Director Notes

Risk Oversight Practices: Two Success Stories

by Ellen S. Hexter and Gregory Vainberg

In a series of recent interviews with directors of publicly held U.S. companies, The Conference Board gained important insights on how boards can be instrumental in adding value to risk management oversight. The case studies discussed in this report illustrate the value and rigor that boards can infuse into the companys enterprise risk management (ERM) program.
Having the curiosity to understand ERM, its link to strategy, and the importance of a vigorous risk conversation has helped the two companies noted in this report to create and sustain leading risk management practices. At Papa Johns International Inc., ERM took root and began to flourish at the insistence of a board member. The audit committee chair was not satisfied with the risk information the committee had been receiving, and she asked the CEO to allocate resources to develop ERM. With some help from an outside consultant and after eventually finding the right person internally to lead the efforts, Papa Johns built an enviable ERM program. The second case study demonstrates the value of the deep understanding of the business, its success drivers and risks, within both senior management and the board. NewStar Financial was created in 2004 with a risk-savvy board. The management team understood that the board could only bring true value to the company if the members were fully knowledgeable of the complexities of its financing business. That strong alignment of risk understanding and support from the boardalong with meaningful ongoing communications, particularly during the financial crisishas been crucial to the companys performance and survival through challenging times.

JANUARY 2011 Volume 3, Number 2

Papa Johns International Inc.

Papa Johns International Inc. demonstrates the crucial role that a board can play in developing excellence in risk management practices. The development of its risk management program started with a request from the boards audit committee, which urged senior management to adopt a more robust ERM program. The companys effort has spanned the last three years, during which Papa Johns has developed a framework to cover risks on the continuum it describes as from farm to fork. Papa Johns is widely recognized as one of the leading pizza restaurant chains. It currently owns or franchises more than 3,600 restaurants in all 50 states and 30 countries around the world. The philosophy at the core of Papa Johns program is that risk should be considered in all strategic decisionsfrom brand strategy to expansion in business segments and from marketing to distribution. This philosophy emerged from the audit committee, which insisted that risk should become a key part of decision making and urged senior management to invest accordingly. Given this board directive, the organization has implemented a number of very sophisticated tools that enable senior management and the board to make riskinformed decisions. As it has evolved, effective risk management fits well into Papa Johns decision-making process. To protect Papa Johns Better Ingredients, Better Pizza claim in its slogan, food safety is a significant focus. Food safety issues can arise at any point in the supply chain or at the point of end-product delivery. These risks are complicated further by Papa Johns global footprint. For example, the decisions made regarding food distribution quality controls in Beijing, Boston, or Birmingham, England, can reverberate through the entire company and must therefore be managed very carefully. Like many companies, when Papa Johns began its ERM program, the framework and processes were being developed by external consultants. As the program evolved, ERM has become more effective because the company was able to secure the right talent, both internally and externally. The audit committees focus was on having an ERM leader with the right capabilities: an expansive mind, key analytical skills, strong communications skills, and a deep understanding of the business. Getting the right person in charge internally was critical to embedding risk thinking throughout the organization.

Analytical tools
In particular, three tools provide strong risk management at Papa Johns: Risk pyramid Papa Johns likes to think of how risks fit into its decision making by aligning various risks within the context of a risk pyramid. At the base of the pyramid there are operational risks. At the top of the pyramid there are strategic risks. Business line managers and business unit leaders follow a rigorous process to identify the significant risks that could impact the company. The teams have developed a laundry list of risks that is categorized by risk type (e.g., strategic risks, business model risks, financial risks, operational risks, and regular decision making risks). The list is then reviewed and edited by the executive team. Owners are assigned to each risk and are responsible for tracking, addressing, and escalating the issues that arise. This model of tracking risks is in line with its decentralized business model but ensures that every risk is adequately monitored. Risk appetite survey During the risk assessment phase, management and board members complete a risk survey. The survey is designed to gauge the level of risk the organization is willing to accept for each of the identified risks from unwilling to accept any risk (e.g., food safety) to willing to take risk (e.g., the business case for international expansion). These risk levels can then be aggregated to level-set the risk appetite of the organization. Interestingly, when management and the board began to talk about risk appetite, the two groups did not appear to be aligned. It took further discussion to understand that the board and management understood the questions differently. Risk heat map This is the primary tool used by management and the board to holistically track risk. The identified risks are mapped according to three criteria: 1 potential impact on the business model; 2 probability of occurrence; and 3 velocity or the speed at which the risk can materialize
(within a month is fast, within a quarter is medium, and within a year is slow).

