David R. Koenig has been fascinated by and focused on understanding risk virtually his entire life and is recognized as a global leader on the governance of risk. He has held executive and board positions, published across multiple media (including 2 books: Governance Reimagined and The Board Member’s Guide to Risk), founded the DCRO (the Directors and Chief Risk Officers Group), co-founded PRMIA (the Professional Risk Managers’ International Association) and advised many companies in a wide variety of industries and sectors over many years. If you listen to this episode, you will understand that managing risk in a comprehensive, forward-looking manner is an essential best practice in running any business.
My father introduced me to the stock market when I think I was 10 or 12 and I was just fascinated by what made stock prices go up and down. It’s, you know, it’s kind of a sad story, but that was part of what I was raised to understand.
“Any company not doing the type of risk analysis you’ve described is not really looking at its strategic plan in a holistic way. They’re missing an important piece in trying to project what it can really accomplish.”
The reason you put a Risk Committee in place is to understand the impact of let’s say cultural changes. Once you start piecing those all together and say, “where does this come back and impact us?” it becomes much more clear that it’s akin to understanding your clients better, to understanding market share better, to understanding your competitors better. You have now a much clearer picture about the things that affect the bottom line of your success and what you might do about them. That’s the forward-looking aspect of risk management and again, culture is but one example.
The really good Chief Risk Officers are the ones who think like businesspeople. They’re not control people. They are people who have the same mindset of an entrepreneur, the same mindset of the head of a business unit. In fact, the best thing that risk managers can be doing within the business units is advising those businesses on how to take risks well. Since they think like a businessperson, questions a board might ask are “What opportunities to take risks better do you see?” “Are we competitive in terms of what it’s costing us to get the capital to pursue our objectives?” “What aren’t we looking at closely enough?”
I started by helping organizations to understand the risks that they could or couldn’t control and ways to change that more to their liking. I worked with airlines, endowments, portfolio managers, banks, all sorts of different entities to help them change their risk profile.
You want to understand as much of it as you can. You’re never going to understand every part of it.
Let’s, for example, look at factories that pollute. In the 1970s, I grew up not far from Gary, Indiana. We would get some of the steel mill air that would come to our town. Lake Michigan was polluted, there are places up there that you couldn’t believe people were swimming or eating fish from. But those companies weren’t being charged for that pollution. Then the Environmental Protection Agency came along, rules about clean water, clean air came along and now the Southern shore of Lake Michigan in most places is pristine and beautiful. Those firms a lot of them aren’t there anymore, or if they are they’ve significantly revamped what they were doing, and the problem was that they were not accurately paying for the cost of doing what they did. One of the things that risk management does is give you inputs that you’re generally not seeing now – which is: what is the cost of pursuing our objectives or in some cases, the cost of not pursuing something else.
I’ve been in this risk management profession for 35 years or so and most companies still don’t have formal risk management departments.
I think the question really is for a board to have a conversation about how well they understand the complexities of all the systems they depend upon for success. If they feel like they’ve got a handle on that, they can have a really deep discussion, and if they really feel comfortable that they get those complexities and how they interrelate, you may not need a risk committee. But I find it challenging to think an organization of $100MM in revenue, or maybe even half that size, can’t generate enough positive return through a better understanding of risk to justify some investment in risk infrastructure.
I’ll just talk about a company I talk about in the book, which had what in essence was the equivalent of a Risk Committee at an executive level that was looking at the kinds of things that would threaten their ability to serve their customers. There’s a good story in Texas Monthly talking to the CEO, their senior executives around sustainability and supply chains. They started looking at the possibility of pandemics back, I think, 15 years ago and so they knew what to do. They had a plan laid out.
Another example, and this is not a formal Risk Committee at the company at that time, but it would be the equivalent of such, saying, “how are we going to make sure we can stay in business?” If something interrupts our normal facilities for operation?
When I worked there in Des Moines, Iowa, which is where the company is based, it was the largest city at the time in the country to lose its entire water supply because of the confluence of two rivers flooding that overwhelmed the 30 foot high banks of their water treatment plant. Suddenly everything in downtown Des Moines was flooded and unusable because there was no fresh water. The next day I was told to meet at a specific point. I went to that point. I was handed a folder. The folder told me exactly everything I was going to be doing for the next 12 hours and over the next week. We were up and running, managing a multibillion-dollar risk portfolio in about a day and a half. If they hadn’t been thinking forward within what was the equivalent of their Risk Committee, that would have never happened and I can’t tell you how many millions we might’ve lost, because we weren’t able to do anything about our exposure.
The case for a Chief Risk officer. Once it gets up to the board, you don’t necessarily want to have business unit specific discussions about whether you’re taking the right risks. It’s really a question of how is the CEO looking at this and how is the CEO incorporating all these different moving parts? I would say the Chief Risk Officer is somebody who has that task of taking all these disparate technical skills and technical roles and bringing them into a common risk framework.
Cyber risk has become a massive concern and it’s been there for a while, but the DCRO did a survey recently and there’s a multiple fold increase in the amount of phishing attacks that companies are seeing because they have employees working from home. I’ve seen people who are really smart fall for these because they’re getting really good.
To the extent that our corporations are more effective risk takers, they’re better employers, they’re better at returning into their community, they’re better at serving their customers, they’re better at serving their suppliers. All their relationships become better.
If you have a board nominating people to join the board, to replace people who are leaving, they’re almost always going to be more naturally drawn to people who are like them. We see that in our social sorting in all parts of our own lives. It’s much easier for us to be around people like us, who agree with us in times of threat when an organization’s facing a competitive challenge or crisis, like we’ve got with COVID. But lack of diversity in board composition creates risk.
