David R. Koenig has been fascinated by and focused on understanding risk virtually his entire life and is recognized as a global leader on the governance of risk. He has held executive and board positions, published across multiple media (including 2 books: Governance Reimagined and The Board Members Guide to Risk), founded the DCRO (The Director’s and Chief Risk Officers Group), co-founded PRMIA (the Professional Risk Managers’ International Association) and advised many companies in a wide variety of industries and sectors, over many years. If you listen to this episode, you will understand that managing risk in a comprehensive, forward-looking manner is an essential best practice in running any business.
My father introduced me to the stock market when I think I was 10 or 12 and I was just fascinated by what made stock prices go up and down. It's, you know, it's kind of a sad story, but that was part of what I was raised to understand.
“Any company not doing the type of risk analysis you've described is not really looking at its strategic plan in a holistic way. They're missing an important piece in trying to project what it can really accomplish.”
The reason you put a Risk Committee in place is to understand the impact of let’s say cultural changes. Once you start piecing those all together and say, “where does this come back and impact us?” it becomes much more clear that it's akin to understanding your clients better, to understanding market share better, to understanding your competitors better. You have now a much clearer picture about the things that affect the bottom line of your success and what you might do about them. That's the forward-looking aspect of risk management and again, culture is but one example.
The really good Chief Risk Officers are the ones who think like businesspeople. They're not control people. They are people who have the same mindset of an entrepreneur, the same mindset of the head of a business unit. In fact, the best thing that risk managers can be doing within the business units is advising those businesses on how to take risks well. Since they think like a businessperson, questions a board might ask are "What opportunities to take risks better do you see?" "Are we competitive in terms of what it's costing us to get the capital to pursue our objectives?" "What aren't we looking at closely enough?"
I started by helping organizations to understand the risks that they could or couldn't control and ways to change that more to their liking. I worked with airlines, endowments, portfolio managers, banks, all sorts of different entities to help them change their risk profile,
You want to understand as much of it as you can. You're never going to understand every part of it.
Let's, for example, look at factories that pollute. In the 1970s, I grew up not far from Gary, Indiana. We would get some of the steel mill air that would come to our town. Lake Michigan was polluted, there are places up there that you couldn't believe people were swimming or eating fish from. But those companies weren't being charged for that pollution. Then the Environmental Protection Agency came along, rules about clean water, clean air came along and now the Southern shore of Lake Michigan in most places is pristine and beautiful. Those firms a lot of them aren't there anymore, or if they are they've significantly revamped what they were doing, and the problem was that they were not accurately paying for the cost of doing what they did. One of the things that risk management does is give you inputs that you're generally not seeing now - which is: what is the cost of pursuing our objectives or in some cases, the cost of not pursuing something else.
I've been in this risk management profession for 35 years or so and most companies still don't have formal risk management departments.
I think the question really is for a board to have a conversation about how well they understand the complexities of all the systems they depend upon for success. If they feel like they've got a handle on that, they can have a really deep discussion, and if they really feel comfortable that they get those complexities and how they interrelate, you may not need a risk committee. But I find it challenging to think an organization of $100MM in revenue, or maybe even half that size, can't generate enough positive return through a better understanding of risk to justify some investment in risk infrastructure.
I'll just talk about a company I talk about in the book what in essence was the equivalent of a Risk Committee at an executive level that was looking at the kinds of things that would threaten their ability to serve their customers. There's a good story in Texas Monthly talking to CEO, their senior executives around sustainability and supply chains. They started looking at the possibility of pandemics back, I think, 15 years ago and so they knew what to do. They had a plan laid out.
Another example, and this is not a formal Risk Committee at the company at that time, but it would be the equivalent of such, saying, “how are we going to make sure we can stay in business?” If something interrupts our normal facilities for operation?
When I worked there in Des Moines, Iowa, which is where the company is based, it was the largest city at the time in the country to lose its entire water supply because of the confluence of two rivers flooding that overwhelmed the 30-foot-high banks of their water treatment plant. Suddenly everything in downtown Des Moines was flooded and unusable because there was no fresh water. The next day I was told to meet at a specific point. I went to that point. I was handed a folder. The folder told me exactly everything I was going to be doing for the next 12 hours and over the next week. We were up and running, managing a multibillion-dollar risk portfolio in about a day and a half. If they hadn't been thinking forward within what was the equivalent of their Risk Committee, that would have never happened and I can't tell you how many millions we might've lost, because we weren't able to do anything about our exposure.
The case for a Chief Risk Officer. Once it gets up to the board, you don't necessarily want to have business unit specific discussions about whether you're taking the right risks. It's really a question of how is the CEO looking at this and how is the CEO incorporating all these different moving parts? I would say the Chief Risk Officer is somebody who has that task of taking all these disparate technical skills and technical roles and bringing them into a common risk framework.
Cyber risk has become a massive concern and it's been there for a while, but the DCRO did a survey recently and there's a multiple fold increase in the amount of phishing attacks that companies are seeing because they have employees working from home. I've seen people who are really smart fall for these because they're getting really good.
To the extent that our corporations are more effective risk takers, they're better employers, they're better at returning into their community, they're better at serving their customers, they're better at serving their suppliers. All their relationships become better.
If you have a board nominating people to join the board, to replace people who are leaving, they're almost always going to be more naturally drawn to people who are like them. We see that in our social sorting in all parts of our own lives. It's much easier for us to be around people like us, who agree with us in times of threat when an organization's facing a competitive challenge or crisis, like we've got with COVID. But lack of diversity in board composition creates risk.