Private company boards have an important role to play in overseeing company risk identification, prioritization and mitigation. Here, we’ll discuss the ways that boards approach their role and how that role is applied at different companies.
Owners, Boards and Leaders
Owners develop a vision, values and expectations for company performance. Commonly, private enterprise owners describe a purpose to create economic value for shareholders and employees and perceived value for customers and suppliers while also investing time and money in the communities where they operate.
The board sees that the company is well-run in accord with the owner’s vision, values and company performance expectations. Typically, the board’s role is to share experiences, act as a sounding board, and contribute fresh ideas and insights in areas like:
- Shareholder vision, values and company culture.
- Strategic direction and competitive positioning.
- Shareholder returns and risks.
- Sources and uses of capital.
- Ownership interests and succession.
- CEO development, feedback processes, compensation and succession.
- Discussion of important initiatives, acquisitions and divestitures.
They can also serve as a supportive guide, validator and accountability forum.
The CEO reports to the board and they, along with other leaders, are responsible for living company values. The chief executive creates plans, carries them out and tracks performance. He or she is also accountable for achieving results that meet or exceed board-approved goals that are designed to meet owner expectations and keep the company financially healthy now and in the long run.
Relating to risk, the owner’s role is to define expected returns and the risks they’re willing to undertake. The board’s role is to oversee company risk identification, prioritization and mitigation. The CEO and other leaders create and carry out plans and produce outcomes that meet shareholder goals within established parameters for risk.
Strategic Planning
In building value, what matters most is the future. A board encourages leaders to consider not only what will most likely happen, but also the range of possibilities for what could happen. What are the potential risks and associated returns? What are the probabilities and potential impacts? Leadership is responsible for creating the strategic plan that is reviewed, discussed and approved by the board.
A board chair likened the process to climbing a mountain. The expedition leaders proposed to sponsors a goal to climb to the summit of a mountain. Most likely, the ascent would be in July, but it could be in August. The most likely route would be over a glacier and up the southern face. But if the weather turned out to be unseasonably warm, an ascent up the north face would be favorable. In that case, there would be no need to cross a glacier with the dangers of hidden crevices. To keep both options open, lead climbers would need to install anchors. Is that double-investment worth it? If the weather is not favorable for the safer north face ascent, can the expedition wait until the next summer? Is the risk of focusing only on the southern face ascent acceptable? In this case, the sponsors and the expedition leaders agreed upon the investment needed to keep both climbing options open.
As in the mountain climbing story, a business board starts by understanding the owner’s goals. Then the board considers alternatives for achieving those goals. What are their risks and returns? What are the probabilities and likely impacts? Finally, what are the priorities and plans for moving forward?
Risk Categories
Risk is a familiar topic among privately held businesses. A 70-year old founder said to younger leaders, “You’re not going to try that new idea with my money!” In this example, the risk of fast growth advocated by the younger generation was tempered by caution in the older generation. Or circumstances can be the reverse. A founder exclaims, “We got this far by taking risks. So, let’s take some more!” Instead, the younger generation suggests, “Let’s consolidate some of our gains and take a little less risk in the future.”
Owners of any age often find themselves in discussions about debt. Should we have debt? If we do, how much debt are we willing to risk as a proportion of our total capitalization? How can we continue to keep up with competition without taking on a reasonable level of debt? On the other hand, how can we ensure the ability to make it through the next recession if we increase our risk with more debt? These are common concerns related to risk.
But risk and risk management are much broader than those familiar ways of thinking. Here are some of the risk categories that can be considered at the board level.
- Geopolitical. War, trade barriers and government subsidies.
- Cyber. Data breaches, ransomware and generative AI.
- Government. Regulations, money supply/debt and taxes/subsidies.
- Marketplace. Competition, acts of God, recession/inflation and reputation.
- Operational. Talent attraction/retention, supply chain, safety and security.
- Financial. Owner alignment, leverage/capital and revenues/returns.
Just keeping a full range of risk categories in front of the board can help directors think broadly about risk and its implications for the business enterprise.
Dealing with Risk
Companies deal with risk differently depending on the structure of their business and the marketplace where they compete.
Let’s say a company constructs and maintains power lines. Line installers and repairers face dangerous risks that can lead to severe injury or even death. In this example, the board sees that workers are well-trained and that a culture of safety is maintained.
A U.S.-based company is manufacturing in mainland China where the plant leaders hail from Taiwan. The board sees that contingency plans are in place to shift products from that plant to another plant in Vietnam if warranted by potential circumstances.
New innovations drove high growth for a currently thriving company. The company’s talent and speed to market were the basis for company success. To help keep that advantage in the future, the board is encouraging company leaders to create an internal generative AI network, pulling in large quantities of data, combining it with their own and walling off their network from outside access.
How the board of a particular company deals with risk depends on the most prominent risks that they face. That varies widely among companies and their industries.
Anticipating and Mitigating Risk
Anticipating and mitigating risk starts with understanding how the company or line of business wins in the marketplace and what could hinder success in the future. Identified risks can be assessed to determine both likelihood and impact. Those risks can be ranked. The board can see that mitigating actions are developed for high-ranked risks and that those mitigating actions and the risks themselves are regularly monitored.
A company rated the risks within the geopolitical, cyber, government, marketplace, operational and financial areas. It turned out that “data breaches” was both the highest probability risk and the highest impact, so it ranked as the company’s number 1 risk. Risk-mitigating actions included the hiring of a third party data security firm, two-level verifications, breach practice events and learning sessions for users.
A company cannot mitigate every conceivable risk. Nor should it try. But a methodical approach that identifies and prioritizes potential risks is useful. Necessarily limited resources can then be directed toward mitigation of the highest priority risks with the biggest impact.
Organizing the Board
Considering and prioritizing potential risks and returns is an important role for every member of the board. It’s the board’s role to see that company leaders consider alternative scenarios and the risks they represent. Boards see that risks are prioritized and the most important risks are mitigated.
The board chair can give priority to risk identification, prioritization and mitigation in the way the board agenda is set up. A variety of board members, board committees and leaders may feed into the process of risk review and discussion at the board level. The board chair can create a regular cadence for risk review and discussion.
Some boards decide to give risk management a focus by establishing a risk committee of the board that includes directors and leaders. Other boards add risk explicitly to an existing committee, sometimes an audit and risk committee or a strategic planning and risk oversight committee.
Any of these approaches can work so long as ultimately all board members feel responsible for seeing that potential risks and returns are considered and the highest priority risks with the biggest impact are mitigated and regularly monitored.
Know Your Owner’s Goals
Companies deal with risk differently depending on the structure of their business and the marketplace in which they operate. But a common thread is that boards can start by understanding owner goals. The board can consider alternatives, their risks and returns, the probabilities and potential impacts, and the priorities and plans for moving forward.
Risk and risk management are much broader than the familiar ways of thinking about risk relating to how fast the company should try to grow or how much debt it should take on. The board can inspire company leadership to think broadly about risk and risk management. Ultimately, all board members are responsible for seeing that potential risks and returns are considered and the highest priority risks with the greatest potential impacts are mitigated and regularly monitored.