Joe: [00:00:00] Hello and welcome to On Boards: a Deep Look at Driving Business Success.
Hi, I’m Joe Ayoub and I’m here with my co-host Raza Shaikh.
On Boards is about boards of directors and advisors and all aspects of board governance. Twice a month this is the place to learn about one of the most critically important aspects of any company or organization – its board of directors or advisors.
Raza: [00:00:31] Joe and I speak with a wide range of guests and talk about what makes great boards great and makes a board unsuccessful, what it takes to be a valuable member and how to make your board one of the most valuable assets for your company.
Joe: [00:00:47] Our guest today is David Koenig. He spent the first half of his career building firm-wide and portfolio specific risk management programs for multiple companies. His work over the [00:01:00] past 20 years has focused on establishing and implementing global best practices for risk governance at the board level and the general practices of risk management.
He is the author of Governance Re-imagined: Organizational Design, Risk and Value Creation, first published in 2012, as well as The Board Member’s Guide to Risk, published just a couple of months ago in May of 2020.
Raza: [00:01:29] David is the founder of the Directors and Chief Risk Officers Group, the DCRO, which is a global collaborative of C-suite executives and board members focused on risk governance and he is one of the founders of the Professional Risk Managers International Association.
Joe: [00:01:47] Welcome David. It’s great to have you as a guest on On Boards.
David: [00:01:51] Thank you. I appreciate being here. I’ve enjoyed the episodes that you guys have had in the past and hope that we can deliver something as good today.
Joe: [00:01:57] Well, thanks so much. I’m sure this is going to be an [00:02:00] interesting conversation. I know it’s interesting to Raza and to me.
You know, you’ve spent much of your career studying, analyzing and quantifying risk in business. More recently in the context of risk management for boards. But tell us a little bit about the first half of your career creating risk management programs for companies.
What led you to become focused on risk in the business setting?
David: [00:02:24] Well, I did my undergraduate studies in economics, mathematics and statistics, and then got my graduate degree in economics and this was in the mid 1980s. There was a profound interest in markets at that time. The market idea in economics, the dominance of the market, was very prevalent and, in fact, as I mentioned in my first book, my father had introduced me to the stock market when I think I was 10 or 12 and I was just fascinated by what made stock prices go up and down. It’s, you know, it’s kind of a sad story, but that was part of what I was raised to understand.
So coming out in that environment, I felt very fortunate to [00:03:00] get a job with First National Bank of Chicago. It doesn’t exist anymore. It’s part of the JP Morgan Chase conglomerate, but the work we did there, was about helping organizations to understand the risks that they couldn’t control or could control and ways to change that more to their liking.
So I worked with airlines, endowments, portfolio managers, banks, all sorts of different entities to help them change their risk profile, to something more to their liking and it was fascinating work. We were really on the cutting edge. This was when Chicago was the hotspot for markets and I would argue in some cases, risk management.
So that’s where it got started and then, as you had mentioned, I moved into doing this work for specific companies and I’m happy to talk more about that too.
Joe: [00:03:48] So, yeah, if you would, that would be great. What work did you do for the companies, for which you created these risk management tools, what was it that you did and what was the goal that they were trying to achieve?
David: [00:04:00] It was all very new. I mean, you can look at the actuaries and they’ve been doing risk management for a long time, but what I would argue is that modern risk management really came into being in the 1980s, early to mid. I was fortunate that that was the time that I was starting my career. A lot of organizations, particularly financial institutions and energy companies understood the risks that they faced or understood that they face substantial risks. There was more of an openness to how you might control those things. I went to a company called Principal Financial Group. That was the first one that I did, you know, very active risk management program. It was in their mortgage subsidiary. Mortgages are such an interesting financial instrument. I think most people don’t appreciate the complexity of a mortgage, but this company was originating mortgages, had servicing rights, and they had really complex risks, but they didn’t know that they were taking risks that I think they didn’t quite understand, but there were some smart people there, in fact, the CEO is an actuary. A lot of the people running the [00:05:00] organization were actuaries. I think they understood that there was something more to it.
I came into that environment and helped them look at risks first on a portfolio basis. So the origination portfolio, servicing portfolio, and then next in what we’ll call a firm wide risk management approach which was what we used as a term back then.
This was probably around 1993. And I’m pretty sure that was the first firm-wide risk management program in the mortgage banking business. The whole idea was to understand the moving parts of a business. What is it that drives your success? What is it internally that you do that might offset some of the changes in those drivers of your success?
What is it you don’t like about that? What is it you can change about that? What can you do internally in terms of your production mechanisms, your communication, to enhance the good stuff and what can you trade off to other people? That really fit well with what I been doing it for Chicago and in some of my other work prior to that.
That was actually one of my favorite jobs and we were really successful. The company grew in market share tremendously in part [00:06:00] because we had this really strong risk function. I think of that one as a big success. I’ll point to another one that I thought was pretty interesting too, which was right before I made this transition that you talked about in the introduction, at Piper Jaffray, which was owned by US Bank Corp.
At the time I worked for them, Piper had not been owned by US Bank Corp, except for the fact that they had a massive loss following the 1994 bond market debacle. 1994 happened to be a year that at Principal Financial Group, we did really well because we understood our risk, but Piper had some exposures to mortgage securities that they didn’t understand and it almost put them out of business.
They were over a hundred years old. The bank took them over, they knew they didn’t want these things to happen. When I went in to interview with them, I remember sitting down with the CEO and the chair of the board, and them saying, first thing we want you to do is tell us if there’s anything more like this out there.
