How Boards Can Understand Risk: An Interview with Charles ..

Show Me: Jump to:

How Boards Can Understand Risk: An Interview with Charles Fishkin by The Corporate Board

stock-photo-18450774-businesswoman-with-binocularsWhile the economic crisis of 2008-2009 scared boards into focusing on risk, many oversights still occur.  Charles Fishkin has an idea why.

Over a career extending more than 30 years, Fishkin has held senior roles across the spectrum of financial services.  He was hired by SEC Chairman William Donaldson to create and lead the agency’s Office of Risk Assessment, serving as its director from 2004 to 2007.

He is author of The Shape of Risk: A New Look at Risk Management (Palgrave, 2006). Fishkin Is an adjunct professor in the Masters Program in Financial Engineering at Bernard M. Baruch College of The City University of New York.

The Corporate Board: Risk has become a major concern for corporate boards, but companies still seem to fumble their risk management. Why?

 Charles Fishkin: A key reason is the dynamic nature of risk. Companies change and evolve, sometimes very rapidly. They enter new markets and new jurisdictions, develop and sell new products, and hire new staff. Markets and industries change rapidly too.

The ways companies approach governance also need to evolve. Governance is a dynamic activity. It needs to be durable, adaptable and flexible. Too often, companies continue along with a governance structure that’s inadequate, or that hasn’t evolved sufficiently to adapt to changes.

TCB: How do companies and their boards assure this risk governance change happens?

Fishkin: An important starting point is to consider the wide range of decisions that companies have to make.  When directors describe their governance, they usually talk about an organization chart that shows the reporting relationships of senior executives, and various governance committees — a risk committee, compliance committee, conflicts committee and other governance committees. They also describe the roles of the chairman, CEO, the board and the various subcommittees of the board, such as audit, risk, compensation and others.

These components are important, but they only speak to a small subset of the decisions about risk that any company makes. It’s important to distinguish between an oversight function and the people who make most of the decisions on a daily basis.

A board of directors meets a limited number of times per year. A risk committee may formally meet monthly or quarterly. Many meetings may last an hour or two, or at most a day. This means that only a few topics are discussed, and in a broad manner.

TCB: How can a board deal with this problem?

Fishkin: The board should adopt an approach to governance that anticipates potential problems. Will an existing governance process be effective under changing conditions? If not, what needs to be done at the earliest stages?

Governance involves setting strategy, allocating people and capital, making investments, designing products, hiring, paying, marketing and all the other activities that a company demands. It relies on data, the use of models and the size of a company’s risk taking. A particularly important aspect of governance is the role of process, especially as it relates to how decisions are made and approved.

TCB: Why is “process” so important to effective governance?

Fishkin: Process is structural. It involves approvals, checks, controls and scrutiny throughout an organization. Effective governance means that decisions can be made in a flexible way, but at the same time have appropriate limits and oversight. Process provides consistency and structure for these decisions that are made every day. If designed properly, process brings scrutiny and challenge that should be applied so decisions are made in a thoughtful manner.

Every decision can’t be analyzed by the senior-most management, but it defines the scope of decisions that require additional attention. Process also helps organizations act with agility.

People know what decisions they can make, and do so freely.

TCB: What about the role of company culture?

Fishkin: Culture is important too. These are the fundamental values that are important in a company. They’re expressed in various written documents, but more importantly culture also informs decisions and actions.

TCB: How does the board distinguish between reasonable risks and those the company shouldn’t take?

Fishkin: Taking the right risks is crucial to sound management. This means that a company must carefully understand the risks it’s exposed to. A decision to manage one risk may give rise to another.  You need to weigh the ramifications of every decision.

TCB: How do you ensure your risk oversight system can handle that?

Fishkin: That’s a complex question. You have to work at it, every day, across all company units. Organizations need strong controls and “checks and balances.” That means oversight processes that have their own identity and will, with strong cultures of compliance and risk management.

There has to be alignment between what management says and what management does. You need to continuously be asking, “Do we have the right staff, the right business model, the right balance between revenue creation and franchise protection?” Look at companies that stumble, and those that consistently succeed.

The difference is often found in the elements that comprise a governance program and governance-centric culture. This includes clear messages from senior management, well-defined processes, and excellent people at all levels, thoughtful pay programs and a well-resourced infrastructure.


Reprinted by


4440 Hagadorn Road, Okemos, MI 48864-2414,

(517) 336-1700 ©

2014 by Vanguard Publications, Inc.

For Reprints contact:

Reprinted in TheGRCBlueBook with permission from The Corporate Board

Related Articles

Related Premium Articles