Editor: This is the third consecutive year Clifford Chance has conducted a global survey of this type, but the first time it’s tackled the topic of risk. What drove that decision?
DiBari: In the first two years we wanted to take a closer look at how global M&A activity had been affected in the aftermath of the financial crisis and gain a better understanding of what issues were potentially standing in the way of our clients being able to eventually recapture the same levels of activity we saw prior to 2008. One of the themes that seeped into those initial findings was the view that how boards and chief executives chose to manage risk was playing a significant role in how companies chose to engage – or not engage – in growth opportunities. We see in our daily practice globally the critical importance for boards to hone their focus on risk management, and we believed we could provide the highest value to our clients by ourselves focusing on this area.
Editor: Was there a specific finding that jumped out at you?
DiBari: Since the 1980s boards and chief executives have increasingly been judged on a growing list of criteria, but at or near the top have been financial performance and shareholder returns. I start with that point as background because when we asked the survey group to tell us what their biggest concerns were in the event of a major incident or scandal, 55 percent said they were more worried about damage to their company’s reputation than the impact on share price (38 percent) or financial losses (32 percent). While the concern with reputation is not a surprise, as reputational damage can cause long-term harm to share value, it is clear that boards are looking to do more at their level to ensure better risk management. We believe that their attention is well worth the investment.
Editor: Are you able to attribute this growing focus on managing corporate reputations to anything in particular?
DiBari: The stakes have never been higher for both companies and individuals who serve on boards. Expectations and industry standards are rising. Corporate scandals are not subsiding. Senior leaders see this and want to do more and to be more proactive. They understand that dips in financial statements are often forgotten as soon as performance improves, while a stain on an organization’s reputation lives forever on the Internet and can impair a company’s competitive position indefinitely.
Editor: One of the findings that caught my eye was that 58 percent of the respondents expressed a reluctance to join boards as non-executive directors because of increasing exposure to personal liability. Is that number higher than you would have expected?
DiBari: I don’t find that result surprising, but it is disappointing because businesses, employees, shareholders and communities all benefit when companies are able to attract outstanding people to help guide them. If the pool of applicants is now shrinking, that can’t be considered a good thing. I think the decision to join or remain on a board has become much more personal in recent years. There has always been a risk of exposure to private suits against individual board members, but criminal and regulatory enforcement priorities now seek to hold the senior-most executives accountable – and that’s hard to miss. You have to believe it’s impacting the decisions qualified people are making when considering a board appointment. The current and future environment requires board members to focus much more than before on ensuring a company’s compliance framework as well as its risk management framework. Today, it is widely acknowledged that robust risk management is the foundation on which any adequate compliance program is built.
Editor: But shouldn’t we expect higher standards of behavior and performance from the most senior executives, especially at the world’s largest companies? Is it unreasonable to set a higher bar for those who run our largest corporations?
DiBari: It’s a fair question, and there have certainly been times when senior people have acted badly or recklessly and the enforcement penalties have been appropriate. But that’s not really the issue. The higher standards relate to the degree of scrutiny over executive management’s actions and proper challenge to report that all is in hand. The chief legal and reputational risks for companies today are very complex, and risk management is not a paper exercise: it requires active thought, analysis and perspective. Boards should be wary of projects that appear to be mostly “check the box” endeavors. This applies to several key areas for companies engaged in international business.
Editor: We saw the CEO of Target step down recently following a well-publicized hacking incident. Do you believe chief executives and their senior management teams feel more exposed or vulnerable in light of the growing number of new and evolving risks threatening companies?
DiBari: One of the greatest challenges boards face today is identifying and determining which risks should receive the most attention. It’s a daunting challenge if you think about the array of issues that have come to the surface in recent years. The Target example is a good one because more than half of the executives we spoke to said they’re worried about the prospect of a cyber attack on their own companies – yet only 15 percent said it’s a current risk focus, likely due to more traditional concerns like financial and legal risks, which continue to require a great deal of attention, as well as to the difficulty of actually wrapping your arms around cyber risk in practice.