I spent a few months looking at that, but the goal ultimately was to take risk management, which was [00:07:00] new there and frankly it was viewed by a lot of people with skepticism, turn it into a valuable tool. Over the years that I was there, yeah, I think I was there three to five years, somewhere in that range, we took it from a place where people were very skeptical about it to where understanding risk became part of the business process, the business planning process, whether it was charging for capital or putting it in planning documents, looking at every deal we were doing with this risk lens on it.
And it wasn’t a risk lens saying what can go wrong? It was a risk lens of saying how does this fit in our portfolio? Do we understand the exposures? And are we making anything on this? Given the amount of capital we have to commit to it. I thought also that was a very successful implementation of where risks can be done well.
Joe: [00:07:49] The way you’ve described it, my reaction is that any company not doing the type of risk analysis you’ve described is [00:08:00] not really looking at its strategic plan in a holistic way. They’re missing an important piece in trying to project what it can really accomplish.
David: [00:08:12] I would agree. I’m happy to go deeper into that, but it’s like any aspect of your business, you want to understand as much of it as you can. You’re never going to understand every part of it.
Let’s say, for example, look at factories that pollute. In the 1970s, I grew up not far from Gary, Indiana. We would get some of the steel mill air that would come to our town. Lake Michigan was polluted, there are places up there that you couldn’t believe people were swimming or eating fish from. But those companies weren’t being charged for that pollution. Then the Environmental Protection Agency came along, rules about clean water, clean air came along and now the Southern shore of Lake Michigan in most places is pristine and beautiful.
Those firms a lot of them aren’t there anymore, or if they are they’ve significantly revamped [00:09:00] what they were doing and the problem was that they were not accurately paying for the cost of doing what they do. One of the things that risk management does is give you one of those inputs that you’re generally not seeing now which is what is the cost of pursuing our objectives or in some cases, even the cost of not pursuing something else.
I think the transparency that comes with an enhanced risk program does exactly what you had just said, in terms of fulfilling your ability, especially at the board level, to govern, the risk taking that the organization necessarily does.
Raza: [00:09:32] David, over the past 20 years, you shifted your focus to establishing and implementing global best practices for risk governance at the board level and general practices of risk management. What led you to shift that focus?
David: [00:09:48] I think a lot of it’s always been there, in part of just describing the work that I was doing in the first half of the career, we really were looking at big organizational issues. Sometimes they were small parts of it, [00:10:00] but it was really how the things come together. When I was at Piper, I had run chapters in Chicago, in Minneapolis for Professional Association of Risk Managers and that association had some governance issues that collectively several of us who ran chapters around the world tried to fix. We weren’t comfortable with how that had all been fixed.
I had this sort of detour in my career where we started another professional association with a commitment to helping an education high standards of governance. In fact, the model of governance that I talk about in my first book is really what we implemented at this organization with the idea being that if we share with each other still in the infancy, this is around 2001 or so let’s say 15 years into modern risk management, if we shared with each other, what was working in Poland and Russia and China in Australia, wherever we were, we could make the profession better and we could start moving towards this place where more organizations [00:11:00] were incorporating risks.
That was the first go at that and I spent about seven years now, I guess it was about six years working on that and as I said, it was a career detour, but one that I truly loved. When I handed that over to the people who I’d hired, over the years, I looked back at that organization and I saw we were really focused on how the technicians and how the practitioners of risk management can do their job better, and then we were looking at how to bring that up to the C-suite through a Chief Risk Officer or other means. But in my work and my interest in the big picture of an organization, the leap or the gap between the C-suite and the board hadn’t yet been addressed.
There were two things in that. One, leaving the organization, I no longer was traveling the world, you know, meeting people in these roles every day. I had to think to myself, how am I going to stay in touch with people? And so I started to create this group, this DCRO that you had mentioned.
The other thing was, how do we then take this to that next level, the C-suite to the board. I’ve looked in [00:12:00] all of these places to say, where is there a need? Where can I be helpful? I’m reasonably good at getting people to collaborate on things. I try to bring people together to share their best practices.
And that’s what we did within PRMIA and now with the DCRO. Honestly, it’s quite fun for me to do this. It’s fun for me to have these connections with people all over the world, and they’re really smart, good people. It’s a pleasure to try and contribute in a positive way to doing this.
Raza: [00:12:27] Well said David.
You recommend that boards create a separate Risk Committee and a number of companies have adopted that practice, but most have not. Why do you recommend a separate Risk Committee? Why can’t the Audit Committee, which is often tasked with this function, handle it? And isn’t it the case that this depends on really the type of business and the level of risks a company faces? A grocery chain might be very different from a high tech company?
David: [00:12:58] I’ve been in this risk management [00:13:00] profession for 35 years or so and most companies still don’t have formal risk management departments. I’d say I’m patient, but the impact of risk management is significantly greater than it was when I started at this. You can find where there were risk management programs 30 years ago, they are incredibly more important now. Companies that would have never thought of it before have them now and they’re really helpful. I think this progression is going to take place at the board level too. I joke with some of my colleagues that I’m not sure it’s going to take place to the degree that I’m satisfied during my career, but I have confidence because this is something that has value. If you can demonstrate value to someone in doing something, eventually it’s going to come around because if their competitors start doing it, which again is what happened when we were at Principal in that mortgage company, we grabbed so much market share because we were doing this the right way, you’re going to see that in others, others are going to follow.
