How Should Boards Oversee Risks and Crises?

When I think about the difference between risks and crises, I consider risks problems that can generally be anticipated so plans can be put in place to lessen them, whereas crises are unexpected needs to recognize potential disruptions and stresses. Some think of risks as being in three buckets: operational risks (damage to physical structures, for instance), financial risks (lack of liquidity, for example), and strategic risks (poor business decisions). Having plans in place for all three types of risks is important.

I spoke with the former two-term governor of Indiana and two-term US senator from Indiana, Evan Bayh, who is currently a senior advisor to Apollo and an experienced corporate director: “Even companies you wouldn’t expect have geopolitical risks. I’m on the board of a hotel chain, and we have 100 hotels around the United States—what kind of geopolitical risk do they have? Probably 15 percent of the business is in the Northern California area, and because of the souring of relations between China and the United States, there are a lot fewer Chinese visitors coming to visit—and it’s actually materially affecting the business.”

I asked Senator Bayh how companies should attack geopolitical risks. “The first step is to evaluate the vulnerability of the company. It might be a second- or third-order effect instead of a direct effect, but it’s there for everyone. First, you get educated, and only then do you need to decide what, if anything, you can do about it and whether it’s worth the cost or not.”

“The last thing to keep in mind,” Bayh added, “is that in assessing geopolitical risk, you have to get outside your own culture and your own framework for decision-making, because sometimes there are irrational actors out there who will do things that will affect your business, and you think they’ll never do those things, but they’re just looking at the world from a completely different perspective.”

A crisis typically falls into one of these general categories: business, financial, physical assets, cybersecurity, natural disasters, or geopolitical. While a crisis is generally unanticipated and the board and management may well find themselves at least somewhat unprepared, senior management should have in place a list of key responders for a crisis (both internal executives and external advisors) and a general crisis response plan ready to be implemented. As a fiduciary for shareholders, a board should oversee the preparation and any updating of the crisis response plan as well as oversee the response to a crisis.

A detailed crisis management plan should have the following characteristics:

1. The plan should be developed by management, approved by the board, and put “on the shelf” in case of a sudden crisis.

2. The plan should contain a broad framework suitable for addressing an unexpected challenge while providing flexibility for an organization to adapt to a particular situation. Among other things, this should include a list of who should be contacted under what circumstances, from senior management to directors, and what advisors will be used, such as information technology experts and specialists in cybersecurity.

3. The plan should note clear roles and responsibilities for executives and employees at different levels of the company, empower the most appropriate personnel to take the most effective steps, and provide a matrix to escalate concerns and decisions as required.

4. Communications plans should be incorporated, perhaps including templates for messaging to different stakeholders.

5. The plan should be rehearsed on a regular basis to address value-threatening, company-threatening, and life-threatening situations.

Strategies are more effective if executives and key employees stress-test them in advance. Planning should be thorough and led by someone senior or a committee of senior executives. You cannot anticipate every crisis, so the plan may well have to be modified in real time as a crisis reveals itself. Even with a plan in place, management, overseen by the board, must be proactive in carrying out the steps necessary to manage the crisis.

My book, On Board: The Modern Playbook for Corporate Governance – How to Oversee Companies with Care and Loyalty, will be published by Radius in June. I’d be delighted if you would preorder it on Amazon here or contact me for bulk purchase and speaking information at jff@jonathanffoster.com