Managing Risk — What Directors Need to Know
Helen Mallovy Hicks
This episode features three guests: Mike Harris, leader of the Corporate Governance practice at PwC; Brenda Eprile, a partner, Risk Practice Leader for the GTA and National Internal Audit Practice Leader at PwC; and John Clappison, a former PwC partner and current director of a number of boards. The group explores why the role directors play in risk management may be more important now than ever before.
Dean: Welcome to Strategy Talks with Dean and Helen, part of the PricewaterhouseCoopers Managing in a Downturn podcast series. I'm Dean Mullett, co-head of our Restructuring and Distress Strategy Group, and a member of our Credit Crisis Task Force.
Helen: And I'm Helen Mallovy Hicks, a Partner in the Advisory Practice of PricewaterhouseCoopers in the Dispute Analysis & Valuations group.
Dean: The current state of the economy is understandably of great concern for most Canadian businesses. This series of audio podcast discussions with a variety of subject matter and industry guests are designed to help your business weather the storm by exploring some of today's hottest issues related to the economic crisis.
Helen: Hi, this is Helen Mallovy Hicks. Dean Mullett is on the road today, and I am joined by three guests. Today, the role Directors play in risk management may be more important than ever before. Understanding this role may be crucial to the success of companies. It is important that Directors and Management vigilantly oversee risk management. They need to ensure risks are understood, consistent with the company’s strategy, and manageable within acceptable limits. In today’s episode, Managing Risk: What Directors Need to Know, I am joined by Mike Harris, leader of the Corporate Governance Practice at PwC, Brenda Eprile, a Partner, Risk Practice Leader for the GTA and National Internal Audit Practice Leader at PwC, and John Clappison, a former PwC GTA Managing Partner, and current Director of a number of boards including Cameco Corp., Canadian REIT, Rogers Communications Inc., and Sunlife Financial Inc. John, I’ll start with you. Is risk management truly becoming a bigger board priority?
John: With what’s happened in the economic times, and as well, the sort of chaos that has taken place in the financial institutions in particular, it has become a bigger priority for boards. What I’m finding more than anything else though, is that it continues to be the risk committee that is doing all the legwork and the outcome of that is that there is more time spent in understanding what happened, why the business faced the problems that it did face, in terms of write downs, in terms of these variable annuity products that it had, and with the consequence being that there’s more time being spent in educational issues, etc. As I mentioned in a recent seminar in which I participated, the board members have been invited to attend these particular sessions, and they’re taking it up with an awful lot of interest, so the bottom line is, it is becoming a bigger board priority. On the other hand though, you have to look at where this particular crisis seemed to land more than any other. In an industry such as the other boards that I’m involved with, it remains an issue of high concern, but not nearly to the extent that it is in the financial institutions sector.
Helen: Mike and Brenda, maybe you’d like to weigh in what you’re seeing in terms of boards and risk as a priority.
Mike: Sure. I think the interesting thing is nothing’s really changed from a corporate governance structural point of view. It’s still management’s responsibility over risk management in the companies, however the board has to provide appropriate oversight, so it doesn’t mean that now the board has to be more hands-on or take on a risk management function, but the landscape has changed. In this current economic crisis, there are more complex risks, you have to think about risks perhaps you’ve never thought about before, and how do you do that? The board probably needs different pieces of information that they haven’t seen before and there needs to be more interaction with management to understand not just what the risks are, but what kind of risk management infrastructure they have in place to manage perhaps what you don’t know today, but you need to think about in the future.
Brenda: I would agree with what Mike has said. I think boards are looking for more concrete information in terms of reporting on risk management. There have been a lot of dashboards reported on risk for many years, but often the information presented describing those dashboards is pretty skimpy. And so boards are looking for a lot more beef behind the various ratings and the trending on the different ratings. As well in the financial services sector, we’re seeing that the regulators like the OSFI, the bank regulator in Canada, very interested in risk management. And that’s also underscoring the boards’ concern on risk management because there’s a lot of reviews being done in that area, and global standards are being applied in terms of best practice. So I think there is a lot more attention in the financial services sector on risk management.
