It’s way too early for nostalgia about the financial crisis. But one of the most telling anecdotes coming out of this period was from John Thain, remarking to the Wall Street Journal on his time as CEO of Merrill Lynch. “Merrill had a risk committee,” he asserted. “It just didn’t function.”

Since then, legions of experts have devised sage guidance on what boards should do to supervise a company’s risk management—in effect, to make those risk committees function. But there’s one safeguard most such advice has neglected, and it is among the most important, at least for public companies. Directors must ask themselves whether their firm’s investors have the capacity to tell if the board is effectively overseeing risk. Because if shareowners can’t find comfort that the board is doing its job, it won’t matter how much skillful oversight the directors exercise. The company may discover its cost of capital too high and its relationship with shareowners too fraught with mistrust.

The key word, and we’ve used it deliberately, is investors’ capacity to judge board effectiveness. Address that and you get to the heart of the issue.

Smart risk oversight is, of course, partly about what boards do. It should also be about what they communicate to the market about their work. But a truly functional system of accountability hinges on whether institutional investors have sufficient resources and skill to absorb information on risk oversight, so that they become informed analysts and constructive interlocutors. Getting all this right is complex. One group—the investor-oriented International Corporate Governance Network (ICGN)—is trying to tackle the issue. Allied with the Millstein Center at Yale School of Management, the organization just issued the draft “Corporate Risk Oversight Principles” for comment. (Full disclosure: Co-author Stephen Davis co-chairs the Taskforce on Corporate Risk Oversight; co-author Jon Lukomnik is a member of the Taskforce.)

The principles are pitched to world markets, not just the United States. In fact, they’ve drawn on contributions from market experts from Abu Dhabi to North Carolina, and most recently at a lively roundtable at the Association of British Insurers in London. Now the guidance is ready for its close-up before U.S. compliance pros. So let’s unpack the guidance and see what it says.

First the familiar part. Boards, the principles assert, should see risk as “an inseparable element of strategy and a crucial driver in achieving the company’s objectives.” In other words, directors oversee risk, but don’t get into the weeds on it. That’s management’s job. And even if they do choose to delegate risk to a committee, directors as a whole—particularly outsiders exercising independent judgment—remain responsible for big decisions such as setting risk parameters and tolerances. That’s an ongoing task, the principles contend, since risks can evolve rapidly, and because a corporate culture can turn stale, rigid, and compartmentalized without constant reminders from the board. It’s also a duty directors should meet with rights to hire outside advisers or to gather “additional information from any member of executive management,” not just the CEO.

Finally, the chief risk officer (or his equivalent, regardless of exact title) should “be able to report directly and independently of management to the non-executive members of the board.” In other words, the company, from top to bottom, must know that directors are minding the store.

Maybe the language should be tweaked here and there, but overall this is pretty close to other guidance, such as the National Association of Corporate Directors’ Blue Ribbon Commission on Risk. From there, however, the ICGN-Millstein principles jump off to new ground. The second of four sections focuses on what boards should disclose to investors about what they’re doing.

For one, the principles call for an annual directors’ statement, distinct from management’s analysis of the company, explaining the board’s “risk oversight procedures and the board’s perspectives on risk strategy.” In it, directors should outline just how and how often risk reviews are undertaken, and “how they monitor robustness of contingency and resilience planning for risk threats and opportunities.”

The guidance goes on to recommend that boards disclose both “risk oversight challenges that may have emerged over the reporting period, including action taken to address them” and how the board “dealt in respect of procedure with any failures of risk oversight.” Notice that the focus is on procedure rather than a description of a specific risk failure—which few companies would be inclined to discuss publicly. Finally, the board’s risk oversight statement should explain director competency in risk oversight, along with how risk oversight figures in its annual self-evaluation process.

All this is meant to nudge board behavior and give investors the insights and information they need to satisfy themselves that boards are on top of risk. But in fact, too many institutions harbor practices that short-circuit their ability or willingness to make such judgments. Funds may outsource governance screening to proxy advisory services. Or they may lack the right in-house expertise to assess the quality of risk oversight or engage in talks with directors. Or their governance staff may not talk to the portfolio managers responsible for selecting stocks. Or they simply don’t know what to ask a company board to judge risk oversight.

TO COMMENT ON RISK PRINCIPLES

The International Corporate Governance Network (ICGN) and the Millstein Center at Yale School of Management recently drafted their “Corporate Risk Oversight Principles.”

Both organizations want to hear your thoughts and suggestions. To comment on the draft, e-mail consultations@icgn.org.

For these reasons, the ICGN-Millstein principles offer a section on investor responsibilities. They include some sample questions to ask boards, but the core call is for investors to look in the mirror with a periodic self-assessment “of their own resources, skill base, and outsource options to ensure that they meet needs necessary to monitor boards on risk oversight.” (The principles acknowledge that some investment styles may not require such skills, but note that fundamental stock-picking managers should perform the self-assessment.)

Getting more specific, the guidance asks that such a review include “whether and how internal remuneration, job descriptions, and staff performance reviews may be tied in part to such analyses.” And the principles want accountability for institutional investors as much as they do for public companies. “Where relevant, investors should disclose to beneficiaries a statement summarising the results of such reviews and explaining strategy and capacity for monitoring portfolio companies for their risk oversight and management.” Virtually no fund does this now.

The principles contend that two-way dialogue between directors and investors can help inform all sides on risk. So there is a simple but powerful recommendation: “Boards should make available to shareholders one or more communication channel(s) for periodic dialogue on governance matters, including the board’s role in risk oversight. Boards should clearly explain such procedures to investors, including guidance related to compliance with fair disclosure and other relevant market rules. Boards should regularly invite shareholders to express views and concerns regarding strategy and risk oversight.”

All this strikes us as a sensible way of nudging corporate culture and behaviour in the right direction, even if the recommended practices range today from uncommon to unheard-of. But what do you think? The ICGN welcomes comments at consultations@icgn.org.