Think the financial crisis forced boards to perfect their risk-oversight processes? Think again.

Two new studies published by the Committee of Sponsoring Organizations indicate that many directors are still falling down on their risk oversight responsibilities. According to the reports, directors are overly confident in management's ability to manage risk, use risk oversight processes that are too informal, and don't communicate well with management on risk.

According to one survey, more than two-thirds of the directors polled admitted that their risk-oversight processes were still insufficient. The result is surprising, given the attention paid to risk management after the failures that contributed to the financial crisis on Wall Street. That first survey, conducted by COSO along with consulting and internal audit firm Protiviti, found that more than 70 percent of the over 200 corporate directors questioned thought that their boards were “not formally executing mature and robust risk oversight processes.”

The second COSO survey, administered jointly with North Carolina State University, finds that the problem begins further down in the organization. Almost 60 percent of the 460 managers and senior officers polled said their risk-management processes were “ad hoc” and “informal.” Further, 35 percent said they are “not at all” or only “minimally” satisfied with how key risk indicators are reported to senior executives.

“The surveys demonstrate that in a lot of cases, the communication between management and the board, as it relates to risk-management issues, is uneven and needs to be improved,” says COSO Chairman Dave Landsittel.

Part of the problem, says Frank Martens, a director in PwC's advisory practice, is that the board is potentially over-confident in the risk-management processes. This can largely be explained by the fact that management's reporting to the board is still very episodic, he says. “The challenge is that risk doesn't just occur annually; it occurs much more frequently,” Martens adds. “What happens in some organizations is the board gets comfortable with the information they get annually and they develop a higher level of confidence, not realizing that the risk profile of the organization is changing.”

In addition to reporting more continuously to the board on risk, management should also be diligent in documenting and discussing with the board the process of how the report was generated, Martens says.

“The board gets these nice reports, but if they don't understand what management has done to generate them from a process level, they may, at times, take a higher level of confidence, not realizing that the process wasn't as diligent or as robust as they might want to see,” says Martens. He points out that in some situations board members might not have a full understanding of the assumptions that management is using in its reporting.

Good communication between the board and management includes agreement on the company's risk appetite. More companies are addressing the topic formally now that the financial crisis has put more emphasis on it.

“That's a critical discussion,” says Martens. “It's equally as important as reporting your top ten risks in the organization. ‘Now that we know what the risks are, are we actually comfortable taking these risks?'”


The reports find that companies diverge widely in their approaches to risk. At one end of the scale, companies, especially those without enterprise risk management (ERM) systems, may not hold formal board-level discussions about risk management or emerging risk at all. For some of these companies, the only time risk gets on the board's agenda is after something goes wrong. At the other end, companies that highly value the ERM approach spend a lot of time and money on training and communication, says Ed Easop, vice president of rating criteria at A.M. Best. These companies give their directors specific training on risk-management tools and technologies (such as new software platforms), and communicate emerging risks in the industry at quarterly board meetings. “The board has got to know what's being talked about and they need to understand the technical information in the risk report at a deep enough level,” says Easop.

Selecting directors with a background in risk may be one way to ensure that boards will be more proactive in overseeing risk. “You need to have a diverse board, but to have that risk expertise represented on your board would definitely be beneficial, particularly if the company is struggling with [risk oversight],” says Bonnie Hancock, the executive director of the Enterprise Risk Management Initiative at N.C. State University, and an author of the second COSO survey.

Cautious Optimism

While the reports suggest that boards still have to get better at risk oversight, there has been some improvement in the area. Almost two years ago the Securities and Exchange Commission adopted new disclosure rules that require companies to provide more information about how their board oversees risk in the proxy statement. These requirements have already had a positive effect on communication between boards and management on risk, says Amy Goodman, a partner at Gibson, Dunn & Crutcher and former associate director with the SEC's Division of Corporation Finance. “The requirements have focused attention on board oversight of risk management, which has made for greater communication between boards and management about risk,” she says.

COSO SURVEY FINDINGS

Below are some key findings from the COSO surveys, “Where Boards of Directors Currently Stand in Executing Their Risk Oversight Responsibilities” and “Current State of Enterprise Risk Oversight and Market Perceptions of COSO's ERM Framework.”

