Date: 2024-04-05

By Amy Chai, Associate General Counsel and Director, Advocacy Initiatives, Association of Corporate Counsel and Adrianne Trainor, Governance Specialist, Nasdaq

In navigating between a company’s board, C-suite and business units and building what some would call the organization’s “connective tissue,” chief legal officers are in a unique position. In addition to serving as a key representative responsible for legal, regulatory and ethical compliance, a CLO’s position, insights and perspective enable them to provide critical support to the board’s oversight of risk.

Nasdaq and the Association of Corporate Counsel recently invited Paul Mascarenas, independent board member at The Shyft Group, who is also Chair of the board’s Governance and Sustainability Committee and a member of its Human Resources and Compensation Committee, and Josh Sherbin, the company’s Chief Legal Officer, to provide their insights on the opportunities and challenges of building strong, collaborative board–CLO relationships and how this relationship is key to the board’s ability to effectively oversee risk.

The Critical CLO – Board Relationship and the Board’s Need for Fluid Insight

According to Sherbin and Mascarenas, given the volatile and often unpredictable risk environment, CLOs and boards must be able to work together effectively to ensure that the board understands and has ongoing visibility on the internal and external risks that are most likely to impact the company. Mutual trust, integrity and alignment on the company’s goals and objectives are critical to building and maintaining the kind of relationship and communication the CLO must have with the board. And as Mascarenas emphasized, the board’s relationship with the CLO is not only at the full board level, but also with the committees, particularly Audit and Governance.

To begin, the board should feel comfortable seeing the CLO as the risk ombudsman (or a critical partner of the Chief Risk Officer, if one is in place) and be able to look to the CLO to help drive oversight of board risk-oversight policies, regularly review the risk and management compliance system and integrate lessons learned.

A good working relationship between the board and the CLO – with regular communication, interaction and transparency – goes a long way toward board support of the CLO. Critical to that support is working with management to set the appropriate tone at the top and building a corporate culture that meets the board’s expectations and lines up with company strategy. Keeping risk oversight – including an ongoing review with management of the company’s risk culture – as one of the centerpieces of board discussions helps to provide key insights for the CLO and the rest of the management team on potential risks.

While the CLO is responsible for helping his or her team “get to done,” the CLO must also be constantly looking around corners and keeping the board updated and informed. Allowing the board to have “fluid insight” on the evolving and wide-ranging risks a company faces facilitates proactive oversight and mitigates against the board’s needing to catch up on its understanding before responding to risk.

Sherbin emphasizes that staying ahead of emerging risks and challenges also requires effective processes. At a minimum, every board and committee meeting agenda should include a discussion and review of key risks and the legal and regulatory landscape, with a focus on fully understanding the risks, i.e., current “status,” potential implications, mitigation plans and the board’s role in the response or proactive strategy.

Given the nature of risks, the Shyft board's discussions about risk are not limited to scheduled meetings. Between meetings, the board and CLO should find opportunities to continue the discussion or raise visibility to newly emerging risks – typically with the appropriate committee’s chair or the full committee. It is important that the CLO proactively connects with the board or the right committee on risk issues and knows what the board needs. Asking the simple question, “What do you need more of or less of?” can help support effective CLO/board risk mitigation collaboration. As Sherbin notes, it is also crucial to step back annually (or more frequently, if necessary) to review and even challenge the effectiveness of the company’s risk identification and compliance processes to identify any gaps. To this end, Sherbin uses analytical benchmarks, such as the United States Department of Justice’s guidance on the design of effective compliance programs.

The Education Imperative

According to Sherbin, “An important part of being a successful partner to the board […] is digging in on your own knowledge of the business.” Understanding not only how the business works, but also the go-to market strategy, development status of and concerns regarding new products and organizational strengths and weaknesses, for example, is essential to being able to properly frame and provide context around the risks for the board.

Furthermore, the CLO must understand what information and guidance the board needs in order to effectively carry out its oversight responsibility and communicate that in a clear and timely manner. The sheer volume of information available on risk oversight and specific risks can be overwhelming, particularly when a new disruptive risk like AI comes to the fore. Again, asking the question, what does the board need more of or less of, is key. Sharing succinct, well-organized guidance on a topic with the board and relating it specifically to the company helps to get everyone up to speed. Sherbin routinely provides his board with a summary of key public company governance developments pertaining to risk, drawing a reference to the company’s status on each topic and any potential board action concerning that matter.

