Episode 15 - Risk governance for a changing landscape

In this podcast, James Beasley, Senior Director at Nasdaq Governance Solutions, discusses how organisations and boards can evolve their risk management practices in response to a changing risk landscape.

Nasdaq Governance Solutions

Nasdaq empowers business leaders with technology and intelligence to innovate, grow and stay ahead of the changing markets. We offer an integrated suite of market intelligence, analytics, and collaboration solutions that support corporate executives, investor relations, and governance professionals around the globe. https://www.nasdaq.com/solutions/governance

James outlines how non-financial risks are becoming more prominent and discusses the challenges in managing these less tangible, more complex risks. He argues that their universal nature means that organisations can no longer afford to forgo risk oversight and governance. James describes how many organisations are innovating to ensure they are equipped to manage what is becoming an increasingly complex space.


Transcript

RJ: Today I'm speaking to James Beasley, Senior Director at Nasdaq Governance Solutions, about risk governance and risk oversight. James, could you introduce yourself and begin by telling us why you think risk governance is an important topic?

JB: Thanks, Rachael. To introduce myself, my role is to lead Board Advisory and the Nasdaq Center for Board Excellence in Europe, Middle East and Africa, with a focus on board effectiveness and board advisory support.

Risk governance for me is always going to be an important topic. It's come to the fore in recent years as the risk universe, if we can call it that, expands and becomes more complex and more opaque. Think[ing about] the traditionally understood quantitative risks, the typical risks that have a financial connotation: they’re easily quantifiable, and they remain. But now non-financial risks such as people risks and cyber risk seem to be taking up increasing time and being far more prominent in the top risks reported to the board.

We sometimes refer to those as not easily quantifiable risks. There's a reason for that: they're difficult to put an appetite and tolerances around. If you think about the traditional approach to risk governance and risk oversight, it's been [about] defining the risks that apply to the organisation and any subcategories of those. Defining an appetite, i.e., quantifying how much of [a risk] you're willing to take. And defining some tolerances around that in terms of where you are happy to flex.

As we've come to understand risk a lot more and practices have been put in place to define, insofar as we can, those less easily quantifiable risks, that's really challenged some of those assumptions and traditional ways of working. [This has then affected the] the board where they've had to figure out how to deal with them.

A default [approach] might be to ensure there's an expert in the most prominent risks on the board or ensure the board has standing access to experts in that area. Time and again, it is these risks that are being referenced in board evaluations as the things that keep non-executive directors up at night. Some organisations, frankly, have not historically been in a leading or even comfortable position around risk oversight. It's been an area of challenge for a number of organisations for many years. In the regulated world, it's often something that external parties look at a bit more closely, and in the listed world, in order to use risk governance as a case study.

It's particularly been an issue in industries where risk hasn't necessarily been seen as a priority. If we think about the prevalence of board-level risk committees outside of something like financial services, where that might be a standard, there are clear hotter spots and clearly, much, much cooler spots.

The new world, if we can call it that, gives no quarter in this regard. There isn't really a lot of room and a lot of time to wake up to good risk oversight and understanding risks as they apply to an organisation. Any company can be subject to a cyber attack, be impacted by supply chain issues or geopolitical risks, such as the war in Ukraine, or by people risks from a tight labour market and new working patterns.

RJ: Would you say those are the sorts of risks that the boards you work with are highlighting as priorities for them? The examples of these new kinds of risks. Are there any other examples?

JB: I think you can start to break down some of those [risks] in a little more detail and some are more easily manageable or easily controlled than others. Those are the ones I would really highlight as coming through as priorities for the boards that we work with when we're having board evaluations. For example, it is cyber, it’s geopolitical risks and supply chain matters, it’s people and talent.

Going back to that point in terms of you can then break them down a little more. Under people and talent, succession risk, if you can define it as that, is something that is coming up time and time again. It's a sub-characteristic of a tight labour market, but it's an incredibly impactful aspect. When linked into governance, so you could put it under people, you could sit it between governance and people risks. When you link it to governance, these things become quite critical in terms of the ability of the board to discharge its role in effectively overseeing and charging management. It's critical for senior leaders in the organisation to have a handle on [succession risk] so that they don't lose key people at the least convenient time.