Mike: And I think boards need to be bold enough to ask the question, if they’re not comfortable with - they haven’t seen a risk that they think should be presented to them, that hasn’t been there in the past, management – may not be that they’re trying to hide that from the board, but they just haven’t thought about it or at least thought about presenting it to the board. Examples are some of the risks that are now emerging, whether it’s the climate change, which is pretty complex, a new kind of risk to many companies, but management teams have typically thought about it, but perhaps haven’t shared it yet with the board. And not just what are the compliance issues with respect to, say, their emissions, but what are the business issues, cost related issues, around this that again are new perhaps to the board members, maybe not as new to management. But bringing those out and starting the discussion around those kinds of risks is something we see that’s starting to emerge.
Brenda: I also think that boards need to be comfortable asking the question if they don’t understand something. So in financial services a lot of the information’s quite complicated, the structures are complicated, and they shouldn’t be embarrassed to say “I don’t understand this particular line of business or product,” and in fact some companies, in the area of structured finance, management really did not understand the business and the smart ones figured it out and got out ahead of the curve.
John: One of the things that I noted, Helen, that has really changed in the last two or three years has been in board hiring and board recruiting, there is a desire to get people on the board who have even greater knowledge of the industry than perhaps others do around the table. And so I’m seeing recently retired CEOs of companies that are coming on boards, those with deep knowledge of, for example, the mining industry, professional mining engineers that are coming on the board. We had one before, but he’s recently retiring, but this is a new breed, kind of, of young executives, this is an acting CEO. And the sort of questions that they ask involving the risk from the basis of their background and as well what they’re doing on a day-to-day basis is very, very different than what I see happened two or three years ago. So there is this constant probing, and they in particular can really assess the answer that they receive and determine to what extent it’s a fulsome answer or a partial answer. And given the position that they’ve got, they have no hesitancy about pushing back. I think all of this is very positive in the marketplace today.
Brenda: John, I think having those experts on the board really helps as well in terms of the evolution of risk management because they will know the industry well enough to figure out whether management is in fact evolving their practices as they should. Which is very important in today’s environment where a lot of risks are systemic. They’re outside the organization, and so having that kind of deep industry insight is quite critical.
Helen: John, you mentioned on one board you’re on there’s a risk committee, specifically. Alternatively, boards need to have experts in the industry to recognize and deal with the risk. How do those – the committee versus the experts – how does the management of risk from a board point of view work with those somewhat separate groups, or how do you manage risk best on a board?
John: It’s interesting that the two individuals that I talked about a few minutes ago are both on the risk committee. So they can bring again their knowledge right to that particular forum. And the risk committee is quite a bit different with each of the boards in which I’m involved. Yes, a large financial institution has a risk committee – it just makes a lot of sense because of the complexity of the products that they offer, and as well, regulatory requirements. On the other hand, the mining company in which I sit on the board, risk resides with the nominating corporate governance and risk committee, that’s all one.
The individuals involved in that tend to be the chairs of the various committees of the board. And that group I think has become far more active on the risk spectrum than it perhaps was before, in such a way that I was even encouraging the company to separate risk from that particular committee so it got more focus and more attention. But they’re on to it, and management is clearly on to it, and remember, risk is not something you just cast in stone for year after year after year, it’s something that is assessed annually and then updated regularly, on a quarterly basis, etc. So we’re seeing a group getting far more involved in the risk area, and as well seeing reports that that committee is looking at now being disseminated from the board as a whole.
Mike: I think that’s interesting John, because I see the same thing even at the management level. You really need two broad sets of skills; that knowledge of the business and the business strategy, and what risks there are in terms of achieving the strategy or the business objectives, and those are very typically strategy or business people. People really understand the industry or the business well. The risk management capabilities, whether it comes from internal audit or a centralized risk management function, or board members that maybe don’t have the industry knowledge but have a risk focus, you need that as well because part of this is even if you’ve done a great job of understanding and identifying risk and you’ve got it all there, how do you make sure it’s operational? So people on the front lines are really thinking about how they conduct their activities day-to-day, within what the board and senior management team and the business should be taking on in terms of risk. That’s really the challenge; it’s why you need both, I think, both that kind of risk management focus and also the industry knowledge of the business focus.
Brenda: And I would say the same is true at the board level. So that you need board members that are going to understand the strategic aspect of risk, but also those that understand control functions, how to ensure there’s enough granularity in your control function to keep people within the risk appetite, reporting exceptions and whatnot, so it’s a very valid point for both parties.
