About Gene Kim

I've been researching high-performing technology organizations since 1999. I'm the multiple award-winning CTO, Tripwire founder, co-author of The DevOps Handbook, The Phoenix Project, and Visible Ops. I'm a DevOps researcher, Theory of Constraints Jonah, a certified IS auditor and a rabid UX fan.

I am passionate about IT operations, security and compliance, and how IT organizations successfully transform from "good to great."

Tuesday, June 8, 2010

Talk notes: NACD Director Professionalism: Risk Governance

Director Professionalism
Philadelphia, PA
June 8-9, 2010

Course description at the NACD website here.

Risk Governance

Peter Gleason, Managing Director and CFO, NACD
Director, the Patriot Fund

Interestingly, I just found out after meeting Peter that I'm very familiar with some of his work, "What Boards Needs To Know About Information Security," which Peter headed up as the NACD head of research in 2002.  The visionary behind this was the late Tom Horton, former chairman of NACD.

This talk centered around the NACD Blue Ribbon Commission report "Risk Governance: Balancing Risk and Reward," which can be purchased for $50 at the NACD bookstore here.

I'm a little frustrated, as the information is at a very high level: like 90K feet. I'd love some practical examples of how to operationalize this, where people don't waste their time for three years in meetings without any material change in how the business operates.

Best advice during the talk:

  • On directors and how they should get information from people closer to those doing the work. The more levels down, the better.
    • "At board dinners the night before, don't have dinners with the board: have dinner with people a couple of levels down: ask 'what is it like working here?' You know the C-level folks very well, so get to know the people below that level well."
    • "Director education: give them a book, and book them a flight to walk the floor at various sites where money is made." Home Depot example.
  • An analysis of BP risk management is at the bottom of the post.

Notes are below:

  • "enterprise risk management is just management"
    • Everyone has seen the "COSO Cube"
    • So what is the board's role?
    • Had roundtables at many of the 22 chapters
    • Resulted in the Blue Ribbon Commission report "Risk Governance: Balancing Risk and Reward." The commission included Oxley, PCAOB staff, etc.
  • Agenda
    • Understanding balance between risk and reward
    • Categorizing risks
    • Roles of board and management
  • Without risk, there is no reward
    • "a car in neutral goes nowhere"
    • Determine risk appetite based on
      • foreseeable risks
      • possible rewards
      • shareholder expectations
      • available capital
      • strategic alternatives
      • acceptable volatility
  • Risk is a team sport
    • Only 30% of attendees here have primary responsibility to the audit committee, down from 60% last year
    • Audit committees are so overburdened that risk needs to be integrated into the full board
    • standing committees support the board
    • if created, risk committees should aggregate/analyze risk
    • Notes that "most companies that ended up on the beach in trouble had risk committees," so the real question is how to effectively manage risk
  • Categories of risks (spectrum from board to management)
    • Governance risks
    • board-approval risks
    • critical enterprise risks
    • emerging risks and non-traditional risks
    • business-management risks
  • Board responsibilities
    • Understand balance between strategy and risk
    • ensure management has a system to manage risks
      • identify, assess, mitigate, monitor and communicate
    • Provide oversight through the committee structure
    • realize the interrelationship of risks
      • "a lot of little yellow flags can add up to a big red flag" -- especially when it's across a lot of divisions
      • "SEC now requires board to discuss role with regard to risk"
  • Create dialogue around three critical areas
    • risk appetite
    • aggregation and integration
      • "Often in dialogues with internal auditors, because they're in the trenches and can bubble up information"
      • "Certain risks get folded into the comp committee, reporting up into the full board"
      • "Are we incenting the wrong behaviors?"
      • Question: "Assuming you could quantify risk, are there guidelines of ranges? Say, 3:1 upside/downside?" "That's management's job, bringing in consultants."
    • underlying assumptions in management's strategy
      • Have appropriate skepticism: "What are the other alternatives?"
      • Question: "What does risk look like for non-profits?" Talked about looking at funding sources. Post-Enron, many non-profits failed because the funding pool disappeared.
      • Question: "I don't like the term 'risk appetite,' because it sounds like a buffet. There are situations where there are many risks we have no choice but to accept. We all operate in a policy environment. Maybe 'risk or policy climate'?"
  • Management responsibilities
    • Identify and disclose risk to the board
      • focus on material risks
      • implement risk mgmt within strategic plan
      • don't be afraid to bring news
    • Have risks changed since the last board meeting?
    • Ascertain likelihood and significance of risks
    • Who in management "owns" the various risks?
    • Establish key metrics
  • Improving risk communication
    • Map risks to managers
    • map committee oversight responsibilities
    • identify significant non-financial risks
    • educate directors about financially sensitive risks
    • consider overlapping committee memberships/attendance
    • ensure committee is reporting (including minutes) to full board
    • encourage informal discussion among directors
      • "Directors should get information from people closer to those doing the work. The more levels down, the better."
      • "How?"
      • "At board dinners the night before, don't have dinners with the board: have dinner with people a couple of levels down: ask 'what is it like working here?' You know the C-level folks very well, so get to know the people below that level well."
      • "Director education: give them a book, and book them a flight to walk the floor at various sites where money is made." Home Depot example.
  • Every board should be certain that
    • risk appetite in the business model is appropriate
    • the expected risks are commensurate with the rewards
    • management has implemented a system to manage, monitor and mitigate risks
  • Question: "What should BP have done?" "BP had ten fail-safe mechanisms in a one-mile pipe. That's an execution problem. From a crisis management perspective, clearly there's something wrong: they didn't think about the mitigation efforts and what happens when something goes wrong. If it doesn't work, then what do we do?"

TODO: get book "Why Great Leaders Don't Take 'Yes' For An Answer: Managing For Conflict and Consensus" by Michael Roberto.
