CLASS: Five elements of corporate governance to …

1 CLASS: Five elements of corporate governance tomanage strategic riskStephen A. Drewa,*, Patricia C. Kelleyb, Terry KendrickaaUniversity of East Anglia, Norwich, United KingdombUniversity of Washington, Bothell, Washington, USAA bstractStrategic risk management is an increasing concern for both boards andsenior executives. Many recent business failures are due to senior level misjudge-ment and mismanagement of risk, the consequences of which can range fromembarrassment to serious setback to bankruptcy. Ineffective risk management putsotherwise strong business models in jeopardy. Here we present CLASS (Culture,Leadership, Alignment, Systems, and Structure), an integrated, five-element modelof corporate governance . We identify how attending to the elements in thisframework supports development of an integrated and robust approach to corporaterisk, and helps senior executives anticipate and handle the complexities of riskinherent in meeting strategic Kelley School of Business, Indiana University.

2 All rights Risk management : A need for a newlookBoards of directors are increasingly willing to takefirm managerial action to mitigate the downsiderisks of strategic change. In February of 2005, forexample, the directors of Hewlett Packard sud-denly removed Carly Fiorina as CEO because ofher management of the risks and slow progressof the complex HP-Compaq merger. Recent pro-secutions and executive turnover at numerouswell-known corporations ( , AIG, Marsh andMcLennan, Bank of America, Citigroup, Parmalat,WorldCom, Enron, Nortel, and Lucent) also dem-onstrate growing intolerance of strategic miscal-culations by regulators and investors. Sir PhilipWatts, chairman of Royal Dutch/Shell, was forcedto resign in March 2004 when overstatements ofthe company s oil reserves and poor results in oilexploration generated a public scandal. As well,Maurice Greenberg stepped down in March 2005as CEO of insurer AIG, following investigationsinto bid-rigging and fraud in the different view of the practice of risk man-agement needs to be taken.

3 Numerous changes,0007-6813/$ - see front matterD2005 Kelley School of Business, Indiana University. All rights ( ( Kendrick).KEYWORDSS trategic riskmanagement; corporate governance ;Enterprise riskmanagementBusiness Horizons (2006)49, 127 2006 by Indiana University Kelley School of Business. For reprints, call HBS Publishing at (800) 189including those that occur as a result of rapidlychanging technology, developments in the globalbusiness environment, the spate of recent inves-tigations and prosecutions, and the pressure forreform in corporate governance , demonstrate riskmanagement is more complex today than everbefore. In the era of the Internet, stakeholderactivism is more powerful and widespread. Thenumber of environmental and social activists andnon-governmental organizations (NGOs) has in-creased significantly in the last decade. ProfessorsHart and Sharma (2004, p. 2)describe how, in waysimpossible a decade ago,bsmart mobsQare nowable to communicate and coordinate their activi-ties using websites, email, and mobile communica-tions.)

4 Moreover, they illustrate the ways in whichthese smart mobs have precipitated strategicchangeatfirmssuchasMonsanto,She ll, and poor strategic risk manage-ment can quickly erode competitive illustrated by the increasing number ofstrategic blunders on the part of major corpora-tions, improved decision-making processes havebecome more and more urgent. ProfessorNutt(2004)investigated the causes of two publicrelations disasters: Shell s plan to dispose ofthe Brent Spar oil platform, and Quaker s costlyand unwise takeover of Snapple products. De-scribing how these firms mismanaged strategicrisks by limiting their search for options, makingpremature decisions, and misallocating time andmoney, Professor Nutt demonstrates how thecontext for strategic decision-making has becomeever more challenging in the face of complexstakeholder influences and a host of environmen-tal to these challenges is the spate ofregulatory reforms.

5 In the United States, theSarbanes Oxley Act of 2002 has increased boardand senior executive responsibilities for risk, andforced a more top-down approach to corporategovernance. The Turnbull report and future regu-latory review will encourage similar rigor andtransparency in the United Kingdom. The EuropeanCommission also plans to strengthen governance byrequiring stronger corporate controls on financialpractices, reporting, and risk , strategic risk management is not limit-ed solely to making necessary improvements incorporate governance and ethics. It includes man-aging risks that threaten a firm s long-term com-petitive success and survival: risks to its marketposition, critical resources, and ability to innovateand grow. In response to the increasing number andtypes of risks today s firms face, leading corpora-tionssuchasGE,Wal-Mart,BankofAme rica,andIBMhave begun to adopt enterprise-wide approaches torisk management (described inInset 1).

