Boardroom: Understanding the Board’s Role in Risk Management

Fall 2021

By David Halwig

I am a trustee at two independent schools and have a background in strategic transformation, leadership development, and governance. I became a trustee at St. George’s School (RI) in 2003, and in 2009, I was asked to chair the audit committee. In 2018, I became an unaffiliated trustee for The Langley School (VA) and assumed the same committee role. In each chair role, I looked for ways to enhance the value of the committee work for the school and the board as well as to optimize the use of committee members’ time and talents.
I had previously joined the KPMG Audit Committee Roundtable group and began to explore the changing landscape of risk management. I saw an emerging array of safety, litigation, and reputational exposures that, when played out in public, could transcend traditional compliance with established procedural, regulatory, and legal norms, elevating considerations of brand and reputation in the fiduciary scope. New concepts such as enterprise risk management (ERM), risk appetite, strategic risk, institutional resilience, risk maturity, and the like all suggested opportunities that could enhance the board’s ability to understand and execute its fiduciary responsibilities. We rebranded the St. George’s committee the “Audit and Risk Management Committee” (ARM), expanded the charter, added trustees with relevant points of view, and launched into a new concept for ERM at the school.
Not far into this transformation, the risk landscape and attendant fiduciary world changed for the independent school community at large. The financial meltdown, litigation that was uncommon in the past, and other events introduced levels and types of exposures rarely experienced before. Risk management could no longer substantially be limited to the finance, audit, and investment committees. The governance challenge was to develop nimble and agile methodologies to address broader risk issues such as increased emphasis on personal safety, data, brand integrity, litigation, public scrutiny, and so on.
Reflecting on the ERM journey I’ve led at St. George’s over the past 12 years, at The Langley School (VA) for the past three years, and with other enterprises both institutional and commercial along the way, I’ve learned that each entity is unique in its own risk profile, capacity for risk management, risk appetite, governance structures, and other factors. But there are some guiding principles to help schools understand the board’s role in assessing and mitigating the most common risks.       

Make the Change

It’s important to be adaptable and innovative, and to recognize that something new and different will come from this process. Eliminating risk is not realistic, so the key is to thoughtfully and deliberately pick your acceptable level of risk, assess your capacity to take on the scope of commensurate risk management, and develop an appropriate response. As we pursued this thought stream at each school, we identified some basic tenets to help frame our work as well as set some important expectations.
  • Reinventing the wheel isn't necessary. Historically, schools have been considered very safe environments, led and staffed by people who consider safety to be second nature. But there have been some wake-up calls in areas such as student safety, cybercrime, regulatory compliance, and litigation exposures. Proceeding with an ERM approach is as much about leveraging, organizing, and consolidating individual risk efforts as it is about identifying and plugging gaps in the safety net and reimagining our approach to various risks.
  • Updating processes isn’t just procedural. I decided that my work as a trustee at each school needed to be generative and transformational in order to create new ways of assessing things. We needed to develop a core knowledge base both on the board through the committees and throughout the school at key risk junctures. To do this, it is critical to build a team of advocates both on the board and in the administration. At both St. George’s and Langley, the strongest advocates from our most formative stages have been the heads of school, board chairs, and directors of finance. We engaged more committee members and administrative leads as we went along. The end game was to foster a school-specific culture around ERM that permeated the various board committees and the school organization.
  • Managing risk is the responsibility of management; ensuring the adequacy of that management is the responsibility of the board. We had to keep this critical governance tenet in view, even as we recognized that in the formative stage, a more collaborative, interactive relationship was the best way to get to sustainable risk-focused governance structures. However, the ARM concept thrives best when it creates a forum for collaboration and not the basis for a committee that only evaluates management efforts.

