Boards must mitigate risk by having a clear destination, getting input if needed, reading the dashboard data, and making judgments.

I believe in capitalism’s strength and resilience. With the same survival-of-the-fittest efficiency living organisms have tapped for millennia, capitalism will adapt to survive now. But as we work through this difficult time and try to unbundle all that’s happened, we must not overreact. The capitalist system should be met with practical self-evaluation about an intelligent response to both regulators and shareholders. Effective, not reactionary, governance and oversight will strengthen the system and move us forward.

While regulators and investors deserve to be reassured, I grow concerned that loud, public cries to better manage risk will effectively diminish our capacity to take risks. Ironically, this potential pendulum-swing of reaction becomes a new risk in and of itself. An overly conservative approach will tamp down innovation and growth. Too much board time focused on risk will draw directors’ attention away from other issues more important to long-term value creation. And perhaps most importantly, if directors slip into an operational risk management role, it will undermine the CEO’s authority to lead his or her company. Put simply, reward requires risk, and the oversight for those risk profiles must be reasonable. Corporate leaders have to get this balance right.

It’s time to move beyond risk modeling, which clearly has its place. To get this right, we need a practical process that will add insight and quality judgment to the mathematical models. As with all results-focused processes, it must be built on specific expectations, clear roles and responsibilities, and accountability.

There’s no one-size-fits-all approach, but here’s my take on the major components.

Define your tolerance for risk and how you’ll gauge it. The board establishes risk parameters and defines a dashboard of metrics that demonstrate adherence to the policy. Directors must understand all of the material risks to the corporation, and they need it all in one report so oversight quality is clear. At a minimum, the view should include reputational risk, operational risk, and human capital risk. This type of report will enable appropriate discussions on risk/reward correlation with a sharp focus on mitigating risk.

Put the CEO in charge. Performing within the parameters of the risk policy needs an owner, and in my view, that should be the CEO. There is a role for a Chief Risk Officer going forward, but without clear ownership, there is no accountability. The CEO owns this issue.

Hire a Chief Risk Officer. The CRO reports to the CEO, but the board should have a role in selecting this person and ensuring this role’s incentives are in line with its primary responsibility, which is to identify significant threats to long-term growth and value creation.

Connect the risk officer to the board, but not in a way that weakens the CEO. By creating a separate reporting link for the Chief Risk Officer to the board, you strengthen his or her internal position and make it easier for the CRO to get needed data and insight. But nothing should be put in place to weaken the CEO’s authority. Some will say that a CRO should report directly to the board to “keep the CEO honest.” For me, if you don’t trust the CEO, that is a separate issue. Discuss replacing the CEO with other directors. If you find you’re alone in your assessment, resign from the board. Your own reputational risk is too great.

Establish a risk committee. Many are calling for board-level risk committees, but I believe this is a senior management committee. The CEO chairs this committee, which reviews risk data, makes recommendations to the board on the most effective ways to balance the potential risk and reward of specific strategies, and provides the requested dashboard data. Working with this committee, the CRO defines ERM program objectives, assessment framework, and a common “risk” language for the organization. The board will define the risk profile, but determining how to execute risk management initiatives within the organization is the risk committee’s job.

Ensure the full board is engaged in this discussion. All directors should receive and evaluate this data. If this conversation gets delegated to a board-level committee, director accountability will be diminished. Effective enterprise management is a vital and shared responsibility. It’s too tempting for directors to think it’s “handled” if it’s taken up by a board committee. This is a full board issue.

Hold the CEO accountable. Unjustified variance from the risk parameters must have consequences. At a minimum, the compensation committee should embed adherence to the risk policy into the CEO’s compensation structure. If a CEO cannot get results within reasonable risk parameters, then it’s the board’s responsibility to replace him or her.

In the end, moving forward requires risk. Every time we get in a car, there’s risk. But we mitigate risk by having a clear destination, getting input if we need it, reading the dashboard data, and making judgments. That enables us to move forward with confidence. A clear process, with the right roles, will focus corporations on what shareholders truly care about — long-term value creation. It would be a mistake for us as corporate leaders to participate in a discussion about throwing away the keys to the car.

©2009, All rights reserved. Stuart R. Levine, the founder, chairman and CEO of Stuart Levine & Associates, is a director of Broadridge Financial Solutions, and chairman of the governance and nominating committee and lead director for D’Addario & Company.