You had asked about the difference between risk committees and audit committees. The way in which I’ve [00:14:00] described this to people is that it can be done together but an audit committee’s primary task is to be backward looking and validating. A risk committee as a stand alone, it has the primary task of being forward looking and anticipatory. You could take an Audit and Risk Committee agenda and cognitively somewhere in that conversation they have to make a 180 degree shift in their thinking and I think that’s difficult for anybody to do. I think there are certain people who have a mindset that I describe as stochastic and stochastic mindsets don’t look forward and see one path, they don’t look forward and see three or four paths, like a best case, worst case, average case. They see thousands of possibilities and they actually see the steps that happen to get to those, some of the threats to those and some of the things you can do to enhance your success. Those are the kinds of people who serve really well on Risk Committees. [00:15:00] And the value of a risk committee: you’d mentioned grocery stores and I think high tech companies. There may be people who, when they heard you ask that question, said, well, a grocery store, that’s easy, that’s low risk, and a high tech company, you know, that’s stuff that maybe is significantly more risky. But grocery stores are like a lot of other businesses in that they operate on incredibly tight margins, they’re commoditized to some extent, they have a lot of competitors, they have high infrastructure, they have perishable inventory and they have a dependency on supply chains and on people being willing to enter their facilities. Now there’s more delivery going on now in response to COVID, but every organization has complex risks and the complexity of those risks grows based on the number of relationships that you have. If you have third parties doing work for you the complexity of that relationship grows substantially.
If you do work outside of one country, the complexity grows [00:16:00] substantially if you’re regulated. I think every organization, I know some people like to throw out a number and say, if your organization is this big, you should have a risk committee.
I think the question really is for a board to have a conversation about how well they understand the complexities of all the systems they depend upon for success. If they feel like they’ve got a handle on that and I don’t mean feel like, yeah, I get risk, but they have a really deep discussion, maybe even guided by somebody else on the outside, if they really feel comfortable that they get those complexities and how they interrelate, you may not need a risk committee, but I find it challenging, even if I throw out a number and say a hundred million in revenue, I find it challenging to think, an organization that size, or maybe even half that size can’t generate enough positive return through a better understanding of risk to justify some investment in risk infrastructure. Probably a longer answer than you wanted, but you know, there’s a reason why I advocate for this so strongly.
Joe: [00:16:58] You said something about [00:17:00] forward-looking and anticipatory is one of the things that distinguishes what a Risk Committee might do versus an Audit Committee, that I understand and that does resonate. Give me an example of something in an actual company where a risk committee looked forward and was anticipating something that made a difference to bring it to, you know, an actual example so that people can really kind of maybe understand a little bit better.
David: [00:17:30] What I’ll do is I’ll just talk about a company I talk about in the book and HEB had what in essence was the equivalent of a Risk Committee at an executive level that was looking at the kinds of things that threaten their ability to serve their customers. There’s a good story in Texas Monthly talking to the CEO, their senior executives around sustainability and supply chains. They started looking at the possibility of pandemics back, I think, 15 years ago [00:18:00] and so they knew what to do. They had a plan laid out. I’ll go back to Principal Financial Group as an example again, and this is not, it wouldn’t be a formal Risk Committee at the company at that time, but it would be the equivalent of such, saying, how are we going to make sure we can stay in business if something interrupts our normal facilities for operation? When I worked there, Des Moines, Iowa, which is where the company is based, was the largest city at the time in the country to lose its entire water supply because of the confluence of two rivers flooding that overwhelmed the 30 foot high banks of their water treatment plant. All of a sudden everything in downtown Des Moines was flooded and unusable because there was no fresh water.
The next day I was told to meet at a specific point. I went to that point. I was handed a folder. The folder told me exactly everything I was going to be doing for the next 12 hours and over the next week. [00:19:00] We were up and running, managing a multibillion dollar risk portfolio in about a day and a half. If we hadn’t been thinking forward, if they hadn’t been thinking forward in what was the equivalent of their Risk Committee, that would have never happened and I can’t tell you how many millions we might’ve lost, because we weren’t able to do anything about our exposures. Those kinds of conversations are the same things that our Risk Committee is having on a much bigger picture about the drivers of an organization.
Some of these drivers are cultural, so I’ll have conversations with individual board members, which I tend to work with individuals as opposed to boards as a whole, but those could be about cultural changes and some of those cultural changes come about because you put a Risk Committee in place.
The reason you put a Risk Committee in place is to understand the impact of those cultural changes. Once you start piecing those all together to say, where does this come back and impact us? It becomes much more clear it’s akin to understanding your clients better, [00:20:00] to understanding market share better, to understanding your competitors better.
You have now a much clearer picture on the things that affect the bottom line of your success and what you might do about them. That’s the forward-looking aspect and again, culture is one example that I think is generic enough that I can mention but we live in a time over the last three years, I would say where cultural issues have exploded for all boards. It’s not just gender, it’s not just race, the cultural issues are changing rapidly with the generations that follow, the ones we’re in and if you don’t identify that as a risk, if you don’t have somebody looking forward and saying, do you understand where this is going, you’re missing out on something substantial.
So I don’t know if those are specific enough for you, Joe, but I think the idea generally is understand what drives your success, go to the first principles of those and make sure [00:21:00] you understand them and that’s what a Risk Committee tends to be really good at. These are things the whole board should be doing, but the risk committee can refine that to what the board can most effectively spend its time focused on.
Joe: [00:21:10] Yeah, no, that is helpful.
When I’ve raised this possibility of a Risk Committee, one thing I’ve heard is there’s a danger that the Risk Committee will veer into a management role. How do you make sure that the Risk Committee doesn’t do that because obviously that’s an important aspect of all governance. We don’t want the board to be doing management work and vice versa. How do you look at this in a way so that the Risk Committee does not veer into doing management’s work?
