Recent developments have given corporate directors plenty of reasons to pay attention to enterprise risk management, and many are doing so—but they might not be doing as well as they think, according to new research from the Conference Board.


While many directors believe they have a strong understanding of the risks their companies face, a recent survey of board members revealed that most tend to approach risk on a case-by-case basis, and that their companies lack strong enterprise risk management processes to satisfy the directors’ fiduciary responsibilities. Speaking earlier this month, Carolyn Kay Brancato, director of the Conference Board’s Governance Center and Directors’ Institute, said, “When we drilled down into what they meant by ERM, we found that fewer [directors] had the robust processes to support the knowledge they say they have.”

The study, titled “The Role of the U.S. Corporate Board of Directors in Enterprise Risk Management,” is based on a survey of 127 board members, interviews with 30 board members, and an analysis of Fortune 100 board committee charters. Among its findings: While 90 percent of directors say they fully understand the risk implications of a current strategy, only 59 percent say they understand how business segments interact in the company’s overall risk portfolio, and only 47 percent rank key risks.

The report also cites several developments as redefining director duties and strengthening executive accountability for risk management. Those factors range from recent Delaware case law to new stock exchange listing standards, not to mention the revised federal sentencing guidelines. Also cited was a new requirement to disclose risks in annual and quarterly reports, and the fact that liability insurance policies are increasingly focusing on whether companies have ERM processes in place.

And while the Sarbanes-Oxley Act doesn’t specifically mandate ERM, the report notes that the SEC “clearly encourages management to pay attention to a broader spectrum of risks, and to manage them in an enterprise-wide context.”

Gunnar Pritsch, a partner at McKinsey & Co. who helped conduct the study, stresses that ERM has improved in recent years. In a 2002 McKinsey survey, for example, 36 percent of directors didn’t believe they fully understood the major risks facing their companies. Today that figure is 10.5 percent—but, Pritsch adds, boards still have work to do. Directors on multiple boards reported wide variations in the quality of risk dialogue, he said, and not enough boards seem to have well-established risk processes.


“[A] board has to have a good understanding of the business and how the different material risks interact with the company’s financial statements,” says Cindy Ma, a vice president at NERA Economic Consulting and head of its financial risk management practice. “They can’t do it all themselves, but they need to have the proper protocol in place and they have to select the right people to make sure it gets done.”

“I think companies are moving in the right direction” such as by hiring a chief risk officer or creating a risk management committee, Ma says. Even if companies do not have “the luxury or the budget to have a separate CRO with an army of people, the board’s number one responsibility is to make sure they have the right expertise and skill sets, whether they’re internal or external.”

Other trends the Conference Board study noted were:

Chief risk officers gaining clout. Besides the CEO, the corporate executive most often cited by directors as responsible for informing the board on risk issues is the CFO (71 percent of companies). But a growing number cite a chief risk officer as the person informing the board, up from virtually none a few years ago. Sixteen percent of financial companies cited a CRO, compared to 7 percent at nonfinancial companies.

CHEAT SHEET

Directors pondering whether to recommend that their companies upgrade their ERM processes may wish to consider the following:

Review committee structure and charters. To ensure effective risk management oversight, it must be clear where responsibility for risk management resides at the board level. Most place it with the audit committee, but that committee can be overburdened or lack the skills to manage nonfinancial risks.

Review the board’s competencies in fulfilling its risk oversight duties. Strengthen the board, if needed, by ensuring it has the right people, a variety of expertise, and proper training.

Develop a risk management process to ensure directors fulfill their fiduciary responsibilities. By doing so, directors can then be afforded the protections of the business-judgment rule established under Delaware law. Such a process should begin with a review of the company’s drivers of performance, and continue with an inventory of risks and an analysis of how those risks will affect shareholder value.

Consider a board-level ERM reporting system. The design of board reports on risk begins with a clear understanding of what information the board and its committees need to understand, and what they are expected to do with this information. Reports should focus on providing real information, such as prioritizing key risk issues and including management’s assessment of those risks.

Develop a process to assess and monitor performance of the risk management process. Boards should periodically (at least annually) review the effectiveness of the risk management processes at the board level.

Spend time with management to get to the core of risk issues. Directors should identify the handful of executives who have the best perspective on the company’s key risks and interact with them directly.

Source: Corporate Directors May Not Be Providing Sufficiently Robust Enterprise Risk Oversight (The Conference Board)

Banks and insurers lead the way on ERM. Experts note that banking and financial services, which tend to have more developed and mature ERM processes, may set the standard against which other industries will be measured. This could become increasingly important as directors assess their liability exposure for failing to meet fiduciary duties, since courts may increasingly look to “best practice” standards when measuring the fiduciary duties of care, loyalty and good faith.

Directors in financial companies tend to report more robust ERM practices. For example, 64 percent of financial company directors say their companies have clearly defined risk-tolerance levels, versus 47 percent of nonfinancial directors. Financial service company directors also report a higher level of routine consideration of all major risks, compared to considering risks only when management brings them to the board.

Audit committees: Where it’s at. About two-thirds of Fortune 100 corporate boards place responsibility for risk management with the audit committee. The report notes, however, that boards might want to consider assigning responsibility for risks other than financial reporting to another committee in coordination with the audit committee, since audit committees are already heavily involved with financial reporting risk.

Risk Committees. A few companies—mostly financial institutions—have established separate risk committees with an integrated view on all risks the company faces. Of the companies surveyed, 16 percent in the financial services sector report having a risk committee for more than two years, versus less than 4 percent for companies in nonfinancial sectors.

One such company is banking giant Wachovia Corp., based in Charlotte, N.C. Wachovia established its risk committee two years ago. Its predecessor, the credit and finance committee, had been evolving for several years from a primary focus on oversight of the bank’s loan portfolio and balance sheet to a broader focus including market risk reports and regular updates on Wachovia’s implementation of a framework for managing operational risk.

According to Suzanne Storm, Wachovia’s director of risk policy, in mid-2004 the bank formally combined oversight of credit, market, operational, liquidity and interest rate sensitivity risk in a single risk committee. Oversight of technology and merger implementation risks was also incorporated into the committee’s charter, and compliance oversight was moved from the audit committee to the risk committee.

“Board oversight of the entire risk management function was delegated to a single committee. Therefore that committee gets a good view of how various risks intertwine,” Storm says. The internal audit department’s assessment of how well management actually addresses those risks is presented separately to the audit committee, so there is “good separation of the audit function,” she says. The company holds regular joint meetings of the audit and risk committees to address common concerns, such as those where a compliance issue could affect the financial statements.
