It’s Thursday September 6th and our latest edition of the Feagin Company Weekly Risk Report: What you need to know to stay current in risk management. Visit our website at feaginllc.com.
Social Media – The “meta data” you don’t consider but others will
I recently received a call from the CEO of an organization whom we provide managed services. He said, “I received information that Facebook has labeled me ‘very conservative,’ what should I do?” Supposedly you can turn this “feature” off; I can’t imagine Facebook making it difficult! My simple answer, “download all your history and delete Facebook or live with the consequences of a free platform where YOU are the price.” Truth is, this is scary, not to mention that social media platforms in general track many meta labels on individuals. I’m sure they don’t tell you every label they attach to you…race, color, sexual preference, to name a few. Now, imagine if this information were obtained by a tyrannous government or terrorist organization and then used against certain population segments. Dissidents and targets could be purged (tortured/killed) efficiently based on their political and religious views, sexual preference, etc. (see Takedown Section). Supposedly Senator Marco Rubio is concerned about this scenario with China and “other governments.”
Committee Structure – Board Risk Committee
I will focus on non-financial publicly traded companies…It’s a general rule of thumb that the full board has overall responsibility for risk management since it oversees the strategy of the organization. The Dodd-Frank Act Section 165(h) Risk Committee sets forth requirements to establish a risk committee. In many cases, boards combine the risk committee with the audit committee…a.k.a. the Audit and Risk Committee. Under pressure from activists, institutional investors, and regulators, many boards are installing a separate risk committee. Another contributing factor is increased litigation against boards alleging failure to conduct their fiduciary responsibilities to adequately oversee risk management.
What is the responsibility of the risk committee according to Section 165(h)?
- “be responsible for the oversight of the enterprisewide risk management practices…”
- “include such number of independent directors as the Board of Governors may determine appropriate…”
- “include at least 1 risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.”
What is not the responsibility of the risk committee?to own and manage the risks that have been identified. This is the role of senior leadership and the company.
- Don’t confuse the Risk Committee responsibilities with those of the full board. The full board must set the tone and senior leadership must provide assurance that risk management practices are adequate and that the right risks are being identified and addressed.
Note: President Trump signed into law on May 24, 2018, revisions to Dodd-Frank. The revisions don’t change the above fiduciary requirements.
While our survey is not scientific, it did reveal that Enterprise Risk Assessments among respondents are typically conducted once per year or ad hoc…inline with our experience.
One of the hallmarks for strong risk management capabilities is the organization’s willingness to identify and address risks as part of their daily activities.
Strengthen “risk culture” by encouraging the identification and management of risks vertically and horizontally across the organization on a daily basis. You can accomplish this through the alignment of people supported by the right policies and tools. Use caution when hiring a firm to change your risk culture. True change comes from within. External help in the form of teacher, coach, mentor can be helpful.
Assessing Capabilities – Risk Management
There are many assessment tools available to assess risk management capabilities but independent, non-advocate assessments are lacking. Many consulting companies see these assessments as a way to get “sticky” with the C-suite and Directors so they can peddle other services at the top. Scrutinize providers and use caution.
Here are 5 pillars that every risk management capabilities assessment should evaluate:
- Risk Management Ownership (oversight)
- Risk Understanding (how well are risks identified, understood, and managed)
- Coordination and Communication
Follow this link for a deeper understanding and breakout of the 5 pillars. Conducting a review annually or at a minimum, once every two years could significantly enhance the organizations ability to TAKE RISKS and seize opportunities.
- Nike shares took a knee on Tuesday over their decision to use Colin Kaepernick as the new face for the “Just Do It” campaign. No doubt their board signed off on this strategy which some believe is an appeal to their younger base.
- Well known litigant and “activist investor” Shiva Y. Stein has filed a lawsuit against the Board of Directors at Nike… it’s not for disregard of risk management fiduciary responsibilities, that may be next, but for assumed losses due to an alleged “boys club” culture.
- Meta data: On this day in 1941, Germany announced that all Jews living in the country must wear the Star of David…extermination of the Jews started that year.
- Jeff Bezos gave $10MM to a Super Pac fund who’s goal is to put more vets in Congress.
- The UK has formally charged two Russians for the Skripal poisoning. My hunch, they won’t be extradited and no one cares…unfortunately.
- Idlib (last week’s geo political discussion): Russian and Syrian jets bombed the outskirts…killed 10 civilians and injured 20 others. “White Helmet” rescuers are real heroes.
- Typhoon Jebi slammed Japan…most powerful storm in decades. Watch supply-web disruptions and increased cost of goods.
- Peak hurricane “climatology activity” is around September 10th each year according to the National Hurricane Center.
- February 6, 1858…the date US Congressional members cleared the benches in a melee over the pro-slavery Lecompton Constitution. Kavanaugh hearings on the same vector?
- Innovations that are changing the ability to manage risks
- Geopolitical analysis
- The Takedown