John: One of the boards I’m on, the CEO sends us a monthly report, operations report. It’s quite in depth, covers a variety of topics. The most important one being, the first item on the report that the CEO writes about is people and safety and health and environment, it’s obviously in the mining industry. He’s proud of the fact that we have no lost-time injuries, or proud of the fact that we won these environmental awards, or things of that nature. That is top-of-mind to the CEO because top-of-mind to the CEO – it’s amazing how much it becomes top-of-mind of the other members of the executive team, and then the employees as a whole. One of the corporate objectives overall is to have a very strong metric on we shall this many – we want zero, clearly, but we shall have no more than this many lost-time injuries in all of our facilities. It’s leadership, culture, tone at the top, we’ve all heard it before, but it’s alive and kicking in that situation.
Helen: And very important to have performance metrics to measure the key initiatives and objectives. John, it’s been said there’s some concern that the heightened focus on risk will lead boards and management to become too risk averse. Any thoughts on that?
John: I think it’s very easy for that to happen. You’re looking at situations that exist and opportunities that exist where the easiest thing for board members to say is no, or keep asking questions until they get enough information that they feel comfortable with. I don’t believe in this particular situation from what I’ve seen, that management, in fact, and boards, are becoming too risk averse. I think risk is top-of-mind and management is presenting materials in such a way that deal with these particular issues right at the beginning. The risk of a transaction, the risk of the products that they’re involved with, and other ancillary risks that may exist in the business. In some instances, I particularly think in the United States, we’re not seeing a lot of M&A transactions. I think people are just scared that they don’t know what they’re going to be getting. I think there’s a lot of skittishness in the US marketplace, for obvious reasons. But in Canada so far, in terms of my experience, yes, there’s a greater focus on the risks involved, but I would not say it’s risk averse.
Mike: I might add that I think it really comes down to if you don’t have a lot of robustness to your risk management processes, if you haven’t articulated that risk appetite, if you don’t have a vision to what you’re doing around risk management, you have no choice but to just go with your gut. And today, I think most people’s guts are on the risk aversion side of the equation. When you read the paper every day, that’s all you think about, is what thing am I not thinking about, and I better avoid it. So if you don’t really have in your mind how you’re managing risk in the organization, or a vision for it in enough detail, I think then companies are probably more likely, in this environment, to be more risk averse, but are very comfortable with the kind of information they have to be able to manage risk in the organization. They can be more confident and take those risks. You know the old adage, with every opportunity that’s there, there’s risk with it, and if you don’t take any risks, there won’t be any opportunities. So risk aversion obviously is an issue, but you need the right kind of information in front of you to feel confident, to go forward.
Brenda: You know what I think has happened to some companies where they haven’t had adequate risk management in the financial services sector, they’ve had some major surprises of a negative sort. It’s damaged their reputation, and then there’s tremendous pressure from shareholders to move that entity to the very conservative end of the risk spectrum, and they don’t get out of the penalty box for a long time. So even though there may be good opportunities for them to do other things, they really end up having to shift to a very conservative position, as a result.
John: You know at times I worry that management may become too risk averse. A company’s got a desire to grow, and the board’s pushing management to bring forward more M&A opportunities and, well we don’t like this business, we think it’s got too much risk attached to it, whatever the case may be, and it needs a balance here, but I think with the sort of wounds that have been sustained in this most recent battle, I see management as being very, very cautious. In time that will heal and they’ll move forward, but it’s a challenge.
Brenda: I can understand why management would be gun shy. Do you think some of that, John, may relate to concerns about risk management decisions in the future being tied into their executive compensation?
John: Could very well be, Brenda, I think that’s one issue. I think as well they don’t want to be tarnished in terms of their careers. They may be getting towards the twilight of their career and they don’t want to leave with their head low as opposed to held high. Why should I do this now, I’ll leave this to my successor. By the way, my compensation, my stock options are based upon results; my results are okay, let’s keep a steady ship, let’s not rock it for right now, so that when I retire I can then make a decision what I want to do with my stock options. There’s some of that that comes into play, but compensation will certainly become an important issue going forward as risk management gets a higher profile in measuring the performance of executives.