The growing mix of issues that now have to be managed underscores the challenges boards and C-suites are facing today. Board members are often selected for the decades of core business experience they bring to the table. But that type of experience doesn’t necessarily equip them to understand the pratfalls brought on by social media, for example, or to know the difference between tweeting and twerking. There’s a real assortment today of both predictable and unpredictable risks, and many of the unpredictable ones are tied to – and being driven by – how fast technology is moving. To their credit, increasingly boards have identified their gaps and addressed them. In fact, 92 percent of our respondents said their boards have appointed, or will appoint within two years, non-executive directors with expertise in dealing with specific risks facing their organizations.
The good news is, most boards today get it – they know the types of risks they face are multiplying and require more attention. In the U.S. specifically, 82 percent of respondents told us more time has been invested in risk management by their companies’ boards during the past two years, and 86 percent reported their companies to be much better equipped to address the principal risks facing their industries. These are strong results that indicate senior leaders are not only aware of the new risk paradigm but are engaged in managing them. That bodes well for them and their organizations, less so for the other 18 percent.
Editor: One area we haven’t touched on is the potential impact risk is having on corporate growth initiatives. As we began the interview you mentioned that Clifford Chance’s first two global surveys were focused on M&A. What impact have board attitudes towards risk had on mergers, acquisitions, joint ventures and other investments in growth?
DiBari: On a global scale, 40 percent of respondents said they were concerned their board had become too risk-averse and that it was slowing business growth. That perspective was shared most strongly in this country – a somewhat predictable outcome given the rise in U.S. enforcement actions.
In my view, the issue isn’t risk. There always is and always will be risk, and increase in risk is unlikely to slow. Risk, though, is opportunity, and the more risk the higher the opportunity for return. The key is risk management. Companies with the best risk management systems will have a competitive advantage. I’ve discussed this with our Corporate partners, and we're in agreement that, although it’s imperative that directors take necessary steps to manage risks and protect their organization's reputation, allowing space on the agenda for longer-term business development and expansion has to be part of the mix.
Editor: You appear to be advocating a top-down approach to managing risk – is that a fair statement?
DiBari: Yes. Ultimate responsibility for managing risk ends at the top. The more successful companies understand that it begins there as well. Ultimately, though, risk management needs to be embedded in an organization’s culture – its DNA. Every person in an organization needs to understand that he or she is responsible not only for acting in an ethical and compliant manner, but for maintaining wide peripheral vision on risk. If every employee eye is open, or at least most of them, and there is a system to take advantage of that tremendous amount of information and insight, it would be difficult for risk to sneak up on that company. We note though that only 27 percent of global respondents told us risk management is currently flowing below the management level, and only 33 percent have made it a measurable element of staff performance. So there’s still a lot of work to be done.
Editor: I would imagine your firm in particular would have a pretty good handle on this question because of your global footprint. As companies continue to expand globally, to what extent has it increased the difficulty of understanding and avoiding risks?
DiBari: That’s a great question. It reminds me of an old Star Trek movie, The Wrath of Khan, in which Kirk defeated Khan because Kirk, in their battle of starships, thought in three dimensions, while Khan, a leader from a prior century, was focused on a two-dimensional battle. Operating internationally takes that analogy and increases the permutations exponentially. Not only do you have the additional risks arising directly from business in the new jurisdiction, but you also have new cross-border risk associated with extraterritorial application of law from one jurisdiction to the next, including potential conflicts of law. And that’s not all. Often simple cultural differences inadvertently create cross-border legal risk. This was validated by the survey, where two-thirds of global respondents said cultural differences across their organization’s international operations make ensuring a uniform approach to managing risk more difficult.
Editor: David, thanks for taking the time to sit down with us and walk us through the results of your survey. Is there one key thought from all of this that you would like to leave us with?
DiBari: Well, first of all, thank you for the opportunity to share the results of the survey and our insights based on these findings – we’re pleased to be able to share some of the highlights with your readers while also sharing them directly with our clients in the U.S. and across the world.
I suppose a good way to sum up what we’ve discussed today is that risk is not something you can or even want to eliminate: risk is what you take on in exchange for a return. Nevertheless, profit ultimately comes from how you mitigate and smartly manage that risk. The overall data we looked at from our survey indicates to me that boards and chief executives understand that. Risk management involves a confluence of information and informed judgment. That’s why it’s incumbent on boards to ensure they have adequate information to make informed judgments. Building a risk assessment mechanism that’s tailored to each company and business line is a big job, no question about it. But ultimately, risk management is what we’re all responsible for and what we’re paid to do as leaders.