What Is the Best Way for a Board to Manage Risk?
Neither public policy nor what firms actually do offer clear guidance as to the best way for a board to manage risk. Is it through the use of a dedicated board-level risk committee, or by spreading oversight across a number of board-level committees, or by delegating oversight to a committee of managers who then report directly to the entire board? All three of these risk oversight structures are evident in the public disclosures of firms.
To Have a Board-Level Risk Committee or Not?
Of course, there is symbolism to having a board-level risk management committee. The committee conveys the perception of taking responsible actions, which perhaps enhances a firm’s reputational legitimacy, regardless of the committee’s effectiveness. For example, a report from the Risk and Insurance Management Society, a premier professional organization dedicated to advancing the practice of risk management, proposes that a board-level risk committee “… is most appropriate for an organization that truly understands that management of their risks is an important ingredient for achieving strategy.”
However, results from analyzing a large number of firms, across different industries and markets, offer a nuanced perspective. An analysis of U.S. banks finds no difference in relative profitability between banks that oversee risk through a board-level risk committee and banks that do not.
An analysis of U.S. insurers finds that insurers with a board-level risk committee trade at a lower market premium over their book value compared to insurers without such a committee.
In the U.K., an analysis of financial services firms finds that firms with a board-level risk committee operate with increased risk compared to firms without one.
Use In-House Expertise
A common shortcoming of these and other similar studies is that their use of public data does not capture fully the quality of support a board-level risk committee can have from the firm’s internal risk experts.
In fact, in 2016, a study that analyzed proprietary data on the way a board interacts with its firm concluded that a firm achieves more tangible risk management outcomes when the entire board oversees risk while maintaining a robust communication with the firm’s senior risk experts.
Thus, the empirical evidence suggests that, to be effective, those who oversee risk in a firm need to understand the full complexity of the firm.
Some have argued that as firms respond to external demands for independence in their directors, the board’s understanding of the firm’s complexity suffers. In fact, board-level risk committees tend to be exclusively, or almost exclusively, comprised of independent directors.
The Issue With Independent Directors
For example, according to public filings, in 2016, just over 95% of the total membership of board-level risk committees were independent directors among the property, casualty, life and accident insurers trading in the market. But independent directors face steep learning curves to master a firm’s risk complexity — especially in the tightly coupled and dynamic system that is a large modern firm.
A line of reasoning holds that managing risk creates value not by reducing overall risk, but rather by prudently allocating the firm’s risk.
Regardless of how the board officially oversees risk, it is the in-house risk specialists who effectively mastermind the firm’s stance on risk.
This reasoning relies on the fact that, in a freely competitive market, firms can earn economic profits only for activities in which they have a costly-to-replicate competency. Creating value, then, is not about how much incremental risk a firm takes, but rather whether the firm generates sufficient wealth given its total risk.
The Value of Company Expertise
Regardless of how the board officially oversees risk, it is the in-house risk specialists who effectively mastermind the firm’s stance on risk.
Consider three hypothetical companies. The entire board of the first firm oversees risk primarily through its Risk and Return Oversight Committee and its Audit Committee, along with where senior managers attend the meetings of each those two committees.
The second board exercises its risk oversight through a dedicated board-level Risk Management Committee in conjunction with an Executive Risk Management Committee. The firm’s chief executive officer is a member of both the Board-Level Risk Management Committee and the Executive Risk Management Committee.
The third board assigns its risk oversight responsibilities to the Audit Committee and to the Investment and Capital Committee, which in turn receive recommendations from a Management Risk Committee.
The first board acts on regular risk reports it receives from the firm’s chief risk officer, other executives and outside risk experts on retainer. The second board relies on a decision-making group, which consists of the chief executive officer, the chiefs of key line functions and the heads of select staff functions. The third board reviews (and generally accepts) recommendations from a working group, comprised of senior managers across the firm’s business units and functions.
The Hierarchical Location of a Risk Committee Matters Less
What is relevant is how well risk information flows around the firm and how well information flows within the firm — it is an area that always needs improvement. At levels below the board, specialists generally develop their skills within operating silos.
Such compartmentalization, which persists, despite strong efforts to eradicate it, acts as a barrier to information, since each compartment of the firm uses its own risk language and because each compartment makes its tactical decisions mostly independently.
The Wicked Problem
One approach is to consider the question of how to best oversee risk in a firm as a “wicked problem.” A wicked problem is created by a nonlinear interaction of complexity. Unlike the traditional problems that managers are adept at resolving, wicked ones cannot be resolved by optimizing a solution and then going back and reworking the problem if the chosen solution turns out to be wrong.
Solutions to wicked problems can only be judged as “better” or as “worse,” relative to an alternative action. In this case, the wicked problem is how to best oversee risk.
Research on resolving wicked problems suggests that they require an integration of a host of trades, including tolerance for ambiguity, ability to integrate scattered facts and anticipation of inflection points. These are exactly among the trades that executives and senior managers in a firm have to hone as they rise in the firm.