Mike: You sure see how the pendulum keeps swinging back and forth, you know if you go back before the downturn, the average CEO felt if they didn’t have three or four acquisitions they were looking at, and taking enough risks, then they weren’t doing their job and they certainly wanted to see their compensation tied to that. So it goes back and forth depending on the environment, to show you why risk management’s so important, because unless you’re thinking about it, you will just go with what’s happening in the current times, as opposed to a really thoughtful approach to it.
Helen: And Brenda, you have mentioned compensation being an important way to direct management to take good risks and not make bad risk decisions. Can you give us some input as to how that compensation might be structured?
Brenda: I think companies need to have good risk management systems in place as Mike has mentioned. You have to have defined the risk appetite. If it’s not defined then you can’t really evaluate decisions that senior executives make. And so the first priority for the board is to ensure that there’s sufficient granularity around risk appetite. And then, adequate reporting on how are those decisions taken, what does the senior team do in certain circumstances, and then tie that in to the annual compensation discussion.
Helen: Mike and Brenda, maybe you can talk a little bit about this: in terms of risk and measuring it, how important it is - how can risk be properly dissected, and what tools can directors and management use to appropriately oversee risk management?
Mike: I can take a stab at that. It’s pretty complex, as you can imagine. If you’re talking about certain financial risks, your liquidity risks, there are pretty well-defined models that companies can use to calculate the risk involved. The real complexity comes when you look at other areas of risk that typically don’t have well-established numbers or models attached to them. I use the example of reputation risk with what we’re seeing whether it relates to your carbon footprint, or child labour issues with your supply chain, and how do you manage that? That’s very, very difficult to do, and as a result you do see companies struggle with it, but it doesn’t mean they shouldn’t handle it and focus on it.
And it may be very subjective, and it may be as simple as sitting down through a number of strategy sessions and talking it through. You know, what do we see our competitors doing, and what has hit them, and what have been some of the lessons they’ve learned? Where have our near misses been in this area where we thought we might have had an issue, but we solved it? Because there are sometimes good stories that people just gloss over because they’re only focused on the negative. It’s really just hashing all those things out and coming up with a way to articulate it. People are sometimes concerned that just coming up with a high low medium measurement for the risk, or a subjective way of saying it, is a concern; it doesn’t give you enough granularity, but sometimes that’s all you can come up with, and you should. But if you do nothing, then you’re really in a black hole.
Brenda: I agree with what Mike has said. Risk management is probably more art than science. Some of it can be quantified but a lot of it can’t be, particularly emerging risks, and so you really need to have a dialogue, get all the heads together to talk about it. Some risks are highly co-related, others aren’t. Some risks affect the system as a whole, so if you don’t have that qualitative discussion, you’re never going to service those issues. The other point that Mike makes which I’ve seen many times is companies really need to look at what happens across the street, because it can happen in your own house, and to run through the scenario analysis: if that happened here, how would we deal with it? Do we have the controls to address it? Very, very important to take the lessons learned from others that have accidents.
John: One of the observations I make when we’re looking at risk over the last several years, and as the crisis hit, everything moved from Quality of Earnings, ROEs, all of these numbers, to how do we know we’ve got enough money to pay our bills? And so liquidity became a major risk factor that was suddenly on the table. It didn’t exist before really because money was pouring in, whatever business we were in. In one particular situation we directed the CFO to go out and get increased lines of credit as protection. Although the CFO at the time said “we think it’s going to be too expensive to do,” we said “we don’t care, just get it as protection.” Not only did the CFO come back with one particular layer of additional credit facility, which was reasonably expensive, but it’s insurance policy more than anything else, insurance is expensive at times in difficult situations, but as well thinking that to even increase the amounts that is available and to have greater lines of credit available, so it was just all to ensure that we don’t run into the situation where we’re maxed out our lines and we’re at the mercy of our creditors and in particular our lenders. So liquidity became really a dominant risk issue of just about every one of the boards in which I sit over the last 18 months.
Helen: So there’s been plenty of discussion about what big board and large organizations do in terms of risk management. But what about the small to medium sized companies, what about the private companies? Maybe I’ll direct that question to our subject matter experts, Mike and Brenda. Can you give us some insight?