Get Clear on Scope

When undertaking this kind of effort, most organizations start by listing all manner of risk until they have an unmanageable collection of items that far exceed the school’s ability to individually address and the board’s capacity to collectively evaluate. Organizations must first define the scope of the risk landscape, create manageable risk packages, settle on methodologies, and define the path forward.
I find that most risks do not live alone. To address this, I developed a basic model that highlighted the interrelationships among major operational risk areas, organized by the broad areas of fiduciary scope.
We then analyzed how a single event, in this case a data breach, could play out across the various risk areas. Clearly, a risk event like this could not be defined as just an “IT problem” anymore. We tested this in other scenarios and found that it provided a versatile basis for truly understanding risk at an enterprise level. This framework also facilitated ERM-oriented communications with the board as a whole.
Critically, we adhered to a series of basic questions that provided a consistent means for trustees and the school to develop the appropriate management elements: What is the risk? Do we manage it reasonably or better? How do we know? Can we prove it to ourselves and others? How do we respond to issues? How do we stay current?
There is no one-size-fits-all formula. Critical consideration needs to be given to how and to what degree the trustees and school leadership must, should, and want to manage risk. In general, this includes three major factors: mandates, which must be incorporated (based on laws, codes, standards, insurance requirements, etc.); influencers of risk management choices (best practices among peers, constituency expectations, risk of litigation, consequences of options, and budgets); and judgment factors (cultural preferences, emerging conditions, experience, and insight). Whatever the decisions are, they need to be defensible if challenged by circumstance.
Once each school assembled its risk control groups and basis, we established a multiyear schedule for reviewing each group, internally and externally. Periodically, the ARM committees intentionally review their schedules and practices as a form of continuous improvement.

Align Resources to Mission

Organizations that effectively align resources to address a significant change should embrace the principle, “sometimes you use the best that you have, and sometimes you have to get as good as you need.” The successful ARM transformation will rely on aligning the appropriate resources to the task. If you have the appropriate skill set among your current trustee pool, you may be able to populate an ARM committee with available people.
For the St. George's ARM, over time we recruited an attorney, a medical doctor, a university administrator, a compliance officer at a national bank, various accomplished financial professionals, a technology executive, a top-flight strategic communications professional, and a professional in risk-based mergers and acquisitions and construction. When COVID-19 hit, we assigned a trustee with a deep biosciences background to the committee. We also learned it was highly effective to deputize individuals to address specific review needs.
No matter how talented your board population, there will be areas of particular risk and specialization (sexual misconduct, discipline, regulatory compliance, health care and the like) where you will need to engage an outside professional to review and update policies, for example.
This talent pool requires periodic refreshing, which in turn requires the chairs of an ARM committee and the committee on trustees to assess term expirations against evolving needs for expertise. If your board is not currently recruiting for this kind of diversity, you may not be as well-equipped for the new fiduciary challenges as you should be.

Balance Prevention with Response

The incident response group must be thoroughly prepared to quickly react, contain, and resolve major incidents that might occur. This includes having specific procedures in place as well as knowing the cast of players who might be called upon when needed—emergency personnel, law enforcement, various attorneys, strategic (crisis) communications professionals, internal management, and the like. Similarly, the response group should know when and how to contact the head of school, the ARM committee chair, the board chair, and others both inside and outside the school. Rehearsal and scenario discussions are vital, and since two incidents are rarely identical, after-action assessments are critical to improvement.

Agility is Key

Perhaps most important, an ARM program needs to be able to adapt and respond to changes in conditions and priorities. The effort required to build, execute, and maintain these programs falls on school management as well as the board. Accordingly, the value of making our institutions safer needs to accrue to both. To that end, the most effective and impactful annual committee plans are developed in close coordination among the ARM committee chair, the head of school, and the board chair to reflect a shared sense of priority.
Specific reviews need to be framed for participating management team members as discussions, not judgmental inquisitions. In my experience at both schools, this approach has led to more productive discovery and more robust recommendations as well as appreciation for the opportunity to participate from the people who are being reviewed. Equally important to ARM success is being available to address unexpected issues or risk-related questions as they occur.
Looking forward, schools must expect to continue to encounter unexpected events such as the pandemic, emergent cybercrime, and others that will clutter the fiduciary landscape with new risks requiring nimble, agile approaches to both prevention and response. The heads and board chairs of both the schools I support know they can rely on their respective ARM committees and work in partnership on overall enterprise risk management and institutional resilience. 
David Halwig

David Halwig chairs the ARM Committees for St. George’s School in Middletown, Rhode Island, and the Langley School in McLean, Virginia. He is a founding member of the George Mason University Chief Risk Officers Council.