David: [00:21:40] I think it’s no different than the board. In the environment we’re in right now where boards and organizations are under threat, there’s substantial pressure towards forming what are called tight cultures. Michelle Gelfand has written a book on tight and loose cultures. Tight cultures are ones that try to set rules and limits and you get tight and tighter [00:22:00] cultures when there’s a threat.
If you’re somebody who is moving towards more tightness at the board level, you want more control. Most of your people on the board are successful people who’ve run businesses. That means they want to or they’re going to be driven towards trying to interfere more with the management of the organization.
Just because you’re looking at risk, I don’t think it’s any different and your board colleagues are going to do a good job of telling you, Hey, we’re crossing the line into management. I haven’t been on a board yet where somebody didn’t start to ask a management question and somebody else in the room didn’t say, “Hey, that’s management, not us,” but not always right when they say that, but I think there’s that personal check on each other.
If you’ve got somebody on a Risk Committee who’s had some experience in a risk role and I don’t think that that’s necessary, but if you do, we all understand what that’s like too. We don’t want somebody coming in and telling us how to manage risks. I’ve had that experience. I don’t enjoy it. Nobody’s in the trench, like a Head of Risk or somebody who’s doing the risk management. It’s still like [00:23:00] any other board position, it’s incumbent upon other board members to make sure you’re not crossing that line. You know how important that is because it’s a breach of trust and there’s a huge trust element to the board empowering the CEO to achieve and pursue the goals that the board has set within the boundaries. As soon as you cross that they don’t have accountability anymore. You have to be adamant about maintaining the trust of that handoff or you can no longer hold them accountable.
The same is true of risk.
Joe: [00:23:31] Yup. That makes sense. Let me ask you just a little bit about the Chief Risk Officer. Traditionally, as I understand it, the Chief Security Officer CSO has been responsible for physical security and safety of employees, assets, facilities, et cetera. While the Chief Information Security Officer has been responsible for protection of data may have, you know, an IT systems or an engineering background.
Why should a company move to a Chief Risk Officer rather than a [00:24:00] CIO or a CISO, you know, what’s the case for that?
David: [00:24:03] And I don’t think it’s a rather. Everybody has specializations. The Chief Risk Officer, one of the things that they’re able to do is to aggregate and bring it all into a common framework. A CISO is going to be concerned or a CIO are going to be concerned more than just about the impact of risk taking on the bottom line of the company. I mean, there’s some very technical issues that they’re involved in. The head of risk management, say, in an investment portfolio, they have a different set of technical things that they’re working on, but their work, their reporting, their analysis looking forward needs to roll up in some sort of a framework where the organization can look at itself at a big picture.
Once it gets up to the board, you don’t necessarily want to have business unit specific discussions about whether you’re taking the right risks. It’s really a question of how is the CEO looking at this and how is the CEO incorporating all these different moving parts? I would say the Chief Risk Officer is [00:25:00] somebody who has that task of taking all these disparate technical skills and technical roles and bringing them into a common risk framework.
Raza: [00:25:09] So David then, from the board’s perspective or the risk committee’s perspective, what do board members want to hear from CROs, CSOs, CISOs? What is the kind of information that should be coming up to that function?
David: [00:25:24] Well, the really good Chief Risk Officers are the ones who think like business people. Okay. They’re not control people. They are people who have the same mindset of an entrepreneur, the same mindset of the head of a business unit. In fact, the best thing that risk managers can be doing within the business units is advising those businesses on how to take risks well.
The questions that come back to the board, Risk Committee or board as a whole are really ones about the whole picture. Let’s take the Chief Risk Officer, put them in a Risk Committee meeting and I think some questions that that Risk Committee might ask of that person on a regular [00:26:00] basis, a couple of examples are: what’s changed in our risk taking since you last talked to us. It’s pretty open question, but that person, if they’re a good Chief Risk Officer, they’re already going to have been thinking about that. They already have things that concern them or things that are interesting to them that they’re going to want to share with you. Since they think like a business person, one of the other questions you might ask is “what opportunities to take risks better do you see?” “Are we competitive in terms of what it’s costing us to get the capital to pursue our objectives?” That’s a really critical one. “What aren’t we looking at closely enough?” Again, getting to this idea, something more that, that maybe at the board, it hasn’t popped up yet.
I think another really important one, because sometimes there’s a conflict in risk management with the business units is “what can we be doing to support you?” So does the Chief Risk Officer feel like they’re being supported within the organization and by the board or do they need something more? And then one, I think that’s [00:27:00] really critical is, “is there a free flow of information in the organization?”
Raza: [00:27:04] If you extend this, then, some people would argue that at the end of the day, isn’t it the case that the CEO of the company is really the Chief Risk Officer?
How does a Chief Risk Officer in a company that doesn’t have any real impact on them if the risks that they’re tasked to manage blow up, is the risk management job, even real without any skin in the game?
David: [00:27:28] An answer to your first question it’s yes, especially from a board perspective, the Chief Executive Officer is the ultimate Risk Officer for the organization.
There are some countries in some jurisdictions where Chief Risk Officers are hired by the board where Chief Financial Officers are hired by the board. And I think what we wind up doing at that point then is again, diffusing, accountability. The board has the responsibility to validate what’s being represented to them. That’s different than hiring the Chief Risk Officer. If I want to ask a question of the [00:28:00] Chief Risk Officer to validate what’s being represented to me by the CEO, that’s not just fine, that’s part of your fiduciary role.
This question about skin in the game: there was a time when risk managers were seen as owning the downside. Well, if risk managers own the downside, then that means the business unit owns the upside. Again, accountability goes away. Because why didn’t my risk manager take care of that?
