The "New" Imperative for Boards: Risk Oversight
Association Law & Policy, January 2010
By: Tracey Steiner
An economic crisis shines the spotlight on risk and raises questions about whether current governance practices ensure that we deal with risk appropriately. Identifying risks and implementing appropriate systems to manage them is just one of many critical tasks that contribute to an organization's longevity and success.
The financial crisis has once again focused scrutiny on the performance of boards of directors. Lawmakers, the media, and the general public are all asking questions: Where were the directors? Why did boards not appreciate the risks involved with their companies' business strategies? Could this crisis have been avoided? And charities, trade associations, and professional societies are feeling the hit on their bottom lines.
This type of crisis shines the spotlight on risk and raises questions about whether current governance practices ensure that we deal with risk appropriately. Identifying risks, implementing appropriate systems to manage unacceptable risks, and engaging in effective board risk oversight are critical tasks that must be accomplished to ensure an organization's longevity and success, particularly through events like the current economic recession.
Engaging in effective risk oversight is also necessary to fulfill a director's duty of care to her organization. The duty of care requires that a director act in good faith and in a manner that she "reasonably believes to be in the best interests of the nonprofit corporation."1 As stated in the most recent edition of the Model Nonprofit Corporation Act, members of the board—when engaged in decision making and "devoting attention to their oversight function"—must discharge their duties "with the care that a person in a like position would reasonably believe appropriate under the circumstances."2 Or, as traditionally expressed in the language of most states' statutes, the director's standard of care is that of "an ordinarily prudent person."
The American Bar Association's Task Force to Revise the Model Nonprofit Corporation Act explained that "the use of the phrase ‘ordinarily prudent person' in a basic guideline for director conduct, suggest[s] caution or circumspection vis-à-vis danger or risk."3 The drafters found this traditional language created confusion regarding the duty of care elements and the "prudent person" standard used in determining negligence. They also found the prior language "problematic given the fact that risk-taking decisions are central to a director's role" and thus changed the language to that noted above. This rationale seems somewhat ironic when recently issued governance guidelines seek to focus boards on the imperative to engage in effective risk oversight.
In October 2009, the National Association of Corporate Directors released a Blue Ribbon Commission Report titled, "Risk Governance: Balancing Risk and Reward."4 The NACD Risk Governance Report discusses both the objectives for and the role of the board of directors in performing its risk oversight function. It also makes the link between risk and strategy and helps to clarify for boards their role and responsibilities. Just as earlier corporate governance guidelines trickled down to the nonprofit community, it should be anticipated that this new guidance will do the same.
The NACD Risk Governance Report recommends 10 principles to serve as guidance to board members seeking to provide effective risk oversight, which are paraphrased and modified somewhat here for nonprofit organizations:
- Understand key drivers of success for the organization.
- Assess the risk in the organization's strategy.
- Define the role of the board and its standing committees (if it has any) regarding risk oversight.
- Consider whether the organization's risk management system, including people and processes, is appropriate and has sufficient resources.
- Work with management to understand and agree on the risk information the board needs.
- Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions.
- Closely monitor the potential risks in the organization's culture.
- Monitor critical alignments of strategy, risk, controls, compliance, incentives and people.
- Consider emerging and interrelated risks: What's around the next corner?
- Periodically assess the board's risk oversight processes: Do they enable the board to achieve its risk oversight objectives?
The first two principles clarify that risk is inherent in any enterprise, and an appropriate level of risk-taking enables the accomplishment of an organization's objectives. Boards and management must work together to define what constitutes an acceptable level of risk for the organization. As the Blue Ribbon Commission observed, "Without risk, there is no reward." Boards should therefore begin by assessing the appropriateness of a strategy and the risk inherent in it, which includes defining the organization's "risk appetite" and "risk tolerance." Risk appetite is the amount of risk the organization is willing to accept, while "risk tolerance" is the degree of variance from the level of risk the organization will accept.
To appropriately weigh risks and rewards in strategic decision making, boards should hear multiple strategic alternatives, each accompanied by management's assessment of the associated risk scenarios.
The Blue Ribbon Commission states that, as a general rule, "the full board should have primary responsibility for risk oversight, with the board's standing committees supporting the board by addressing the risks inherent in their respective areas of oversight."5 For example, a nonprofit organization's fundraising committee may focus on risks that include those related to donation trends, competition for grants, solicitation methods, mandatory disclosures and recordkeeping, applicable accounting changes, and requirements to maintain tax-exempt status. The full board must bring together input from various committees and other sources and recognize interrelated risks as well as the aggregate impact of risks to the organization.
Likewise, boards must appreciate the interrelated parts of a risk management system, both people and processes. The Blue Ribbon Commission noted that while there are various approaches to risk management, it generally involves several activities:
- Risk identification. What are the primary risks facing the organization?
- Risk assessment. What is the potential severity, probability, timing and cost of the impacts associated with these risks?
- Risk management. What strategies will be employed to avoid, manage or mitigate risks?
- Risk monitoring. What methods will be used to monitor risk and evaluate the effectiveness of management strategies?
