Risk management oversight is one of the most important roles of the board. The board must have processes and policies in place before a problem arises and the CEO needs immediate guidance.
“It’s most important to have a very robust governance process as well as an overall mindset within the company around compliance and risk management,” says Bill Goings, a director for Penn Mutual Life Insurance Company. “Then, this risk management approach should be filtered through the company strategy.”
With a foundational risk management oversight process, boards can be prepared for a number of different crisis scenarios.
“When we’re having conversations around supply chain management, part of my job is to help us not only to see potholes, but also to not drive into them,” says David Motley, a director of private companies Armada Supply Chain Solutions, ALung, Inc. and Forest Devices. “I think all of us have been guilty of both seeing and then driving into potholes. Asking the obvious question and looking for explanations provided by the leadership team in layman’s terms, forces that leadership team to dig a little deeper and perhaps look around corners that they hadn’t before.”
Another risk management approach that Motley has seen is the creation of three teams: one focused on “now,” one on “next” and one on “beyond.” He says that kept each of the teams focused on one stage of a crisis and prevented any from being overwhelmed.
“You need to deal with the crisis, you need to understand what’s on the other side of the crisis and you need to have that medium- to long-term view that is much more strategic than tactical,” he says. “The companies that did that — those are the companies that really did the best, in my opinion, in 2020.”
In a crisis, the board should lean in to help management, he adds.
“I think that during times of stress, everyone basically takes a step down. The board becomes a bit more like the C-suite and the C-suite becomes a bit more like the operating managers, and on down the chain. Then the challenge is, once you have addressed and moved beyond that existential threat to the business, to then define what’s the new normal. The new normal is not going back to business as usual; it is transitioning into something different than when you were in the three-point stance trying to survive the threat.”
There is no time to rest after a crisis is over. Goings says he’s already spending more time preparing for cyberattacks.
“On the cyber side, boards frequently come in and do what they call tabletop exercises, working with and aligned with management,” he says. “We have a hypothetical breach. What do we do about it? Who do we call? What is the decision tree around what we’re trying to mitigate or resolve? This sort of best practice, if you will, can be applied to any risk that you’re trying to mitigate, understand or be prepared for.”