A few minutes earlier, I was talking about this idea of the risk managers, having this role, where they’re advising, they’re advising on risks that maybe the business unit doesn’t understand well, they’re advising on how they might be able to get the capital to pursue this risk better, they’re advising on possibilities of doing the same thing in a different way. Ultimately, it’s still the head of the business unit or roll it all the way up, it’s the CEO who has to decide what the portfolio of activities is going to be that makes the best use of that capital. Then the risk manager has skin in [00:29:00] the game because the risk manager is compensated when there’s success and they also pay the price when there’s failure. You want them to have an interest in the upside. If a risk manager thinks their career is based on not having loss, guess what they’ll pursue.
There was a time in the 1990s, I don’t know if you guys remember Procter and Gamble and Gibson Greetings, and a few other places that had massive derivative losses. Well, I had a role during that time as a very short period of time, they had this role where the risk manager was supposed to be the cop. Find everybody who’s doing stuff that’s out of policy and make sure they don’t do it. That’s a horrible relationship. I mean, those relationships just don’t last and they’re not very fun.
I really advocate for this idea that business lines and businesses own the risk and the risk capital is something that the organization owns. You compete for risk capital. You compete for the capacity to take the risk and pursuit of what you want to do as a business unit. And sometimes your ideas don’t pass muster and part of the reason they don’t pass muster, just because [00:30:00] you have a good risk management person telling you the cost of taking those risks. Sometimes the risk manager says, Nope, you’re not taking enough, go for it. This is a great risk to take, especially given what we do in other parts of our business. I think that gives them skin in the game and I think it’s a really good question Raza. You want everybody, everybody who has some business mindset to them, to have skin in the game.
Joe: [00:30:22] What should board members look for in management with respect to risk reporting? What should they see? What are helpful tools? What’s the dialogue like? Can you talk a little bit about that?
David: [00:30:36] Yeah. So again, it’s like that question before. It depends on what the organization’s structure is and the kinds of risks that they face and that’s going to shift throughout time.
You know, cyber risk has become a massive concern and it’s been there for a while, but, one of the things that the DCRO, we did a survey recently and I want to say, I’ll get the number wrong [00:31:00] here, but let’s just say there’s a multiple fold increase in the amount of phishing attacks that companies are seeing because they have employees working home. I’ve seen people who are really smart fall for these because they’re getting good. If you’re on your iPad and you click on a link, and you can’t mouse over that link to see what the link takes you to, you’ve just fallen over for that phish. Cyber risk is something that organizations have to have pushed farther forward now.
Reporting on the human story, what are we doing in terms of understanding our customers different needs in the pandemic and what those needs might be two to three years from now? What is it that we’re seeing financially? Are there changes in the financial flows that we’ve heard based on some outside event or some internal event that gets into more of the data. You’ve heard people talk about heat maps and ways for people to summarize things they should be concerned about by making them red, green, [00:32:00] and yellow. I find those to be shortcuts that take away the value of a discussion of why somebody thinks you should be looking at an issue positive or negative.
I’m not a big fan of these heat maps. Ultimately what we’re trying to get to is this transition from risk is downside or I get risk because I’ve been successful in my business to saying risk is something that costs us money. It’s much harder to see it because it doesn’t necessarily appear on an income statement, but it does cost because either in reputation or financial cost or borrowing, whatever it might be, you need all sorts of forms of capital to pursue whatever your goals are. Ultimately what we’re trying to get at is to say through the reporting back to the board, how do we know that we’re making the most effective use of this really scarce thing we call capital [00:33:00] and human capital, technical capital, IP, financial capital, whatever it might be. How do we know that we’re getting the most use out of that and without crossing that line, that you talked about management, the answers that you’ll get will tell you whether you should have faith in what’s being told to you because the CEO should know this is being allocated and how they’re making those decisions.
They ought to be able to spell it out, in ways that are clear for the board. I think it’s a dynamic process, just like every board discussion I’m sure you’ve been part of Joe. The things that are there change each meeting based on the environment that you’re faced with, but I like discussion, I like the qualitative analysis maybe more so than the quantitative analysis.
Raza: [00:33:40] David, we talked about it earlier, you’re the founder of DCRO, can you tell us what led you to create that group?
David: [00:33:47] When I left PRMIA before was to look at that next gap between the Chief Risk Officer and the board and the C-suite and the board. DCRO stands for Directors and Chief Risk Officers group. [00:34:00] It’s a collaborative, it’s a non-revenue entity. You could call it my hobby but it’s something I really enjoy and we have members now about 120 countries. It’s a couple thousand, maybe 2,500 members, and we collaborate by sharing our best practices.
I have a podcast, similar to what you guys do to talk about specific risk governance issues. We’ve put out best practice documents to help people create board Risk Committees, Compensation Committee, Risk Governance, Cybersecurity, how you find the right kind of people who have this stochastic mindset that I talked about and our goal there is to raise the practice of Risk Governance at the board level, because if you think about some of the social issues that exist, all of our organizations have relationships that extend way beyond the legal boundary of our company, to extent that our corporations are more effective risk takers, they’re better employers, they’re better at returning into their community, they’re better at serving their [00:35:00] customers, they’re better at serving their suppliers. All of these relationships become better. My wife was a pastor. It was much easier for me to point to the things that she did to make lives better than what I did. But I could through about three or four different steps go through to the point where what I’m doing today can make people’s lives better. I think a lot of the people we have in the DCRO are smart, giving people who want to see us all do better in whatever it is that we’re pursuing.
Raza: [00:35:27] Talk a little bit more about what DCRO offers its members and how do people get involved and engaged?
David: [00:35:34] Let me talk generically about the DCRO, the whole goal there when I’m working with individual board members and then pushing these documents out to boards as a whole, is to get them to think about what they’re doing differently. Where I come in and work with individual board members, the conversations might be here is the situation I’m facing this week, how do you think I might address this with my board members?
