Most directors don’t monitor risk well. That’s a chance that companies shouldn’t take.
What are the chances that a catastrophic earthquake could strike Japan and severely cripple supply chains? Or that a volcanic-ash cloud could turn much of Northern Europe into a no-fly zone, disrupting air travel and impairing economic activity? Or that a major financial institution could fail in the first decade of the 21st century, pushing the entire global financial system to the brink?
Until recently, such scenarios would have been considered too far-fetched to warrant much attention from corporate directors. And few, if any, directors would have considered the proactive assessment of such risks to be among their fundamental responsibilities. In the wake of these and other events, however, it has become clear that the definition of governance has broadened and that awareness of risk has become a fiduciary obligation. Directors can no longer be passive participants; the process must start with and be spurred on by the board.
In the banking sector, regulation is driving this shift. Britain’s bank regulators recently rolled out a new “reverse stress test” that requires banks to identify potentially catastrophic events and develop plans to withstand crises such as flu pandemics, disrupted food supplies, or political coups. Though opponents slam the exercise as the heavy hand of government, advocates stress the need for more systemic thinking and prudent planning — pointing to how ill-prepared banks were for the recent crisis.
In the U.S., the Dodd-Frank legislation has given shareholders more power to act as corporate owners, fundamentally shifting their relationship with boards of publicly traded companies and forcing directors to be more transparent. In the new world of social media, board actions instantly go viral. Will this increased transparency lead to better risk management?
Recent surveys offer diverging insights. One indicated that 68% of directors feel confident in their ability to monitor a risk-management plan that would mitigate corporate exposure. However, another report revealed that nearly two-thirds of surveyed directors indicated they either did not monitor the risk-management process or did so only ad hoc.
Typically boards have defined risks as strategic, operational, financial, and compliance. That universe needs to be widened to include intangible assets, such as a company’s reputation, or unpredictable vulnerabilities, such as issues facing enterprises with which the company does business. While boards cannot predict every event, it is no longer sufficient to follow a prescribed road map based on past events or assume the job has been done by checking the boxes.
When it comes to risk assessment, there is no one-size-fits-all solution. Admittedly, the process can be time-consuming and frustrating, for it is as much an instinct as it is data-driven. Some boards opt to hand it over to a risk committee. But for risk management to be effective, the entire board needs to own the process.
–Faye Wattleton is a managing director at Alvarez & Marsal and a corporate board director.
This article is from the December 12, 2011 issue of Fortune.