The CEO, CFO, general counsel, and business unit leaders helped develop and now update and discuss the heat map every quarter. The audit committee receives quarterly reports on corporate risks and spends time analyzing changes in the risk heat map. At each audit committee meeting,

Director Notes Risk oversight practices: two success stories

www.conferenceboard.org

a business or process owner will speak about selected risks in depth. Some topics are deemed important enough to be discussed with the full board. Perhaps the most important risk management oversight task that the audit committee employs is to challenge the business model and assumptions about the operating environment. These discussions lead to a better understanding of both key business drivers and risks that could impact those drivers. Much of the value of the heat map for board members comes from the discussions that are generated. The board doesnt just see a snapshot of the risk profile, but engages in a discussion on risk mitigation and accountability.

The keys to Papa Johns success are:

Ensuring the board and senior management are convinced of the importance of risk management and role model the appropriate behaviors. Creating a risk-management process that is not overly formal or quantitative, and understanding that ERM is about substance, not form, and that process cannot replace judgment. Where possible, using leading indicators to prevent, anticipate, and monitor risks, which is the best way to deter a risk event. Avoiding analysis paralysis. It is very easy to fall into the trap of trying to boil the ocean in an effort to very accurately quantify the impact of potential risks for aspects of the business case that are generally well understood, which may result in missing other risk elements that could also have a large impact but are not initially identified. Accepting that not all risks can be mitigated. Sometimes, the most an organization can do is to have well-defined contingency/crisis plans and a well-executed communication strategy and spokesperson. Ensuring a wide scope to focus on all of the key risks, rather than selected ones. These broader risk discussions have allowed senior managers and board members to better understand the true value at stake from each of Papa Johns key success drivers. Making sure the board and management have a better understanding of the companys risk culture.

Risk map changes need to drive behavior changes.

Keeta Fox Vice President, Finance, Papa Johns International Inc.

Response to risk Both the board and management agree that a heightened focus on risk has increased the focus on risk agility (i.e., how quickly the company can respond to a risk event). Papa Johns understands that risk management tools and processes are ineffectual if they become a check the box exercise or stand-alone analysis that is not embedded in strategic decision making. The organization has avoided this pitfall by fostering rich, risk-informed dialogue between the board and senior management and including risk analysis in strategic decisions. Although this case study highlights three tools, Papa Johns incorporates risk throughout the decision-making process, using a variety of methodologies and processes (including shock-loss calculations using a Monte Carlo analysis simulation model1) and has developed leading indicators and mitigation strategies to help stay ahead of the risks the organization is taking. The Papa Johns story illustrates the value that risk integration can bring to better decision making and the critical role that board members can and should play in demanding strong risk practices.

Papa Johns International Inc. is an example of how a proactive and engaged audit committee can make a difference in developing valuable risk management practices.

NewStar Financial
Boards and executives rarely have the luxury of designing the culture of an organization from its beginning. NewStar Financial, founded with a laser-sharp focus on the importance of strong risk management, is one of those rarities. The company is in the business of buying and distributing risk. Its risk philosophy permeates its people and processes. NewStar Financial is a nationally recognized commercial finance company. It was established in 2004 to capitalize on opportunities in middle-market lending, including direct origination of proprietary deal flow in corporate middle-market leveraged loans and commercial real estate.

A risk analysis tool used for managing uncertainty, Using Monte Carlo Simulation Analysis for Finance, Financial Modeling Guide, available at www.financialmodelingguide.com/analytical-tools/ monte-carlo-simulation.

www.conferenceboard.org

Director Notes risk oversight practices: two success stories

Default rates in the industry usually can rise to as high as 10 percent but reached the low teens near the end of 2009 in the wake of the credit and liquidity crisis. With assets well over $2 billion on its balance sheet, NewStar was able to outperform its peers in 2009 with a default rate in its portfolio that was approximately half of industry benchmarks. The organization attributes a large portion of its success in the past couple of years to its focus from inception on robust risk management practices. It is no surprise that a company whose business is buying risk would focus on risk management; what is surprising is how, from the beginning, NewStar has taken a very deliberate approach to risk management, including a number of crucial elements: 1 Appropriate staffing Staffing is the area where the
organization has been the most focused, ensuring that its senior management team is staffed with individuals who have multiple years of experience in every aspect of credit. In particular, members of the portfolio management team have, on average, more than 20 years of experience (some have more than 30). NewStar has focused on its bench strength, both in management and within the board: individual directors who have a deep understanding of financial companies were also carefully selected to provide the right level of oversight.

