This post is by Mary Hill Leahy. She graciously gave me permission to reprint it. Mary offers a rare combination of operational experience, strong legal expertise and the ability to see and capture market opportunities. She currently serves as Senior Vice President, General Counsel & Secretary of a NYSE-listed company.
The trend toward more depth in Board oversight of risks is a good thing, leading to Boards with a deeper understanding of business and compliance risks and Boards that are better positioned to help their company achieve long-term sustainable success. As a director, you want to understand both the strategic and operational risks for your company. And, you want to be sure that the Board provides an appropriate level of oversight.
All opportunities come with risk. So if your company’s management team or culture is primarily about avoiding risk, you’re unlikely to achieve much. Taking on risks is what business is all about. You want your management team to identify key strategic opportunities and pursue them aggressively.
This is different than taking on strategic opportunities without careful analysis of strategic or operational risks. Your strategy can be bold, but it needs to include appropriate risk mitigation controls. And some risks just aren’t worth it if your company is – as it should be — about sustainable long-term success. Ignoring basic compliance obligations also should be a “no go” and usually can be addressed as part of the risk mitigation plan.
That gets us to why culture, well-defined roles and responsibilities, and individual people matter so much. Your culture needs to support creative strategy development, as well as in depth analysis of ideas. That means that both the opportunity and risks are considered together. The Board and the management team need to value a variety of appropriately scoped roles with real input throughout the process. You don’t want a culture or process where good ideas are “vetoed” merely because someone perceives some risk. You also don’t want a culture or process where ideas from key leaders become strategies that are not grounded in reality or ignore important strategic or operational risks.
Operationally, getting it “right” presents a similar challenge, though the Board has less visibility to day-to-day issues and less of a role. But the Board should care about how culture, well defined roles and responsibilities, and individual people impact decisions. Are key leaders truly open to perspectives other than their own? Are decisions made with the right scope and level of input from both business leaders and those in risk control roles? Do business leaders know that they are accountable for properly assessing and managing risk? Do those in risk control roles understand the business strategy and needs, and are they supported in their efforts to identify and mitigate risks?
Boards play a critical role in whether or not a company’s culture, definition of roles and responsibilities, and people create sustainable business success. Directors should:
(i) Insist that strategic initiatives are vetted by management, including assessments of both opportunities and risks;
(ii) Insist that roles and responsibilities be well-defined, with risk assessment and control shared by business leaders and those in risk control roles;
(iii) Evaluate the management team’s willingness to have open dialogue, welcome challenge and support those in risk control roles; and
(iv) Evaluate those in senior risk control roles for their ability to understand and support business strategy, as well as to speak up about risk control issues.