Saturday, 9 June 2012

Russian roulette risk for company boards

By Michael Dee, Published The Straits Times, 8 Jun 2012

THE 18th-century philosopher Edmund Burke said: 'Those who don't know history are doomed to repeat it.' After leaning over the edge to visualise the depths of the financial abyss only four years ago, our collective recollection of history seems rather hazy; nor do our actions evidence a searing learning experience.

The Risk Governance Guidance for Listed Boards issued by The Corporate Governance Council on May 10 has done a great service to both public and private enterprises in the field of risk governance. The committee should be commended for the thoroughness of its efforts and the document should be required reading for all enterprises, not just those engaged in business.

The report discusses a wide range of issues and articulates policies to deepen the governance and management of risk, as all enterprises have risk of various natures which change over time. But as stated in the disclaimer, 'this guidance is neither exhaustive nor prescriptive' and 'boards should exercise their own judgment' as to its applicability.

What role then should shareholders play, as owners of enterprises, in instructing their representatives on the board of directors? How should they advise board members on their roles, responsibilities and the proper procedures to be adopted under the Risk Governance guidelines?

While the report is right to clearly centre the responsibility for risk management on the board of directors, I feel it does not go far enough.

Make risk committee mandatory

SHAREHOLDERS should demand, as the owners of the business, more prescriptive measures as even a cursory reading of the Ernst & Young 12th Global Fraud Survey or the daily newspaper demonstrates.

The Guidance report considers the establishing of a risk committee of the board to be an optional feature. However, 30 years of experience has left me strongly of the opinion that a risk committee of the board aligned with shareholders should be a mandatory default requirement of all companies, regardless of their complexity. Given the sheer volume of issues with which a board of directors has to concern itself, diffused accountability can easily result in a lack of meaningful oversight of the many risks inherent in a modern enterprise.

The board of directors runs the very real risk of simply becoming dominated by the hiring of more risk consultants with their myriad of PowerPoint slides, 10-step plans, quantitative models, elusive jargon and procedures on paper, without the detailed, real-time, direct understanding of the risks that we as shareholders expect to receive appropriate strategic attention.

Shareholders recognise that the major impediments to the implementation and execution of sound and prudent risk management are:
- a lack of capabilities and experience in risk governance among those responsible for its management; 
- a lack of detailed knowledge of the firm and its industry practices; 
- the vast distance which can often exist in risk awareness and knowledge between the board and its hired management; 
- short-term corporate incentives which lack alignment of decision-making to prudent risk assessments; and 
- groupthink at the board and management level.

Lack of experience

TO THE first point it is worth noting that a recent analysis of JP Morgan's risk management committee by Bloomberg noted that it had only three members, each in place before the financial crisis, none of whom had prior banking experience for 25 years.

One was the director of a natural history museum who had taken personal loans from the bank and whose museum had benefited significantly from donations by the bank and the CEO's personal foundation. In the aftermath of a recent major risk management failure, these issues have been put under the microscope for criticism and have damaged the bank's historically good perception.

The point here is to ensure upfront that the right people are on the committee and that their integrity and independence are unquestioned. Risk committees, and boards generally, should only have highly skilled practitioners with direct, recent and relevant experience related to their roles, and be independent of potential and perceived conflicts of interest.

Lack of knowledge

AS TO the second and third points, boards defer far too much to management, as a result of suffering from a structural 'information deficit', a lack of defined command authority and only a few meetings per year. Without being empowered to independently gather vital information and analysis, they are rendered incapable of discharging their risk management responsibilities on behalf of shareholders, employees, customers and the community at large.

A risk committee of the board, focused and aligned, combined with overall board authority and empowered with direct access to a chief risk officer on a regular basis without management present, stands the best chance of protecting the enterprise and society. Too often boards focus on the process of risk management at the expense of the systematic and specific risks of the enterprise. This leads to a 'check the boxes' mentality rather than diving deep into the risk verticals until it's too late, when they then end up leading the post-crisis investigation.

Embed risk in pay structure

FOURTH, the only way to encourage prudent risk taking is to embed it in the compensation structure. Less cash, less options and more restricted stock with longer vesting, clawbacks and individual accountability throughout the organisation will reduce short-term, dysfunctional behaviour.

The recent trend in voting among shareholders on management's pay is a welcome move in the right direction so the board has a finger on the pulse of shareholders. Board members should be more engaged, paid more and paid in stock which cannot vest for at least five years, thus creating more alignment and engagement than a system whereby board members collect cash payments for very little effort and risk, as they are protected by director and officer insurance, and have limited financial exposure to the risks of the enterprise.

The danger of groupthink

FINALLY, the most insidious aspect of risk management is groupthink which is coded into human nature and is enabled by a desire for board cohesiveness. Groupthink is the behaviour that occurs when the desire for harmony in a decision-making group exceeds a realistic appraisal and discussion of alternatives. This leads group members to adopt conflict minimisation as a priority to reach a consensus without a proper critical evaluation of alternative ideas or viewpoints. This is a particular risk in Asian culture where conflict is to be avoided and in those situations where there is a premium on one's ability to fit in and be accepted. A critical element of proper risk governance is the creation of a culture of candour in an organisation to encourage all staff to speak up about potential risks and support them when they do so. That it is widely held among staff that to speak up is to assume career risk is perhaps the greatest risk threat to an enterprise. A risk committee should be charged with ensuring management is encouraging and supportive of employees' views and concerns and that they are brought to the committee's attention.

Proper risk management requires robust systems led by individuals willing to stand up and challenge conventional thinking and press hard against the leadership to ensure proper attention is paid to both specific and systemic aspects of risk. In high-profile failures, such as when vast amounts of oil leaked from BP's well in the Gulf of Mexico in 2010, the Columbia space shuttle exploded on re-entering the earth's atmosphere in 2003, or the financial sector which was near collapse in 2008-09, one notices that far too little attention was paid to those risks which could have been identified well in advance and addressed to prevent catastrophe.

There are many tools and systems available for risk management which should be utilised. However, none is as important as a focused, knowledgeable, independent and critical thinking group of individuals with direct access to management depth and the authority to take action.

To not have a dedicated risk management committee and a chief risk officer, in tandem with overall board responsibility, is to be playing an existential game of Russian roulette with the shareholder's capital.

The writer is a private investor and a Singapore permanent resident. He was the regional CEO for Morgan Stanley and senior managing director of Temasek Holdings.
