A bus driver veers off course and travels under a bridge killing and injuring several people. A natural gas pipeline containing numerous welds of smaller segments explodes in a residential neighborhood, destroying several dozen homes. A food company sells bacteria-infected meat, killing several people. An oil company’s deep water rig explodes, causing catastrophic environmental damage.
Internal controls over the reporting of non-financial operational risks, which move a company from gross to residual risk, exist in each of these cases: automated GPS-monitored dispatch systems, safety compliance checks, standards for pipe construction and fatigue, segregation of duties and oversight for cleaning food-processing machinery, and tests to detect hydrocarbons running up a well.
When management reports risk, and the design and effectiveness of internal controls, to a board, can or should the board be able to understand and identify the key risks and, if necessary, in its or a committee’s discretion (particularly when it is aware, or should be aware, of material and anomalous safety infractions, for example), require independent assurance (internal or external) over that risk? It is not the case that a CEO is disconnected from, or should not be held responsible for, the treatment of risks lower down in an organization: a CEO holds the levers of power and signals to the entire organization how risk (including the treatment of internal controls) is to be treated, through how similar risks are and have been treated. A CEO sets the culture as directed by the board. Nor is it the case that a board, or even a single director, cannot have significant influence over the CEO in understanding and directing that CEO and other direct reports to comply with best risk-oversight practices. Indeed, one director or chair with leadership skills, industry knowledge and independence can direct the turnaround of the entire risk management system in a large, complex organization simply by relentlessly pressing management and building consensus within the board that the tone at the top is to be properly established. The author has seen this happen.
This question of the board’s role in risk means that a board needs to understand fully the company’s business model and its material risks. It means that directors should be recruited with a view to understanding risk. (For example, an airline could recruit a director with military experience who would understand internal controls over the labeling (and potential poisoning) of the pilot’s food. A bank could recruit a director with 25 years of risk management experience.) In addition, a director or committee overseeing risk (particularly non-financial risk at non-financial companies) should be empowered to seek outside assurance that management’s attestations are accurate, as a constant check on management. The Walker report in the UK came very close to giving the risk committees of financial institutions this responsibility and power. King III in South Africa recommends that a board’s audit committee obtain “combined” assurance (meaning management, internal and external assurance), and that sustainability risks (defined broadly as non-financial risks) be “independently” assured. In addition, financial and sustainability reporting are to be “integrated”. This would give non-financial risks parity with financial risks in treatment and reporting. One non-executive chair of a large American food company, interviewed last week, agreed with this parity for non-financial risks and indicated that the most significant improvement to the board’s risk oversight, other than the appointment of a non-executive chair, was to remove oversight of non-financial risk from the purview of the audit committee and lodge it with the governance committee.