Testing for 'risk' in your governance culture: here are the key issues for concerned directors in creating a governance culture that manages risk and compliance.

• Author: MacDougall, Andrew J.
• Position: Spencer Stuart Governance Letter

RECENT EVENTS have made it clear that an organization's passive or cursory view of corporate risk can be highly threatening to shareholders. As Warren Buffett pointed out in this year's shareholder letter in the Berkshire Hathaway annual report, while a handful of companies have been singled out, "there is no shortage of egregious conduct elsewhere in corporate America." High-risk conduct can be well within the bounds of acceptability, and even beneficial to an organization, to the extent it creates competitive advantage and innovation. But for any firm, hidden or unreported risks put the board and the executive group in difficult situations.

When we review the issues and public dialogue surrounding firms that are currently under the microscope, our discussions inevitably lead us to the qualities, style and oversight of human capital, or as we would describe it, the governance culture. Ultimately, human capital and the governance culture are a company's first line of defense against inappropriate risks. Boards will have to evaluate whether their governance culture is right for their business. That is, does it effectively manage risk and minimize the probability of value-destroying events?

Knowing your governance culture

How can a board know if the firm has an appropriate governance culture? The corporate governance culture broadly encompasses many organizational and leadership activities at the board and the management levels. The key questions directors of corporate boards need to ask are: Does the company promote behavior that accurately quantifies and manages risk or does it continually push the envelope without adequately defining or protecting against the downside? Does it ensure that compliance is there when it should be?

A firm simply cannot, and should not attempt to, monitor all employees and executives around the clock. Directors cannot possibly micromanage either the executive leadership or the day-to-day activities across the firm. Yet with so much business complexity and globalization, how can a director or management team determine whether the company is managing the risks that emerge in a decentralized or far-flung organization?

This is a particularly difficult issue to address in a rising market that tends to hide risky behavior, or even more so given the risks present during an economic downturn -- when managers are driven to meet the continuing demand for earnings performance. But recent events have reminded us that it takes an organization-wide commitment to identifying and managing risks to create a culture that minimizes the damage that can occur when the tide, so to...