headlines of negative events happening to other companies “and really peeking around the corner to see what risks are not being covered, whether broadly through the company or within the committee structures.”

Jacoby, who, with Tilman, coauthored Agility: How to Navigate the Unknown and Seize Opportunity in a World of Disruption, offers a military lesson directors would do well to heed: “We’re brought up to believe that the worst thing we can do is to be planning to fight the last war and not the next war.” He says the military does three things well to forecast risk, and companies need to get better at all three:

1. Intelligence. While information overload is certainly real, the data companies really need about clients, competitors and the market are not always readily available, which is why Jacoby and Tilman coined the phrase, “Fighting for risk intelligence,” says Tilman, “to emphasize that this is a very concerted, proactive process and you need to commit resources and orient everybody to that.”

2. Planning. Boards and executives realized the deficiencies of traditional corporate planning processes when they had to redo their strategic plans weekly between March and June of 2020. “They were literally redesigning and re-estimating their strategic plans, which told us that not only their baseline assumptions could have been wrong, but there was no contingency planning around it.”

3. Practice. Like tabletop exercises, war-game simulation looks at the repercussions of a particular scenario to help quantify risk—but goes a step further, putting participants in role-playing positions and testing the robustness of their assumptions and the consequences of their decisions. A critical tool for military preparedness, war gaming works best when the goals are very clear from the outset. “One good way to look at this is where are there critical relationships between levels or between silos or between the lines of business where I need to make sure that we are linking arms with capability and have clarity in our strategic alignment and in how we are going to respond purposefully,” says Jacoby.

Who Owns That Risk?

One key way boards can improve their risk oversight is by ensuring that they not only have the appropriate risks on their radar, but also that the right committees or directors are responsible for monitoring them. For some companies, that means establishing a separate risk committee, says Agnes Bundy Scanlan, director with Truist Financial, NewTower Trust and AppFolio. “Obviously, it depends on the institution and their strategy and mission, but I do believe in a separate audit and risk committee.”

The two committees approach risk with very different lenses—one backward looking and the other forward, says Joseph Prochaska, Jr., director with Synovus Financial. “Audit committees also tend to focus on a set of rules: Are we in compliance with GAAP? Are we in compliance with Sarbanes-Oxley and the different control mechanisms? Whereas risk tends to be more freeform from the standpoint of, what should we be concerned about?”

The risk committee can also focus more on forward-looking opportunities and not just the dangers ahead. “So, that’s how do you use risk to your advantage?” says KPMG partner Jackie Daylor, who adds that if a board does have a risk committee, it needs to beware of thinking that all risk is owned by a single committee. “It’s so important to continue to play a team sport as you look at board structure and how the committees work together.”

For small and mid-cap companies, where the board is seven or eight directors, it may not be an option to carve out a separate risk committee, says Dilsaver. “So, audit just has to do both jobs.” She adds that nonfinancial risks are divided along ESG lines, with environmental discussed at the full board level, social risks monitored in the compensation committee and governance in nom/gov.

Those relatively small boards can also appoint one director to be the resident expert for one specific risk, says Dilsaver. “Cybersecurity, for example—the board needs to make sure [that director] has the resources to be able to talk about it intelligently within the board meeting because most of us did not grow up with that stuff. Even knowing the right questions to ask when you’re sitting in the boardroom is really important—and then hearing the answer and knowing it’s a legitimate answer.”

If the expertise doesn’t currently exist on the board—and often, even if it does—it might make sense to bring in outside experts to educate at the committee level, says Scanlan. “Then, they can help educate the rest of the board.”

Risk Management in Real Time

While boards may be getting better at anticipating and reacting to crises, these dramatic events now play out in real-time, at warp speed and in full view of activist investors, online campaigns and citizen journalists, who are all too ready to call the company, and the board, out. Add to that the expectation that companies will take a vocal stand on political and social issues and things get even more challenging. “This is going to be the issue du jour of 2022,” says Richard Levick, a guru of crisis communications, who offers the following advice to boards:

1. Take a lesson from Delta. Ed Bastian, CEO of the Atlanta-based airline, made an initial statement praising aspects of Georgia’s new and very controversial voting rights legislation. But after he and the company were pilloried on social media, Bastian released a new statement, this time a forceful condemnation of the law. “In the second pronouncement, he was very Martin Luther King-ish in terms of his messaging,” says Levick, adding that the first response was likely initiated by public affairs or legal—which failed to accurately gauge how the wider public would receive it.

2. Understand perception is everything. If Delta had understood the way its response was being perceived, “if they had had a diversity officer involved, if they had had brand more heavily involved, I guarantee you, they would have looked at the Georgia legislation differently, at least in terms of their public pronouncements,” says Levick. “We have to blow up our silos. Silos have worked for 70 years—HR, GR, PR, legal, all separate—but that’s not how your critical audience looks at things. They see the interconnectivity of all this.”

3. Use your peace time wisely. When your company is not under attack, that’s when management and the board should be looking at crises happening to other companies and studying what they’re doing. “You see American Airlines, you see Dell looking at what’s happening to Delta, and they’re saying, ‘How do we get ahead of this?’ That’s your laboratory.”