Jay Heilbrunn, president of The Distributor Board Inc and a director on the boards of private companies and organizations over the years, recalls a board meeting at a company whose biggest customer represented a substantial slice of its business.
“What’s the plan for taking $2 million out of expenses next week?” Heilbrunn recalled asking the managers. “They kind of looked at me like this is really a strange question.” Heilbrunn said he persisted: “Well, when this customer leaves, we’re going to have to jettison $2 million of expenses, and where’s it going to come from?”
The managers responded that the customer was solid and wasn’t going anywhere. “Well, guess what?” said Heilbrunn. The customer left. “And now we have to scramble because we’re in crisis mode in terms of the expenses and the profitability of the business.”
Heilbrunn shared his war story while speaking on a four-person panel at last week’s event, Risk: It’s a Board’s Game, hosted by the start-up New York City chapter of the Private Directors Association. “I’ve run into concentration risk many many times with businesses I’ve been involved with,” he said. “And they can be very devastating.”
Concentration risk belongs on any good list of business risks that boards need to be aware of. Such a list would include acquisition, geopolitical, technology, financial, competitive, legal, management, operational, reputational, and staffing risks, the last a factor in industries or regions with labor shortages. And no list would be complete without cybersecurity.
“It’s a really really really bad day when you get a call at midnight from your IT department [saying] our systems are down and we can’t get them up,” said Heilbrunn. “Ransomware is a real problem today.”
Risk is a subject that board members have to take seriously, not least because they could be liable when things go south. To be sure, courts grant board members of Delaware-incorporated companies broad discretion in overseeing risk management so long as they use their best business judgment, said fellow panelist Elina Tetelbaum, a corporate partner with Wachtell, Lipton, Rosen & Katz (seated far right in picture above).
But she pointed to two court decisions from earlier this year holding that directors could face liability related to their duty of oversight. In one of them a Court of Chancery cleared the way for plaintiffs to claim that the board of Clovis Oncology turned a blind eye to evidence that the company was exaggerating the effectiveness of a cancer drug in clinical trials.
“It’s not that you have to be in the weeds and really manage the risk,” said Tetelbaum. But if you witness red or even yellow flags, “you may find yourself in situations where you are held to account…”
Said Lisa Vandesteeg, partner of law firm Sugar Felsenthal Grais & Helsinger and moderator of the panel (seated far left in picture): “It is the job of a board to [ensure] that their management teams have adequate risk management policies and procedures in place.” Risk management, she said, “involves the identification, assessment and prioritization of risks and the application of resources to minimize, control and mitigate the impact of unfortunate events on businesses.”
Other advice for board members to come out of the event:
* Agree to an overarching approach for overseeing risk;
* Define the right risks to keep tabs on; these vary by business, depending on such factors as industry and size;
* Ensure that the management team gets on board with a risk management and mitigation strategy;
* Keep up with new risks by regularly surveying the management team about how risks are changing; update policies as needed;
* Develop “key risk indicators” where possible; decide the threshold beyond which management should escalate a situation to the board;
* Avoid the temptation to pile all the risks onto the plate of the audit committee; at a minimum consider moving non-financial risks to a separate committee;
* Make sure that key committees assigned risk oversight remain active and engaged with the main board on the issue; the board should never wash its hands of a risk by delegating to a committee;
* Include on the board a member who has experience in risk management;
* Keep up with new regulations, such as those springing from EU privacy laws;
* Don’t act in knee-jerk fashion when confronted with a potential crisis. Did a board member get an anonymous letter indicating the CEO had an inappropriate relationship with an employee? Get the facts and make sure the accusations are grounded before taking disciplinary action;
* Don’t let personal relationships with fellow board members or the management team cloud your judgment.
Action item: Learn more about the Private Directors Association from its Web site.