I’d mentioned cultural issues or we’ve got [00:36:00] this emerging challenge in our subsidiary in Latvia. I don’t have any clients who have subsidiaries in Latvia, so I’m safe, but I can have a perspective that I bring from conversations with these people all around the world, or if I don’t have that perspective, what I’m able to do is to reach out to somebody in the DCRO and say, Hey, do you mind if we have this conversation or even better, I connect those two people and they have the conversation together.
When I try to work with boards, I try to introduce people to each other because, you’ve got a boards that you serve on that there are companies, yes, that would be similar enough, but are not direct competitors that you might find it interesting to talk to a board member about it.
If you go to an NACD meeting or the same kind of organization and other countries, one of the most valuable things you’ll do there is meet other board members and you have a one off conversation and that conversation takes you down a path you’d never anticipated, and it might be a relationship you have for years but you get something good about that interaction. We’re really [00:37:00] trying to do that. When I work with individual board members is to say, here’s some resources you may or may not have known of and here’s some things you might want to think of. Here’s some stuff that I’ve done or seen others do and I find that when I work with the individual board member and they bring that to the board themselves, that’s much more effective than having a consultant come in to meet with the board as a whole, because regardless of whether the board is hiring that consultant, that consultant is still an outsider and when the change comes from within when the change it comes from somebody they’ve worked with and the respect, I think it’s much more, more successful. Sometimes these things take two, three years to come to fruition. I’m like a counselor. It’s nice because I do have a lot of people I can connect people with and I’ve seen a lot of different ways of doing things and so I’ve generally been pretty good at being able to connect people.
Joe: [00:37:50] David, Raza and I both really enjoyed reading your most recent book: The Board Member’s Guide to Risk. I thought it was comprehensive and accessible [00:38:00] and that’s really what makes it, I think very valuable. Why did you decide to write the book and who is your target audience?
David: [00:38:07] Well, I appreciate those kind words and one of the words, particularly that you use, that I appreciate most is accessible. So it’s easy for people in risk management to start getting into technical speak. And, even if you, if you read my first book, I mean, my first book has some pretty deep ideas in it and you know, my wife made it through maybe the third chapter. I can’t remember. She never finished the whole book. And I told her I wasn’t offended by that, but you know, it’s, there’s, it’s still out there and I still remember that.
But if you can’t get people to a common point of using language or understanding people will resist talking about something. So if I walk into a boardroom and I start rattling off about risk topics that I’ve worked on for 35 years, I guarantee you at least a third, if not two thirds of that board won’t understand much of what I’m talking about [00:39:00] and because they don’t want to sound like they don’t know what they’re talking about, the discussion won’t go any further.
So one of the key objectives of this book was to create something that is small enough, accessible enough to use the word that you had used, nontechnical enough, that you could almost have a book club at the board and say, we’re all gonna read that this book, if you understand risk, you can read this book in an hour and a half, if you don’t understand risk, it’s going to be maybe two and a half hours. So you’re not looking at a huge commitment of time but in the same way that people who are in book clubs come back to a discussion and say, well, what are the key things you took away from this? What are the key ideas we think that resonated with each other that starts a great discussion about risk.
The other thing about it which was really important to me was that we get away from this idea that risk is about loss or uncertainty and in particular, that risk and opportunity are two different things. As soon as you take [00:40:00] risk and put it in the realm of loss only, it becomes a negative, it’s framed negatively, we have all kinds of social psychology studies on how people respond to negative framing of discussions and questions. We’ve got to get past that and we know that organizations have to take risks or they go away. I mean, that’s essential for the long-term survival of any organization, so let’s make sure we take risks smartly.
The first chapter in the book is about that. It’s about coming from where we likely are today, which is risk as loss and getting to a place that’s much more positive, learning, in essence, to embrace risk.
Joe: [00:40:38] One of the things that really struck me was your discussion about risk in the context of group think. Which creates risk, you know, on this show and, and really everywhere in governance we talk about the importance of diversity on a board, and there’s so many reasons for that, but I love the way you put it in talking about the risk [00:41:00] that would you refer to as group think creates.
Can you talk about, how that again makes the case for the importance of diversity at the board level?
David: [00:41:11] And we talked just a little bit about this earlier. I hinted at it a little bit earlier when we talk about some of the issues of, of boards under threat, but, you know, you had asked in the last question and I don’t think I ever answered it with the target market was for the book. But it’s boards, C-suite, the MBAs, like I had, I’ve mentioned before.
In part, because we need to have this change of mindset about risk, but two things happen at a board that can stimulate this kind of, well, maybe three things that can stimulate this kind of group think. One is that we really like people who are like us. Generally, we do. So if you have a board nominating people to join the board, to replace people who are leaving, they’re almost always going to be more naturally drawn to people who are like them. We see that in our social [00:42:00] sorting in all parts of our own lives. It’s much easier for us to be around people like us, who agree with us. In times of threat, when an organization’s facing a competitive challenge or crisis, like we’ve got with COVID, I mentioned how we’re pushed towards these sort of tighter controls. We also were pushed then to be more like each other and to not want to do anything that’s different. When times are really good, though, we have a similar problem in that we stop listening to other people, particularly outside of our group, because we’re so good at what we do. I want to challenge you guys to tell me where the closest Kmart is. Did you guys have Kmarts out there? I’m not sure if you had Kmarts out there.
Raza: [00:42:43] We did, the last one, I know where that one was.