3 Constant portfolio monitoring NewStar is regularly

monitoring the portfolio so it can take action early when market conditions change. This process begins with the monthly internal publication of a set of leading indicators, followed by a quarterly review of each credit position, and a monthly or more frequent review of those on the watch list, as required. If necessary, senior management will meet daily to monitor indicators and liquidity levels and adjust their level of risk appetite (e.g., curtailing new investments in certain sectors if deemed too risky). From the boards perspective, there was a great deal of discussion on what was important for the risk committee to understand. The risk committee members wanted to delve into what was reported to the board, to management, and what processes generated the numbers they were seeing. Beyond the reports, the board wanted to know the people responsible for the processes.

4 Regular communication NewStar believes that the

more transparent it is with its stakeholders, the more confident stakeholders will feel that NewStar has a handle on its risk issues. The benefit of over communicating was evident during the difficult times in the recent financial crisis, when NewStar held bi-weekly board conference calls. Board members could call in to get an update on the current state of the portfolio and any actions being taken. NewStar could only implement this process effectively because the organization invested in reporting infrastructure to support information sharing and spent time educating and informing the board on risk metrics, management capabilities, portfolio composition, and the like, before the crisis occurred. Transparency is a fundamental value for NewStar and has enabled it to operate in challenging environments.

2 Individual credit selection NewStar has a clearly

defined approach to capital allocation, with a target position in the capital structure, a series of exposure limits on industry concentrations, and individual exposure limits. The investment committee, which includes the CEO and chief investment officer, reviews and approves each loan; furthermore, each of those loan approvals must be unanimously ratified by the underwriting committee prior to reaching the investment committee. The investment committee is not presented with a new loan unless NewStars thorough approach to credit selection is carefully followed. NewStar operates primarily as a direct origination shop, conducts its own due diligence including meeting management, visiting the sites, developing financial models, talking directly to clients, and calculating relevant risk metrics (e.g., capitalization, quality of management, and downside scenarios). Each deal includes appropriate covenants to ensure each party has a seat at the decision-making table so that if or when things go wrong, NewStar management can get involved early to mitigate and control risk.

5 Holistic risk discussion

The company recognizes that it doesnt quantify its softer risks in the same way that it does financial, credit, liquidity and other key risks. However, NewStar has taken steps to actively manage many of those softer risks, including retention of key personnel. NewStar has a clearly defined risk appetite that it uses for framing its internal controls and reporting. In some markets at different times in the credit cycle, the management team may decide to set the risk lower than its risk appetite would suggest. The companys dynamic use of the risk appetite framework considers how the company will manage risk and the context of the current operating environment.

6 Use of risk appetite

Director Notes Risk oversight practices: two success stories

www.conferenceboard.org

From its start, NewStar hired a cadre of risk management professionals who were world-class risk management and senior credit people. They [understood] risk quantication, capital allocation, risk reporting and applied these techniques to this very small company.
Charles Bravler Director, NewStar Financial

Conclusion
Papa Johns International Inc. and NewStar Financial share active, engaged boards whose focus on risk management has helped them create and reinforce strong risk management. In the most challenging of operating environments, NewStars effective risk management program and governance structure has enabled it to continue to focus on its mission and respond quickly to protect the organization. Similarly, the courage of one of Papa Johns board members to stimulate senior executives to identify and evaluate the weaknesses of their existing risk management practices to move toward an integrated ERM-type program has benefited the organization in countless ways. Its important to recognize that neither company would say that their risk management journeys are complete; effective enterprise risk management demands continuous improvement. It is not possible to avoid all risks, but strong ERM can help companies avoid some risks and frame risk as part of strategy to encompass opportunity as well as negative events. Both case studies show that risk oversight is not a passive job. It is the responsibility of each director to remain engaged in the process to ensure the board is adequately informed and aligned with the organizations risk philosophy and policy.

NewStars story reinforces the value (and luxury) of a company built on a strong understanding of and commitment to risk management. The keys to NewStars success are:

Forming a team of experienced professionals, all of whom have a credit background. Establishing a board that has credit and risk expertise to be able to understand and challenge strategy in a productive manner. Applying a disciplined approach to new exposures, ignoring market herd mentality, using a consistent process for every transaction, and clearly defining limits. Developing a tested approach to problem loans with a team of experienced workout professionals. Allowing for a margin of error in funding and proactively managing liquidity entering a downturn. Providing honest and regular communication to instill confidence in key stakeholders. Actively engaging the board and the risk committee in its oversight processes. Ensuring bench strength in its operations. Developing processes with enough flexibility to respond quickly to market changes.