RJ: I wondered as well about things like reputational risk, [which is] in some ways linked to the geopolitical risks that you talked about. [There’s] an increasing demand from stakeholders for companies to take a position on topical issues. Do you think there's increased reputational risk there?

JB: I think reputational risk is one of those very interesting risks, which then leads into or has touchpoints with lots of other risks. It can almost be consequential to certain other risks. It's a perfect example that you provided with the geopolitical risks, for example. Reputations were damaged for organisations with their response to the war in Ukraine. It depends on the stakeholders that you're answerable to and you're focused upon and affected the most by.

Things such as reputational risk are critical [for] an organisation to try to understand. Those touch points with the other risks and the causes for increasing reputational risk based on those other risks are really where that focus at the board level needs to be.

RJ: Do you think risk governance should focus on the board and its relevant committees?

JB: Yes, and no. The board and its committees sit at the top of the pyramid. It's the board's responsibility to oversee the risk profile of the organisation, focusing on the top risks. And ensuring that it has an effective framework for managing risk, including things like sound governance, independent monitoring, a defined appetite. Strong boards set up the framework well and keep it under regular review as part of the responsibilities apportioned under that framework.

RJ: Do you think oversight is a matter for the full board? Or for an individual committee such as the risk committee or the audit and risk committee? Or should it be something for both?

JB: Both, in practice. Setting up a risk committee, or an audit and risk committee, doesn't absolve the board of its responsibilities. But it does provide a focused forum that can better inform the broader board. In practice, if we're thinking about what those different bodies do, there should still be risk reporting to the board. But it will likely be coming through the risk committee in that kind of setup, or the audit and risk committee. Where there's been a board-level debate on the risks, the takeaways from that debate, and some of the key messages from the management information that has been provided, should be played to the wider board’s agenda.

RJ: Do you think there's a gold standard approach that firms should follow when it comes to risk oversight?

JB: There's something called the three lines of defence model, which is applied in a lot of listed, regulated organisations where risk has been a focus for a long time. Essentially, it means that the first line of defence is the business. It's the people making the day-to-day business decisions: who to work with, what to charge people, how they operate as an organisation, how they deliver their products, their services. The view is that those are the individuals responsible for managing risk, they take the ownership because they're at the coalface; they're at the frontline. Those decisions can be taken within the business structure through the different levels of management and up ultimately to the CEO.

The second line [of defence], if we're talking gold standards and we're thinking about three lines of defence, is a risk function, or a risk and compliance function. They should be independent from the first line, from the business. They should be able to do the hypothetical ‘peering over the shoulder’ – looking at the behaviours, looking at the things that are happening within the business. Looking at the numbers, what's coming out of the business that is being transacted. And [to] say, ‘that is in line with what we're supposed to be doing, or that's in line with [our risk] appetite’ or otherwise.

There can be [for this function], particularly on the compliance side, something of an advisory element to the business. They typically own the overall framework in terms of [they] write the policies or own the policies for application that should be followed. But most importantly, they have a monitoring role. As I said, looking over the shoulder, they define that in a formal plan year on year where they might look into individual risks, individual aspects of the business, to then get an understanding of how risk is actually being managed and how that should apply to the firm. In that structure, the risk function is headed by a chief risk officer (CRO) or a head of risk who is independent, who has a reporting line separate to the CEO, where they can escalate. They’re of a suitable seniority to have access to the board, to be asked for opinion by the board.

The third line of that is internal audit as a function. It's providing the independent assurance over those first and second lines, the two things that come in front. The board sits over the top of that structure, where it can receive reporting through its committees or directly from the three lines and can get the picture of how those things converge and make sure they're asking the right questions where there might be potential conflicts, where there might be disagreements between the different lines and allocate the different actions to be taken.

The three lines of defence model is a bit like capitalism: it’s not perfect, but it's the best we've got. I think that's the view! There's always learnings; it needs to be applied proportionately. But that's the most effective way of doing so.

RJ: We've talked a little bit about how the risk landscape is evolving away from quantifiable, tangible risks and we've talked about the specific risks that boards are highlighting. What challenges do you think this evolving landscape and these new risks are posing to board performance?