David: [00:42:47] Yeah. In the Midwest, they dominated and they knew what they were doing, right. They lost, they lost perspective that somebody might know what they’re doing better than, than those people did because of their success.
In our trading rooms, we [00:43:00] used to have this expression, the gods first make proud of those they would destroy. It was really helpful to have somebody else in the room, tell you that at the time that you thought the most of yourself, because it was a good reminder that things can go wrong. When you push for and when you demand diversity again, not just gender and race, but experience. When you push for that diversity among a board, you make it far less likely that any of these situations take hold because people come from problems and come to problems with a different set of experiences. So it’s one of the great challenges in our lives, right? One of the great challenges in our lives is to develop an understanding of where somebody else has come from. And to listen and learn from that. That’s one of the reasons why diverse boards are better generally than non diverse boards. And again, it’s diversity across all sorts of measures. It’s because people come to problems with a different set of experiences to [00:44:00] solving problems and since they’re on the board, they’ve probably been sitting successful at solving problems in a different way than the others. So when we have to be nimble, when we have to change, we have to innovate. We have to be able to respond in a competitive environment, or even at nonprofits, honestly, to have these diversities of experience and perspective and incredibly important to have that an openness to hearing those and learning from those, our boards become better.
Joe: [00:44:28] So essentially you’re saying there is an inherent risk in having a board that’s undiverse, because people are thinking alike, they’re going to miss something.
David: [00:44:38] It’s one of the reasons why I don’t like when publicly traded companies try to make it difficult for shareholders to nominate people to the board because the people who the board is bringing, yeah, they may, they may be great for the board and the board may have gone through nom gov and said, we need this talent set. We need this skill set. We need this experience set. But there are [00:45:00] people who have every interest in that organization succeeding the same, if not more interested in that organization succeeding as the existing board does, who may have people, they think it would be even better for the board at this time, because they’re looking at it differently. So yes, it’s critical in order for the organization to achieve its best.
Raza: [00:45:17] David, I have my favorite story from the world of risk, where a turkey is fed every day, reliably, and every day the turkey gets food makes the turkey believe that they will get the next meal, and their belief even stronger in that, of course it goes on until the Wednesday before Thanksgiving and then abruptly there is a catastrophic event of great impact to the turkey. From the turkey standpoint, it is a Black Swan event, but from the butcher’s perspective, it is not. How can boards and then, an enterprise avoid being a turkey? What do they need to do to be able to deal with the unknown [00:46:00] unknowns?
David: [00:46:01] Well, you know, this example or this story that you cite resonates a bit more with me cause, out here in the Midwest, I happen to live near some turkey farms. So I see turkeys in horrible conditions in cages, on the backs of trucks, going off to discover what the butcher already knew.
You know, I suppose there’s something in this that really relates to the conversation before about the gods first make proud of those they would destroy. If you’re only focused on how good things are and what you’re doing to get more of what’s good or if the good is just coming through and you don’t seem to be having to do any work for it. Turkeys, at least that I’m aware of, can’t organize and communicate. Maybe they communicate, but probably not at a level that allows them to organize. If they could, it’d be a pretty dangerous thing to start putting them on that truck because they would have already thought through this. Now humans, we, we thankfully have the benefit of the ability to communicate.
So for us, I think the question isn’t why, or the question [00:47:00] isn’t, what’s going to happen tomorrow, but there’s a good question to ask: “why are we getting this food?” Why is it that our customers are buying our product? Why is it that we have this market position? And then the natural conversation has to go to what could change that.
And, and so, you know, maybe your outside consultant is the butcher. And if, turkeys could organize and talk, somebody might say, you know, I’ve heard of this thing called a butcher. Why don’t we have him come in and talk to us about, you know, his job and if, and if it did, you’d have a much smarter set of turkeys.
So, so there’s, you know, maybe I’m, maybe I’m taking this analogy too far, but the idea is that that as long as we’re getting different perspectives, and as long as we’re always questioning what it is that we do well and why it is we’re being paid for what we do. I think we can avoid that fate for the most part, when you respond, let’s say they they’d also have this resiliency. They also had this problem response mindset. If the [00:48:00] truck showed up, that’s when they would organize and do something.
Joe: [00:48:02] The best answer to the turkey question that I’ve heard yet.
David: [00:48:07] I’m glad to hear that. Thank you.
Joe: [00:48:09] No, but it makes perfect sense to me. That’s why that is the answer. Actually, you need to think beyond why is this, you know, it’s good now you really need to think about the future and ask questions about what is going into making today good and what could disrupt that? And to the extent you’re not doing that, you’re not doing your company, your business, or whatever, endeavor in which you’re involved you’re not doing any favors.
David: [00:48:36] And I think that’s part of how boards are evolving, Joe. It’s becoming more of a job. And I think that limits the number of boards people can be on now in ways that it didn’t before. So it wasn’t all that uncommon 15 years ago to find people on five, six boards of large companies, it’s pretty hard to be on more than two or three right now. And to do the role as you just described it. And I think that’s a good [00:49:00] change.
Joe: [00:49:01] Excellent.
David, it’s been great speaking with you today. Thanks for joining us. I hope you and your son and your daughter will continue to be well and stay safe, and thank you all for listening today to On Boards with our special guest, David Koenig.
Please stay safe. Take care of yourselves, your families, and your communities as best you can.
Raza, please take care. I hope you and your family continue to be well, and that you are staying safe also.
Raza: [00:49:30] Yes, Joe, we’re all staying safe. Thank you. And I hope you and your family as well.
David: [00:49:34] And thank you both. I really enjoyed this conversation.
Joe: [00:49:37] Thanks David. Thanks Raza.
© 2022 On Boards Podcast. All Rights Reserved.