How does a Risk Officer help company Directors understand the risks to the business?
A New Risk Executive
Director’s duties are outlined in corporation laws; this is done at the state level in the US. Generally speaking, the duty of care and the duty of loyalty are where a director has the most exposure.
Duty of Loyalty: Directors must place the corporation’s interests above their interests and those of their friends, family members, and any other associates. Additionally, directors cannot take advantage of their positions to benefit themselves, even if it would not harm the corporation, such as using confidential information.
Duty of Care: Directors are instructed to make informed, rational, and prudent decisions through an analytical decision-making process.
If directors uphold these duties, they have protection from litigation. The legal concept is that the directors are making reasonably informed decisions, even if the outcomes of those decisions are negative. Commercial cannabis businesses can be formed under many different business structures that do not all have directors. Still, the concept of duty of loyalty and care will help your top management structure guide the business appropriately. For this article, we refer to the board or the top management structure as the board.
The role of the risk officer is a trusted advisor to keep the board informed of risks so the directors can make reasonably informed decisions. Risk officers provide information to the board on many topics, including information needed to execute their duties as outlined in their job description, challenge management assumptions, advise management on strategy, build value, ensure leadership, and understand regulatory complexities of corporate transactions.
Supporting the Board
A director’s role is complex and requires an experienced and qualified person to fill the role. In commercial cannabis businesses with heightened reputational, administrative, civil, and criminal risks, the director’s positions are even more challenging. Management is responsible for providing information to directors to execute their duties. Many executives have a role in this process; the risk officer’s role is mainly to inform directors of the major risks to the business in the context that allows the director to make a decision. For risk professionals to understand the context of their board members, they should review the director’s job description, board committee charters, and board mission to understand the role of their business’s directors. In general, the board needs information and analysis to challenge management assumptions, advise management on strategy, build value, and ensure leadership. The risk officer should enhance the risk program to address the directors’ informational needs.
By understanding the context of the board, a trusted advisor can provide their advice and information in a format that the directors can immediately use. Keep your information on point, relevant, and focused on the highest risks first. You don’t want or need to answer all questions the directors could have. You are supplying the information they need to know so that they can ask questions if they need to.
A risk officer should be prepared to provide supporting information at the board’s request. Your business’s board will use this information to challenge management assumptions, advise management on strategy, build value, and ensure appropriate leadership. The board oversees the entire business, a view that few employees can share. As a trusted advisor, the risk officer helps the board understand the business by clearly and succinctly presenting the highest risks the business faces so that the board can make an informed business decision with a clear understanding of how it is likely to affect the business’s risk profile.
The board’s ultimate goal is to preserve and enhance the value of the business it serves. Directors must carefully weigh all possible strategic options when deciding whether or not to engage in a particular transaction. Many executives should be involved in due diligence for M&A; this includes compliance and risk professionals. M&A transactions are complex and have multiple stages; compliance and risk professionals focus on due diligence and integration stages. The role of the risk officer is to understand regulatory complexities and other risks of corporate transactions and escalate this information appropriately.
Due Diligence: The parties of a transaction try to identify any material risks that may affect the value of the transaction. The board should oversee the procedures that management and advisors use to identify trouble spots. The risk officer’s role is to focus on uncovering or estimating the business’s exposure to misconduct or noncompliance and determining if weak areas of control need to be addressed early in integration.
Commercial cannabis businesses are licensed. Misconduct or noncompliance generally follows the license holder, even if they were not the license holder during the time in question. Identifying this exposure enables the acquiring business to negotiate for potential misconduct or noncompliance to be borne by the target.
When businesses are acquired or merge with others, the market regulators incentivize the new business to reduce the risk across the new entity. When the new business has an effective plan for integration to reduce the highest risk areas first, this will likely be a mitigating factor should noncompliance or misconduct be found during this time. Thus, the risk officer has to understand both business’s risk profiles prior to integration so that resources are appropriately assigned in integration.
Integration: The new entity board will ideally fulfill the original objectives of the deal. The risk officer must oversee the integration process that affects the highest risks to the business, document the progress, and escalate issues. This information allows the board to manage emerging risks and show their strong risk culture by maintaining or lowering the risk profile of the new business.
Support Your Business
Risk and compliance professionals become trusted advisors because they support executive management and the board. The difference between reporting to these groups and supporting them is building a relationship. By understanding their needs and tailoring your reports to usable information, you will build a foundation of respect and trust. There are many things that executive management and the board need from a risk officer. Respect this relationship by putting the information together so that they understand what you’re saying and why it is important to them. You will find that their respect and trust will be reciprocated.
Know these things
- Formalize a periodic risk report to the board so that there is a routine to what is presented
- Understand the responsibilities of the board so that information can be tailored to their needs
- Provide information in a reasonable length and vernacular so that everyone can understand
- Be prepared to answer questions in the context that the board needs so they can use the information
- Let the board know that risk management provides insight in corporate transactions so that they know to involve you
Spend Time on Relationships
The difference between a job or career in risk and compliance is trust. For risk and compliance professionals to be trusted, they need the request knowledge and experience to allow all stakeholders to understand the role of risk management in the business. The board is an important stakeholder that not only needs your professional help, but you also rely on in order to create a strong risk culture. Compliance and risk professionals build value for their business not just by reporting to the board, but by spending time cultivating a relationship that ensures they are the trusted advisors the board can rely on.
The Association of Certified Commercial Cannabis Experts (ACCCE) is dedicated to advancing the professional knowledge and skills of those committed to commercial cannabis risk management.
Click here for more information on how ACCCE supports our members.