The Ideal Risk Management and Governance Model

According to Sherbin, each of the major risk models provides structure to risk and governance management. Absent that structure, setting priorities and aligning resources can be chaotic and lead to ineffective outcomes. With its cross-functional approach, Enterprise Risk Management (ERM) provides a clear and holistic view across the group of risks that can impact goal achievement and allows the company to improve its process each year for the Shyft board.

In his or her role, the CLO can assist in shaping risk oversight mechanisms and be on point for board input regarding changes to the risk oversight structure or strategy. A collaborative relationship between the board and CLO also supports the board’s role in establishing a risk management system appropriately tailored to the company’s material risks and overseeing whether the systems are working and understood across the organization.

To ensure the ERM framework is effective in the identification and mitigation of risks, the CLO and board should routinely conduct a periodic qualitative assessment, considering relationships and the dynamics of the program.

Mascarenas suggests that a best practice would be to hold a private session with the CLO at the end of each committee meeting (or full board review) to provide an opportunity for candid discussion and questions that might be sensitive in front of a larger group. A good indicator of the effectiveness of the program is how much time is needed for these sessions. As Mascarenas explains, “a well-managed, fully integrated ERM program typically does not need much time in a private session because ownership is shared, and the value of the program is well understood throughout the organization.”

Optimizing Board Composition for Effective Risk Oversight

It goes without saying that the board must have relevant expertise and experience in order to provide effective oversight of risk. As risks evolve, the board’s needs will likely also evolve. Succession planning must be strategic and aligned to the company’s goals, both short-term and long-term. Because certain committees are key to providing the appropriate framework and ensuring the company has a thoughtful approach to ERM, the board must also ensure that committee members have expertise that is aligned with the committees’ risk oversight remit.

In his role as CLO, Sherbin has supported the board’s ongoing board refreshment initiatives and participates in discussions regarding skills and experience profiles the board might consider to build or maintain its collective strength with regard to risk oversight.

Diversity of experience is a key strength of the Shyft board. According to Mascarenas, “diversity of background and experience is a great asset to have. Being able to look at things through a different lens, bring examples and best practices from other companies to the table and help to constructively challenge management are all ways a diverse board can help strengthen ERM.”

Sherbin agrees. “Our board members bring experience from a wide range of industries and areas of expertise […] The breadth of these professional and personal experiences brings a rich and layered lens to the board’s risk management mindset and actions.”

Sherbin advises assessing the current composition of the board to identify additional and complementary professional experiences and skills that if added would position the board to effectively carry out its risk oversight responsibilities. Depending on the company, its critical risks and the existing board mix, the best new board member could be a subject matter expert, a seasoned executive with broad-based experience, a community leader, or someone “who doesn’t neatly fit into [any] one of these buckets.”

Biggest Risk Management Challenges

The biggest risks the company is currently facing include cyber security threats, supply chain risks – particularly for the EV business – and macro risks, such as the likelihood of another pandemic, economic recession or another disruptive event. Additionally, the impact of technology on changing customer needs and expectations or sustainability programs, for example, is driving decisions about resource allocation, hiring and employee training/development and capital spending. As Mascarenas explains, “when properly managed, each of these can be tied back to the ERM framework, in the context of not only risk mitigation, but realization of future opportunities.”

For many manufacturers, supply chain and end-market considerations have presented significant challenges over the past couple of years. According to Sherbin, successfully working through these issues has been at the core of the company’s risk management focus. Across the transportation segment, driving the integration of clean technologies, particularly electrification, has been and remains an important component of business strategy. As with the development and adoption of many transformative technologies, there are uncertainties to manage along the way. “With the collaboration of talent across the Shyft team and oversight from our Board, we are focused on proactively managing this risk to a successful business outcome.”

The Wrap-Up

The CLO and the board working in partnership help to ensure that the board can provide effective risk oversight. Paul Mascarenas provides an apt summary of the key takeaways from the discussion. “The most effective way to encourage collaboration between the board and the CLO is to communicate regularly, including between meetings, if necessary, to work proactively with business unit leaders to integrate the ERM process into their day-to-day management reviews, and to always be nimble and flexible to the needs of the business. ERM is not a means to an end. It is a key part of running the business.”

Sherbin and Mascarenas agree on the core elements of effective risk oversight: establishing a robust framework for risk identification, mitigation and monitoring; staying current through regular reviews and evaluation of internal and external risks; leveraging the expertise of external counsel, financial advisors and investor representatives and inviting them to meet with the board; and having and providing the board with a full 360 view of the business.

“The most important thing for me is that the board has trust and confidence in the CLO and that we work together as partners in both governance and risk management matters,” said Mascarenas.