6 Inset1 Enterprise risk management and strategicrisk managementEnterprise risk management (ERM) refers to abroad approach to risk management thatincludes strategic risk management . Mostrecently it has captured attention as thefocus of a report by the influential Committeeof Sponsoring Organizations of the TreadwayCommission (COSO). This committee devel-oped the COSO I framework, accepted in 2003by the SEC as a best practice guideline forSection 404 of the Sarbanes Oxley Act (SOX404), which relates to reporting of internalcontrols. COSO I was expanded beyond report-ing of internal controls to enterprise riskmanagement in the COSO II framework of2004. It will likely be widely discussed andimplemented in future is described by the Treadway Commis-sion as encompassing all business risks andopportunities, in contrast to risk managementby department or function:bEnterprise risk management is a process,effected by an entity s board of directors, management and other personnel, applied instrategy setting and across the enterprise,designed to identify potential events thatmay affect the entity, and manage risk to bewithin its risk appetite, to provide reasonableassurance regarding the achievement of its new, integrated enterprise risk man-agement framework, COSO envisions ERM as acontinuous process that is overseen by seniorexecutives and boards, and as the responsibil-ity of everyone in the organization.

7 COSO identifies components of ERM and makes adirect relationship between these and organi-zational objectives, including strategy, opera-tions, reporting, and compliance. As describedbyLevinsohn and Williams (2004), the COSO IIframework is a very broad one that includesboth strategic risk management and : Retrieved March 7, 2005, Drew et CLASS: The five elements , strategicrisk management , and corporategovernanceWe believe effective risk management must bedefined broadly in order to avoid strategic identify five integrated elements that underpina firm s ability to manage risks , engage in effectivecorporate governance , and implement new regula-tory changes: Culture, Leadership, Alignment,Systems, and Structure. Referred to, for the sakeof convenience, by the acronym CLASS, eachelement relates to the others. For example,organizational culture is shaped by leadershippractices. Systems support organizational structureand shape its culture.

8 Alignment ensures eachelement is harmonized with the others so that,for example, explicit cultural norms are reinforcedby leadership, and systems reinforce the one element stands and senior executives can review eachCLASS element to build and fortify risk manage-ment and governance capabilities. AsFig. 1illus-trates, each element positively reinforces theothers and strengthens strategic risk engaging in an examination process, boardmembers can map organizational challengesagainst these elements , identify areas in need ofimprovement, and plan change management pro-grams. Superior risk management programs andstronger firm governance capabilities Element 1: CultureIn October 2004, Marsh and McLennan was suedby New York attorney-general Eliot Spitzer forrigging bids on insurance contracts and acceptingspecial contingent commissions. As a result,CEO Jeffrey Greenberg was ousted, the firmwas forced to reach an $850 million settlement,and the loss of revenue from special commis-sions forced drastic job cuts and share pricedeclines.

9 Cultural problems were an importantroot cause of these woes. Not only was Marshand McLennan known for its arrogance and se-crecy, CEO Greenberg set high financial targetsfor his managers which, if not met, could leadto dismissal. This cultural intolerance of failureresulted in some managers engaging in exces-sive risk-taking, rule-bending, and gaming has also suffered setbacks manyattribute to cultural deficiencies. In September2004, Japan s Financial Services Agency (FSA)terminated Citigroup s private banking operationsin that country after investigations into allegedimproprieties. This decision cost Citigroup $244million in the fourth quarter of 2004 alone,denied the bank access to wealthy Japanesecustomers, and temporarily shut it out of Japa-nese government bond auctions. FSA investigatorsfaulted a culture where profits were chased atany several other high-profile examples, culturesthat maintain an attitude of arrogance, encouragesecrecy, and/or create an unwillingness to admitfailure have spawned disastrous consequences.

10 AsSchein (1996)notes, culture is one of the mostpowerful influences on organizational decision-making and strategy. It can be a vital aid tostrategic risk management and a source of com-petitive advantage; however, culture can alsocontribute to destructive behaviors. Aspects ofSTRATEGIC RISKMANAGEMENTC ultureLeadershipSystemsAlignmentStructur eFigure 1 CLASS: Culture, Leadership, Alignment, Systems, Structure. Five elements of corporate governance tomanage strategic : five elements of corporate governance to manage strategic risk129culture that can work against good governance andrisk management include:!Unethical behavior;!Excessive internal rivalry;!Intolerance of failure;!Propensity for risk-taking;!Secretiveness; and!Persecution of people who speak up (bwhistle-blowersQ).AsFig. 1illustrates, culture is intricately linkedwith leadership, alignment, systems, and orga-nizational structure. ProfessorSchein s (1996)research demonstrates that the founder s person-ality can both create and shape organizationalculture.