JB: I think boards are trying to manage the ever-growing risk universe and ever-evolving threats that they see. That's demanding a number of things in terms of changing behaviour. I think we are seeing increasing prevalence of independent risks functions and chief risk officer roles. Many of those chief risk officers sit on the board, they have a board seat, just like the CEO or the chief financial officer (CFO) traditionally. We're seeing them needing to be day in day out sitting on the board, taking the collective accountability, giving vital input.

It's posing a challenge to organisations where they might be having to set up a completely new way of thinking about risk, which comes with a lot of time and effort and resource investment. We are seeing evolving management information with more focus on tailoring to audiences. [For example,] what the ExCo sees should not be the same as what the board-level risk committee sees, which should not be the same as what the board sees.

We're definitely seeing an evolution towards much more forward-looking trends analysis. Not just saying, ‘this is the risk profile of the organisation, this is where we were last week, or last month, or last quarter and this is where we are now.’ Much more focusing on [thinking about], ‘these are the top risks as they stand today, this is where we're expecting them to go based on the trends that we're seeing and based on the up-to-date information, and these are the other ones we think you need to be thinking about, because they're not necessarily on our radar at this level, but the trends are indicating that they should be.’

We're seeing a lot more opinion from risk functions as well. We're seeing boards are looking for that person internally that they can trust, who has that degree of independence, going back to the three lines of defence model, where they can say, ‘what is your view on this?’ We're seeing chief risk officers, even in cover sheets on management information, having a little box for their own opinion on management proposals, for example, which is quite interesting. And very powerful. It shows that the chief risk officer in those scenarios really has gravitas and authority, which is very important when thinking about effectively overseeing risk.

We're seeing risk committees, which are dedicated to potentially those top risks or those top risk categories, and even working groups which cross the board, executive and management levels. If you think about how an executive risk committee might be an overall effectively enterprise risk committee chaired by the CRO, then underneath that you might traditionally have an operational risk committee, or a credit risk committee, or market risk committee, whatever it might be. We're seeing that a bit more even at the board level now. Boards are thinking, ‘even if it's not a formal committee of the board – a subcommittee as it would be of the board – we need a working group where we get certain people who are authorities on this on the board, maybe together with some of the folk from management, who are the experts on this, to have some form of working group where they discuss some of these topics, they share learning and insights, so that we can get ahead of this stuff that ultimately gets covered at the board committee and at the board.’

People [are] looking outside the box to tailor their governance to that evolving risk landscape. That involves a bit of commitment that your committee structure isn't necessarily permanent. If you set up a working group tomorrow, [it] doesn't mean it needs to be there forever or for the next ten years or so. It might just be that right now, we think the right thing to do is, ‘we're facing an acute risk here and we need to make sure that it's getting the attention that it gets.’ The only challenge with that kind of structure, of course, is we need to make sure that this remains a board thing or a board-led thing, and it's not crossing that line into day-to-day management of the firm.

RJ: Do you think that means then that the board needs to have a board member aligned to each of these new risks that organisations are facing?

JB: In short, no. When we think about composition of boards, when we look at skills or composition matrices, rarely do organisations have a lead director for each item on the checklist. Boards can't grow indefinitely in size in order to do so and nor would that necessarily add value. So, training and upskilling inevitably becomes a focus.

Formal, annually refreshed board training programmes can be hugely beneficial, as can individual development plans for non-executive directors. If you go through a board evaluation, perhaps there is an individual director view there, some 360, peer-to-peer feedback on individuals’ contribution. Those discussions, as part of an appraisal or just a feedback session between the individual NEDs or directors and the board chair, can point to areas where [the] contribution might not necessarily be meeting the expectation where the board does think it should have certain risks covered off.

It can also uncover situations where individuals might have a particular interest, even if they don't have a particularly strong background, in an individual risk or related topic, which might form part of their own personal development and kill two birds with one stone as we say. There's some powerful tools there to head off needing the [director’s] chair [to be] labelled ‘cyber risk’.

Thinking about what else can be done about it from a softer and ongoing point of view. Good onboarding practices for NEDs, to anticipate gaps and plan to fill them, are very powerful. Roles like specific risk champions can provide focus. Going back to that point where someone might put their hand up. You might say, ‘cyber risk is a particular challenge to us. We would quite like someone from amongst the board to take responsibility for diving a little bit deeper into the topic, making sure that it's represented during discussions, who can have that thing under their name tag that says cyber risk champion.’ These can be powerful initiatives.

