A risk management concept that has migrated into the boardroom
The original use of the term “effective challenge” in the financial services regulatory community focused on risk management (versus board-level) matters. It still remains a concept deeply entwined with the three-lines-of-defense risk management model, especially as it relates to second-line effective challenge of the first line (e.g., the business lines and key support functions, such as technology and operations).
However, effective challenge has increasingly become synonymous with board effectiveness. A board oversees strategy, hires the CEO, oversees corporate performance and risk management, and so on. But above all, the board holds management to account for achieving the organization’s long-term strategy in line with its purpose, mission and values, and within the bounds set out in the board-approved risk appetite. It does so by credibly and effectively challenging management’s decision-making and performance.
Supervisory guidance has shifted in recent years to outline expectations more explicitly for effective challenge. For example, in its 2014 paper on risk culture, the Financial Stability Board (FSB) made their expectations explicit regarding board challenge of risk and strategy:
“The board and senior management have clear views on the business lines considered to pose the greatest challenges in the management of risk, such as business lines with unexpected or unexplained results or business lines with nonfinancial risks that may not necessarily lend themselves to immediate and easy quantification, and these are subject to constructive and credible challenge about the risk-return balance.”¹
More recently, in 2021, the U.S. Federal Reserve Board (FRB) issued guidance on attributes of board effectiveness that provided a window into the evolving regulatory expectations:
“To facilitate accountability, an effective board engages senior management in a variety of ways … Directors consider whether and how senior management's conclusions and recommendations align and support the firm's strategy and risk appetite. If weaknesses or gaps are identified, the information provided is incomplete, or as otherwise warranted, directors challenge senior management's assessments and recommendations.”²
There is no one-size-fits-all for board effective challenge
Board approval for material decisions that would significantly impact the organization’s risk profile is a key starting point for where challenge is most required. This can relate to acquisitions, aggregate credit exposures and limits, and new products and services, as well as major technology or risk management transformations.
However, boards provide effective challenge across a range of topics, not just those requiring formal approvals. Effective challenge often creates important, but imperceptible, change. For example, management may decide or shape its thinking, or choose an alternative sequence of decisions or discussions, simply on the basis of how they expect their board to react. The changes made by management as a result of board challenge or questioning may be subtle but material in the aggregate.
In practice, governance is complex. The board (and its committees) has to challenge management across a range of matters, from strategic to tactical, and business-as-usual matters and differing modes of governance are required, as shown in Table 1.