Strategic Risk Management: Why Boards Must Continuously Evolve
In 2022, one of the largest financial firms in the world, Credit Suisse, found itself in a massive crisis, not because of one poor decision but due to a series of overlooked risks. The firm was caught up in scandals involving Archegos Capital and Greensill Capital, which resulted in losses amounting to billions of dollars. Despite its size and reputation, the board failed to fully comprehend the extent of the risks the company was exposed to, ultimately leading to significant damage to its financial position and reputation.
This incident serves as a reminder of the board's crucial role in risk oversight. In an ever-evolving business landscape, directors must not only understand the risks but also actively oversee how they are managed to prevent such catastrophic failures. It’s not just about reacting to risks but proactively engaging in risk management as part of the company's strategy.
In this article, I delve into how boards can effectively oversee risks and why continuous improvement in risk management practices is essential to avoid missteps like those of Credit Suisse.
Defining Risk Oversight: A Board’s Core Duty
Risk oversight isn't merely an administrative task for the board; it is a cornerstone of corporate governance. The role of the board extends beyond setting a company’s strategic direction to ensuring that risks to those strategies are identified, assessed, and managed. Credit Suisse’s debacle highlighted how poor risk oversight, especially of financial-market and operational risks, can lead to significant losses. The board's failure to engage deeply with its risk governance structure allowed systemic issues to remain unchecked until they became too big to ignore.
According to Deloitte’s 2018 Audit Committee Resource Guide, risk oversight is a fundamental board responsibility. To manage this effectively, the board must ensure that risks are regularly discussed and assessed. It is essential for directors to establish a governance structure where the most pressing risks are brought to the full board, while others can be delegated to appropriate committees.
For instance, human resources and compensation risks can be delegated to the compensation committee, while financial risks are typically managed by the audit committee. However, with risks becoming more complex, boards must continuously evaluate if the existing governance structure is sufficient or if adjustments are required to respond to new threats.
Governance Structures: Continuous Adaptation is Key
Many boards have clearly defined governance frameworks, but these frameworks must be agile enough to evolve with new challenges. The collapse of Wirecard, a prominent German fintech company, in 2020 exposed its board's failure to oversee financial and operational risks. Wirecard’s internal controls were weak, and the board didn't identify these gaps until it was too late. This highlights the importance of continuously reassessing risk governance frameworks and adapting them to handle emerging risks.
One best practice is for management to maintain a comprehensive list of enterprise-wide risks. This list should be mapped to specific committees for oversight, ensuring each committee has the necessary focus and expertise to manage its assigned risks. For example, audit committees should be charged with reviewing financial risks, while risks related to cybersecurity and IT can be overseen by technology-focused committees.
The Rise of Cyber Risk: Learning from the Marriott Breach
In 2018, Marriott International suffered one of the largest data breaches in history, compromising the personal data of over 500 million guests. The breach was the result of inadequate risk management following Marriott’s acquisition of Starwood Hotels, whose database had been compromised years prior to the merger. Despite acquiring the company, Marriott’s board failed to ensure a thorough review of Starwood’s IT and cybersecurity risks.
The Marriott case underscores the growing importance of cyber risk oversight. In today’s tech-driven world, cybersecurity is not just an IT issue but a business risk that can threaten a company’s reputation and financial health. Boards must stay ahead of these risks by regularly discussing cybersecurity strategies, monitoring threats, and engaging with management and technology leaders.
In companies where the audit committee oversees cyber risks, it is essential that the committee members have a clear understanding of the risks involved and the expertise to assess them. The board must also establish regular communications with the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) to stay updated on the latest cyber threat landscape.
Critical Questions Boards Must Ask
The downfall of companies like Theranos, which failed to recognise the risks inherent in their business model and technology, has highlighted the need for boards to ask the right questions. Effective risk oversight isn't passive; it requires continuous inquiry and engagement with management.
These questions serve as a foundation for comprehensive risk oversight, ensuring that boards are not blindsided by risks that could potentially threaten the organization’s stability.
Risk Culture and Risk Appetite: The Volkswagen Scandal
The 2015 Volkswagen emissions scandal, often referred to as “Dieselgate,” was a prime example of a company that failed to align its risk culture with its business objectives. Despite its global prominence, Volkswagen’s board did not adequately oversee compliance risks, leading to severe legal and reputational consequences. The company had prioritized market share and profitability over compliance with environmental regulations, reflecting a mismatch between its stated values and actions.
To prevent similar issues, boards need to actively cultivate a healthy risk culture within the organisation. Risk culture refers to how employees at all levels perceive and engage with risk. Boards should ensure that this culture promotes transparency, accountability, and ethical decision-making.
Risk appetite, the level of risk a company is willing to take in pursuit of its goals, must also be clearly defined and communicated. Boards need to understand how much risk the company can tolerate and ensure that management’s decisions are aligned with this threshold. When there is a disconnect between risk appetite and risk management, boards can find themselves facing crises like Volkswagen’s.
Leading Practices: Building a Resilient Risk Oversight Framework
Boards that effectively manage risk are not reactive; they are proactive and forward-thinking. Some leading practices include:
Regular reassessment of the company’s top risks: Boards must periodically evaluate their risk list, ensuring that each risk is assigned to a specific committee and that mitigation strategies are in place.
Staying engaged with stakeholders: Regular communication with management, auditors, and external consultants can provide the board with diverse perspectives on the company’s risk landscape.
Embedding risk management into strategic planning: Rather than treating risk as a separate consideration, boards should ensure that risk management is integrated into the company’s overall strategy.
Conclusion: Learning from the Past, Preparing for the Future
Corporate failures like those of Credit Suisse, Wirecard, Marriott, and India's own Satyam Computer Services and IL&FS demonstrate the devastating consequences of inadequate risk oversight. The Satyam scandal of 2009 involved fraudulent financial reporting, with the board failing to detect the inflated earnings and manipulated accounts, leading to a significant corporate collapse. Similarly, IL&FS, a giant infrastructure lender, defaulted in 2018, largely due to poor risk management, lack of board oversight, and unchecked borrowing. These failures highlight how boards must remain vigilant, adaptive, and engaged with the evolving risks their companies face. In the end, the board’s role in risk management is not just about minimising threats but also about safeguarding the organisation’s future and ensuring its resilience in an unpredictable world. By building a resilient risk management framework and asking the right questions, boards can safeguard their organisations from potential disasters and help guide them towards a sustainable, successful future.