RJ: Do you have any useful tips for how boards can test the effectiveness of the organisation's risk governance?

JB: Deep dives are quite an interesting tool. If we look at individual scenarios, individual decisions, individual risks, particularly if you have a three lines of defence model, where you have an independent function to go to, or you have an internal audit function to go to, to commission the deep dive. That can provide that qualitative insight into [understanding] how well is risk being managed or overseen.

It might be that you've just had a cyber attack, or one of your peers has. I'm using cyber a lot as an example; it's on everyone's plate. You might say, ‘let's scenario test this, let's look at what would happen if, or let's look at what has just happened. Let's deep dive into exactly what steps were taken, who made what decisions, when were people informed? How? And was that all in line with our governance?’ Deep dives are a commitment, but they're a very powerful tool.

Alongside that, maybe less ad hoc, but more as a general or ongoing plan where you can have a whole host of things that you want to focus on, scenario planning and testing can be a very powerful tool for the board. You might look at something every quarter or a couple of things a year, whatever it might be. When you might say, ‘if we were subject to a cyber attack, how would that work?’ And you invite that feedback from the relevant individuals.

The other thing [is that] I would encourage boards to look at processes. To say, ‘our risk appetite setting process. Is there enough challenge on [the question of], are these the right risks that we're looking at here? Are these the right tolerances? Are we clear on the risk appetites that we've set, given we have these less tangible risks now to cover off? Do we really know what we mean in these areas? Are the right people being invited for their input into the process? And in the right order? Is the CRO involved? Are the relevant managers involved? Is the board involved, board risk committee, ExCo?’ Again, use that not necessarily as a deep dive, but just in the same way that you look at your terms of reference every year, look at a process and say, ‘it's an annual thing, how did that go? Let’s reflect.’ Maybe you can do that as part of a board evaluation, or some more ad hoc process.

RJ: As a final thought, what do organisations typically do to embed independence of the risk function?

JB: A number of things. I mentioned the role of the CRO when we were speaking earlier on and having an independent reporting line outside of the CEO. What I mean by that is a reporting line or having the ear of the chair of the board, the chair of the board risk committee. Where they're not going to be blocked from escalating by say the CEO or management if there was some dysfunction or a particular challenge that really needed flagging. [It’s about] making sure that connection is very clear. Practically, that means regular catch ups as much as being aware of each other and having the route open. There needs to be a relationship there of trust that's built over time and as a focus.

Aligned to that, the board or the board risk committee, if there is one, should have explicit responsibilities for overseeing the independence of the function, as well as specifically appointing [and] dismissing [the CRO] and agreeing the[ir] remuneration. Again, reinforcing that independence by taking that out of the pure management reporting line field, and putting that into something the board has explicit responsibility for or its appointed committee.

I talked about evolving practices earlier on with management information, for example. An important one that I wanted to re-emphasise there is around ensuring that the organisation gathers the CRO’s view, or the risk function’s view, on any major management proposals. So, inviting that input, giving the function an opportunity to say either, ‘yes, we've been involved in the process, we're comfortable, we're fine.’ Or maybe, ‘we would recommend to the board [that] they looked into this or that, or did X or Y,’ that can be incredibly [powerful].

The right for the risk function to attend all committees, as far as they're relevant, is an important one. Making sure that the risk function is suitably embedded and has that authority to, if it needs to, understand something a little bit more. Sit in on that meeting where that thing is being discussed.

Finally, having a formal monitoring plan that's approved by the board or the BRC (board risk committee) as well. Where the function can say, ‘this is what we're planning to do this year, this is what we're going to look at from a risk point of view.’ Making sure that gets signed off and sponsored by the board or the board risk committee.

Put all together, those things should really be pointing an organisation in the direction of having a robust risk function, which will only benefit the organisation and will benefit the board in allowing it to do its work more effectively.

RJ: Thank you; that's a really useful note to finish on. It's been a really interesting discussion about the evolving risk landscape and how boards can approach these new, less tangible risks and take steps to manage them effectively. Thank you very much for your insights today, James.

JB: Thank you, Rachael.