- Risk communication. How will risks be communicated throughout the organization?
Boards and management must understand and agree on the information the board needs to perform its risk oversight function. This includes both the type of the information and its format—how it is presented and when. The Blue Ribbon Commission notes that many boards suffer from "information overload" and also lack information that is clear and meaningful to them. Boards should receive management reports on the organization's status relative to the risk tolerance levels that have been set and that describe what actions can be taken to return the organization to acceptable risk tolerance levels when those levels are exceeded. With the board's input and approval, new tolerances may need to be set in response to changed circumstances.
For example, a trade association may have a "zero tolerance" antitrust policy that precludes any and all discussions on product pricing or component costs among members at association events or in telephone or online forums.6 A new federal grant program, however, presents opportunities for the association's members, but only if members collaborate on a project that would be eligible for a grant. The association's policy would not allow for discussions on such collaboration to occur within an association-sponsored forum or event. The board should determine whether its policy may have been set based on a risk appetite that is too low and needs adjusting, or whether the grant program is a unique opportunity and the kind of "changed circumstances" that merit an adjustment to the organization's risk tolerance level and associated procedures.
The NACD Risk Governance Report cautions that much of the risk information received by boards comes from management, and that it is appropriate for boards to look to other sources, such as auditors and legal counsel, for input regarding management's risk perceptions and assumptions. For example, in an annual independent audit, the purpose of the audit is to "obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud."7 Part of the process involves auditors making inquiries of management regarding fraud risks. In particular, Statement on Auditing Standards No. 99, Consideration of Fraud in a Financial Statement Audit, requires auditors to address the risk of management overriding internal controls. The board (or its audit committee) should ask the auditors for their opinions regarding management's involvement in the financial reporting process and, in particular, the ability of management to override information that is being processed by the organization's financial reporting system. Boards also should be willing to challenge assumptions and request more information in risk discussions with management.
The seventh recommended principle recognizes the importance of culture in risk management and oversight. While the NACD Risk Governance Report references an incentive compensation structure that is atypical in nonprofits, the cultural influences such as management style, the degree of openness and candor in communications, "tone at the top," and reputational concerns mentioned all translate to nonprofits. The Blue Ribbon Commission notes, "Directors are in a unique position to monitor these risks and take prompt action when required."8 For example, if the board of directors has no policy, or fails to follow its policy, regarding board and chief executive expense payment and reimbursement, this sets the tone for staff that following policies and being prudent with expenses is not taken seriously by the organization. It can also raise tax compliance concerns.9
The report also recommends that boards monitor and test "critical alignments on a regular basis."10 Here, the Blue Ribbon Commission is recognizing that changes in people, processes, technology, and the like create risk. Small deviations between strategy formation and execution also can build up over time, creating a misalignment that can pose serious risks to an organization. Boards should ask whether management has a process or processes in place to "connect the dots," that is, to identify these changes and link them with their associated risks.
In addition to looking at what changes are presently occurring, boards also need to look out for what's next. Because independent board members bring a perspective that is less insular than management's, the Blue Ribbon Commission notes that boards can provide a value-added perspective to their organizations on emerging risks.
The last principle in the NACD Risk Governance Report urges boards to not only monitor and test how well management is doing but also to examine their own processes and capabilities for engaging in risk oversight.
Effective risk oversight has many components. It requires boards to identify risks and how they are interrelated, understand potential impacts, and always be aware of current and future changes that will necessitate some recalibration of the risk management system. A board that is not attuned to its risk governance responsibilities can lead its organization into numerous problems, not the least of which include financial difficulties, regulatory noncompliance, and even legal liability, such as breach of fiduciary duty. With an economy that continues to sputter, putting more stress on organizations, the time is now for boards to focus on risk oversight. The NACD Risk Governance Report should be a helpful guide for boards of directors who want a better understanding of their role and responsibilities in this critical area of governance.
Tracey Steiner is senior corporate counsel for the National Rural Electric Cooperative Association in Arlington, Virginia. Email: firstname.lastname@example.org
1. American Bar Association, Model Nonprofit Corporation Act § 8.30(a)(2) (adopted Aug. 2008).
2. Id. at § 8.30(b).
3. Official Comment to § 8.30.
5. NACD Risk Governance Report at 8.
6. The December 2009 Association Law & Policy newsletter discussed the recently issued Federal Trade Commission consent order involving the National Association of Music Merchants, in which the FTC settled charges that NAMM's practice of promoting pricing strategy and related discussions at NAMM meetings violated Section 5 of the Federal Trade Commission Act.
8. NACD Risk Governance Report at 17.
9. The 2008 Internal Revenue Service Form 990 requires tax-exempt organizations to disclose on Schedule J the payment or reimbursement of the listed benefits or expenses. Further, Schedule J asks whether the organization followed a written policy and required prior substantiation for the payment of expenses. See lines 1a, 1b and 2 on Schedule J and the Schedule J instructions. Answering "no" to these questions could invite scrutiny by the IRS.
10. Id. at 18.