Mike: Sure. I think it’s important to remember that risk management applies to every organization, and certainly small to medium enterprises, perhaps even more important, because they don’t have all the resources to think about this on a regular basis, or the compliance and regulatory framework in that public companies are almost forced into thinking about risk management on a regular basis. If we just step back, I mean risk management, if you look to define it, is often thought of as the risk of meeting or not meeting your business objectives. So that obviously is very appropriate for the entrepreneur to the larger medium sized businesses to think about. The key is how do you tap into it? Because you might not have the same sized organization or resources or board to work with, and one of the first things to turn to or think about are your current advisors and your current network within your organization. Your external auditors can be great help, or other advisors that you may have who have good insights into your risks and controls, and just use a management team, just taking a little bit of time, it doesn’t take a lot, just to sit there and think about it and process what the key risks are and how you’re going to manage it.
Brenda: There may also be industry associations that you’re part of, and you can tap into those in terms of what’s being done at some of the larger enterprises that you could tailor for your smaller organization, and possibly band together with similar smaller companies, in terms of talking about the risks that may affect your business, because risk management isn’t really a propriety secret. It’s something that often you can share with even your competitors. And so reaching outside your organization can be quite helpful in terms of what others are doing.
Helen: Actually that’s something that I’m really seeing in my practice area, because we provide independent valuations and fairness opinions, and often boards of major public companies look to fairness opinions to help them in decision-making for significant transactions. But what we’re seeing is more and more medium and small companies going outside and getting an independent opinion, which helps them make a decision. So it’s not something that goes in the public domain, It’s not something very circular, it’s really a tool for making a business decision, with some external support, a fresh set of eyes looking at an issue to provide guidance.
Mike: We see the same in our practice on, say, the internal audit side, where people want to look to their suppliers, overseas suppliers, that may conduct audits around health and safety, child labour practices overseas and whatnot, and there are organizations that provide these audits, and obviously they’re giving the same assurance to a number of different companies in an industry, or that use that supplier. We’ve seen companies get together on that, to share the cost, and ensure they’re all getting the same level of comfort together.
Helen: I think we’re running out of time now. With our few remaining moments why don’t we just go around the table and if each of you can take 30 seconds or so to give us one piece of advice to leave our audience with, that would be really appreciated. John, can we start with you?
John: Certainly. I think above all, ensure management has an appetite for understanding risk, and has developed a strategy of how to deal with risk. If management ignores the concept of risk, I think they’re facing not only a short-term career, as boards will not tolerate that, but at the same time, they’re exposing their organization. Management at times will say they’re dealing with risk and risk effectively, but the proof is always in the pudding. And so the sort of reports that Brenda’s been talking about, Mike’s been talking about, sort of analysis, sort of board discussion, is fundamentally important. So tone at the top, risk culture, but don’t go to an extreme.
Helen: Thanks John. How about you, Mike?
Mike: I guess one piece of advice would be find a way in your organization that works for you to think about emerging risks. A lot of the focus on risk management in the past has been on the known risks or operational financial risks that certainly there needs to be some work on in those areas as well, that we’ve learned about through this financial crisis, but also we’ve seen there are unknown risks, or risks that companies haven’t thought about in the past. Whether you need a separate emerging risk or strategic risk committee, or whatever works for your organization, find the venue to think about emerging risks.
Brenda: I would recommend that companies and boards keep tapped in to what’s going on in their industry on this issue of risk management. What are other boards doing in the area? What are other Chief Risk Officers doing in risk functions, or CEO’s? Because you can glean a lot from the best practices of other players, so keep networked and connected.
Helen: Thank you Mike, Brenda, and John for your insightful commentary and practical advice to our listening audience. To learn more about managing in a downturn, visit the PricewaterhouseCoopers Managing in a Downturn webpage at pwc.com/ca/managinginadownturn.
Dean: This concludes this episode of Strategy Talks, part of the PricewaterhouseCoopers Managing in a Downturn podcast series. I'm Dean Mullett, thank you for listening.
Helen: And I'm Helen Mallovy Hicks. We hope you'll join us again soon for another episode. To download or to subscribe to this podcast series or to find more information on this topic, please visit our Managing in a Downturn website at pwc.com/ca/managinginadownturn.
The information in this podcast is provided with the understanding that the authors and publishes are not herein engaged in rendering legal accounting, tax or other professional advice or services. The audience should discuss with professional advisors how the information may apply to their specific situation. Copyright 2009, PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, an Ontario limited liability partnership, or as the context requires, the PricewaterhouseCoopers global network or other member firms of the network. Each of which is a separate and independent legal entity.