The Board and Risk Management

A recent business headline in the newspapers reported that foreign investors pulled N846.5 billion from the Nigerian Stock Exchange as a reaction to the uncertainty about the Nigerian economy arising from the cocktail of falling oil prices, a massively depreciating Naira and fears of post-election violence. Similarly, the share price of some financial institutions is falling as some allegedly have between 20 and 40 percent of their portfolio exposed to the embattled oil & gas industry.   These are risks that companies should have foreseen. Presently, companies without a clear risk management strategy in place will be sitting scared.

In today’s business climate, strategic enterprise-wide risk management must become a core management framework and as with most things, the board is responsible for providing oversight to ensure that a risk framework is adequate and effective. Increasingly, high performing firms are shifting from ad-hoc risk management to an enterprise-wide risk management system, which is a holistic view of the risks facing an organization.

Risk- management should no longer be a mere compliance term given the potential impact of contemporary business risks such as a fall in product demand, data security, business partner defaults, declines in commodity prices, swings in foreign exchange rates and in today’s Nigeria, terrorist attacks on business personnel and promises.

Before a risk management strategy is put in place, a company must first of all determine its risk appetite. This is best done with an understanding of its risk capacity and how much of the capacity it is willing to expend. Management consulting company, Mckinsey defines Risk capacity as “a company’s ability to withstand risk when it materializes, while avoiding unwanted effects such as cancelled projects, damage to the company’s reputation, rating downgrades, and defaults and insolvency.”

A company’s risk appetite will then go on to inform a company’s business strategy and risk management response. For example, companies may decide to exploit risks for business success, mitigate risks by trying to reduce the likelihood of occurrence for internal risks or reduce the severity of impact. Other risk-management strategies may be to transfer risks through insurance or indemnification contracts or to reject some categories of risks altogether by exiting a business.

The Board is responsible for overall risk oversight and must assure itself that management has established effective enterprise risk management in the organization.  The board may choose to perform this function either by formulating a specific risk management committee, as is the case with most financial institutions. Alternatively, the board may ask standing committees such as audit, nominating and compensation committees to address risk oversight in their functional areas. However, in all cases, the board should reserve strategic or critical risk issues in the full board discussion because ultimately the board collectively has the responsibility for risk oversight.

In order for board members to fulfill their risk oversight role successfully, it is important that they understand the key business risks facing the company. In fact, it is desirable if the selection of at least one director includes risk management capabilities within the industry or at a similar company. Risk education should be included as part of the training and induction process for new directors. During their tenure, board members should receive periodic updates about key risk issues from business managers of strategic business units. A less preferable alternative is using external consultants to apprise directors of the risk environment a business faces. If they are however not receiving enough information about the risk management in a company, the board should be proactive in asking for more.  This information should be used in judging and advising on the adequacy and effectiveness of management’s risk management strategy.

In sum, “while ERM is not a panacea for all the turmoil experienced in markets in recent years, robust engagement by the board in enterprise risk oversight strengthens an organization’s resilience to significant risk exposures.”-  The Committee of Sponsoring Organizations of the Treadway Commission, US