Select Suggested Areas of Improvement for Board Risk Oversight:

There is an Opportunity to Improve the Robustness of the Risk Oversight Process

There is an Opportunity to Enhance Risk Reporting to the Board

These findings reveal an opportunity for organizations to improve the risk reporting process and increase the regularity of reporting according to the nature of the organization's operations and risk profile as well as the board's specific needs.

There is an Opportunity to Improve the Risk Appetite Dialogue

There Are Opportunities to Improve Monitoring of the Risk-Management Process

While the survey focused exclusively on the perspective of board members regarding risk oversight, the link between risk oversight and the effectiveness of the risk-management process is inextricable. According to the results of the study, nearly two-thirds of the respondents noted that board monitoring of the organization's risk-management process is not done at all or is carried out in an ad hoc manner.

Many Organizations Can Do More to Apprise the Board of Significant Risk Matters

The results suggest that while many companies have a process to inform the board about the most significant risks and how those risks are being managed, in relatively few organizations is this process sufficiently defined and rigorous. As with other findings, the results for public companies show a higher percentage of organizations with functioning processes addressing these matters.

Boards Can Self-Evaluate the Risk Oversight Process Better and More Frequently

COSO Survey: Current State of Enterprise Risk Oversight and Market Perceptions of COSO's ERM Framework.

Select Key Findings:

Almost 60 percent of respondents say their risk tracking is mostly informal and ad hoc, or is tracked only within individual silos or categories as opposed to enterprise-wide.

Almost half (42.4 percent) described their organization's level of functioning ERM processes as “very immature” or “somewhat mature.”

About a third (35 percent) admit that they are “Not at All Satisfied” or are “Minimally” satisfied with the nature and extent of reporting of key risk indicators to senior executives.

… in over half of the organizations, the board of directors has not formally assigned risk oversight responsibilities to one of its sub-committees.

Boards of directors, especially those on the audit committee, are placing greater expectations on management to strengthen risk oversight in the majority of organizations. That in turn is perhaps encouraging CEOs to assign more responsibility within management to strengthen risk oversight.

About a quarter (26.5 percent) agreed “significantly” or “a great deal” with the perception that the COSO ERM Framework contains overly vague guidance.

The majority of respondents do not appear to be familiar with Volume 2 of the COSO ERM Framework, which contains Application Techniques.

Source: Committee of Sponsoring Organizations.

Hancock, too, is cautiously optimistic about the effects of these regulations on risk oversight: “The SEC requirements about disclosing risk-taking and how compensation structures could affect risk-taking only took effect last year, so I would guess that if we were to survey again next year, we would see more progress in companies doing more to put structure around their risk-management process.” Still, Hancock is concerned that it could become a check-the-box compliance exercise, instead of a process connected to strategic planning and embedded in the core of the business.

The SEC disclosure requirements have also encouraged the board to ask more of management in terms of risk reporting, according to Jim DeLoach, a managing director with Protiviti. Though boards have always had an interest in risk, traditionally asking management what the risks are and how they are being managed, the added regulatory pressure is now prompting boards to ask an additional question: How do you know?

“That is a powerful question because it forces management to evaluate its processes for understanding what the critical risks are and how well those risks are being managed,” DeLoach says. “More and more boards are asking that question because they do not want management to wing it. They want management to have substantive processes underlying the discussion about what are our risks and how well are we managing them.”

A final key to improving dialogue on risk between board and management may be to prioritize risk more effectively. “There are very serious processes for assessing a company's risks and mitigating them, and as they rise in priority, they should at least be taken to the board for the board's consideration about whether they want to learn about them,” says GE's former senior vice president for law and public affairs, Ben Heineman, who is currently a senior fellow at Harvard Law School.

Still, corporate directors can only do so much. Their role is a limited one: to identify the top five or six risk issues and understand them substantively.

Boards should avoid the temptation to overstep their role and get into micromanaging, agrees Arthur Delibert, a partner specializing in investment management law and a former SEC adviser. “The board's job is to oversee risk management, not actually to do risk management,” he says.