www.conferenceboard.org

Director Notes risk oversight practices: two success stories

About the Author

Ellen S. Hexter is a senior advisor at The Conference Board, where she develops research on enterprise risk management and manages seven councils, including the European and U.S. Strategic Risk Councils, the Council of Financial Executives, and the South Asia Council on Corporate Governance and Risk Management. Hexter is the author of numerous reports on enterprise risk management and frequently speaks on risk and governance issues. She also serves as a faculty member of The Conference Board Directors Institute. Hexter received an A.B. from the University of Michigan and an M.B.A. from Cleveland State University. She is a Chartered Financial Analyst and serves as an arbitrator for the National Association of Securities Dealers (NASD). Gregory Vainberg is an associate principal in the Montreal office of McKinsey & Co. Since joining the firm in 2006, he has worked in the electric power, basic materials, and institutional investing sectors. He has helped organizations on a variety of risk-related topics, including the design of their risk function, creating risk and return dashboards, reviewing their project valuation approaches, and formulating hedging policy. Prior to joining the firm, he completed a Ph.D. in finance and a Bachelors degree in computer engineering from McGill University. He is the author of Option Pricing Models and Volatility Using Excel-VBA.

About Director Notes

Director Notes is a series of online publications in which The Conference Board engages experts from several disciplines of business leadership, including corporate governance, risk oversight, and sustainability, in an open dialogue about topical issues of concern to member companies. The opinions expressed in this report are those of the author(s) only and do not necessarily reflect the views of The Conference Board. The Conference Board makes no representation as to the accuracy and completeness of the content. This report is not intended to provide legal advice with respect to any particular situation, and no legal or business decision should be based solely on its content.

About the Series Director

Matteo Tonello is director, corporate governance research, at The Conference Board in New York. For The Conference Board, Tonello has conducted governance and risk management analyses and research in collaboration with leading corporations, institutional investors, and professional firms. Also, he has participated as a speaker and moderator in educational programs on governance best practices. Recently, Tonello served as the co-chair of The Conference Boards Expert Committee on Shareholder Activism and as a member of the Technical Advisory Group to The Conference Board Task Force on Executive Compensation. Before joining The Conference Board, he practiced corporate law at Davis Polk & Wardwell. Tonello is a graduate of Harvard Law School and the University of Bologna.

Acknowledgments
The authors would like to acknowledge Andr Brodeur, Christopher Donohue, Claude Fontaine, William May, Martin Pergler, Tony Santomero, for their contributions to this research project and Gary Larkin for his editorial finesse. The authors would also like to thank Charles Bravler, Olivia Kirtley, Keeta Fox, and Peter Schmidt-Fellner for their sharing insights into their companies practices.

About The Conference Board

The Conference Board is the worlds preeminent business membership and research organization. Best known for the Consumer Confidence Index and the Leading Economic Indicators, The Conference Board has, for over 90 years, equipped the worlds leading corporations with practical knowledge through issuesoriented research and senior executive peer-to-peer meetings.

For more information on this report, please contact: Matteo Tonello, LL.M., S.J.D., director, corporate governance, at 212 339 0335 or matteo.tonello@conferenceboard.org. The Conference Board www.conferenceboard.org The Americas 845 Third Avenue, New York, NY 10022-6600, United States / Tel +1 212 759 0900 / Fax +1 212 980 7014 Asia china Beijing Representative Office, 7-2-72 Qijiayuan, 9 Jianwai Street, Beijing 100600 P.R. China / Tel +86 10 8532 4688 / Fax +86 10 8532 5332 / www.conferenceboard.cn hong kong Suite No. 2-3, 18/F, Queens Place, 74 Queens Road Central, Hong Kong SAR / Tel +852 2804 1000 / Fax +852 2869 1403 india A-701 Mahalaxmi Heights, Keshavrao Khadye Marg, Mahalaxmi (East), Mumbai 400 011 India / Tel +91 22 23051402 singapore 8 Eu Tong Sen Street #22-81, The Central, Singapore 059818 / Tel +65 6325 3121 / Fax +65 6222 4637 Europe Chausse de La Hulpe 130, box 11, B-1000 Brussels, Belgium / Tel +32 2 675 54 05 / Fax +32 2 675 03 95 The Conference Board of Canada 255 Smyth Road, Ottawa ON K1H 8M7, Canada / Tel +1 613 526 3280 / Fax +1 613 526 4857 www.conferenceboard.ca
2011 by The Conference Board, Inc. All rights reserved. Printed in the U.S.A. The Conference Board and the torch logo are registered trademarks of The Conference Board, Inc.