ERM and the role of the board
Boards of directors in the United States, having focused heavily on Sarbanes-Oxley requirements and more rigorous governance and compliance standards, are beginning to assess their evolving role in providing oversight in the area of enterprise risk management (ERM). In view of the rapidly developing state of ERM in US corporations, boards face a particularly challenging set of issues in responding to the need for improved oversight of risk management. For these reasons, it seems timely and useful to assess how corporate boards will be moving from their current focus on internal controls to a more comprehensive ERM framework and, importantly, toward integration of this framework with their historic strategic oversight responsibilities.
Key research findings
After conducting a combination of personal interviews, a written survey as well as an analysis of Fortune 100 board committee charters, The Conference Board documents the following key trends:
1. Evolving legal developments make it prudent for directors to ensure that they have a robust ERM oversight process in place.
2. An increasing number of directors acknowledge that they must oversee business risk as part of their strategy-setting role.
3. Directors should consider making improvements in their ERM oversight processes.
4. Sound ERM oversight and implementation practices are now recognizable in a number of leading companies.
5. Companies may be looking at best-in-class peers for emerging practices in ERM oversight.
1. Evolving legal developments make it prudent for directors to ensure that they have a robust ERM oversight process in place and that they are proactive in their oversight of risk management processes. Such developments involve:
• The interpretation of recent Delaware case law
• New York Stock Exchange listing standards
• The SEC’s endorsement of self-regulatory frameworks (for example, COSO) to manage financial risk
• The new Exchange Act requirement to consider risk factor disclosure in annual and quarterly reports
• Federal sentencing guidelines reform
• Best practice standards being implemented in highly regulated industries (for example, banking and insurance)
In addition, rating agencies, institutional investors and insurance companies underwriting directors and officers liability insurance policies are increasingly focusing on whether companies have ERM processes in place. This suggests that corporate boards may wish to reassess their approach to risk oversight as a fundamental element of good governance.
2. An increasing number of directors acknowledge that they must oversee business risk as part of their strategy-setting role.
• Just a few years ago, directors had a less-than-complete understanding of business risks, and research on implementation of enterprise risk management showed companies were at early stages.
• Now, many more directors say they have a better understanding of the major risks faced by their companies.
• Nevertheless, most board members tend to resist excessive formalization of ERM oversight processes.
• Directors today believe strategic risk rather than financial risk is their key concern.
• An enterprise-wide, top-down approach to risk management is viewed as a strategic effort rather than merely a compliance practice.
3. Directors should consider making improvements in their ERM oversight processes.
Directors confirm that every conversation they have about strategy embodies issues of risk, and risk is discussed on a case-by-case basis in connection with specific strategies or events. While most directors say they have a good or very good grasp on understanding the risk implications of strategy, directors are less likely to appreciate how the different parts of a business interact in the company’s overall risk portfolio. Although those directors surveyed feel satisfied with their risk oversight and the level of implementation by management, the personal interviews with directors show considerably less comfort in several key areas:
• Directors report a significant variation in knowledge of risk among their peers.
• Directors report a significant variation in practices among different industries.
• Less than half of the directors surveyed can point to the use of robust techniques to help them oversee risk and the majority of boards are not yet using a ranking system as part of their risk assessment practices.
4. Sound ERM oversight and implementation practices are now recognizable in a number of leading companies. Responsibilities between the board and management:
• The full board clearly has oversight responsibility for strategy as well as ERM. The agendas for both are set by management and approved by the full board.
• It is the board’s responsibility to provide oversight and ensure that an effective process for identifying, assessing and mitigating risks exists within the company.
• It is management’s responsibility to see that risk management is embedded in everyday business decisions throughout the company on an enterprise-wide basis.
• At the senior level, in addition to the CEO, a risk management team may include the chief financial officer or a chief risk officer. Relatively few companies formally designate a chief risk officer in their charters, although the practice is becoming more widespread.
Responsibilities among the full board and committees:
• Two-thirds of companies currently delegate risk oversight responsibility to the audit committee. However, a small number of companies distinguish between financial risk and other business risk, and they additionally charge another committee with broader-based business risk oversight.
• Where one or more committees oversee risk, they should coordinate and report to the full board, which maintains the overall strategic responsibility.
5. Companies may be looking at best-in-class peers for emerging practices in ERM oversight.
• Reported variations (from industry to industry and from company to company) in the sophistication of ERM oversight processes – especially among the financial and energy/utility industries – provide an opportunity to learn from those firms that are distinguishing themselves as leaders in ERM development.
Recommendations to corporate boards
Directors who are considering recommending that their companies upgrade their ERM capabilities may wish to consider the following:
1. Review committee structure and charters.
To ensure effective risk management oversight, it must be clear where responsibility for it resides at the board level. Most companies currently lodge this oversight in the audit committee; however, some directors believe that this committee is overburdened and may not have the skills and focus to deal with enterprise-wide risks. In response, some companies have established a dedicated risk committee or have given risk oversight to an existing committee such as the governance committee. This committee then shares risk oversight with the audit committee, and both committees report to the full board where the ultimate responsibility for risk oversight resides. Many directors stated that risk oversight is so integrally linked to strategy oversight that it belongs primarily to the full board.
2. Review the competencies of the board in fulfilling its risk oversight duties.
Strengthen the board, if needed, by ensuring that it has the right people, a variety of expertise and proper training. Management should proactively identify ways to ‘raise the risk management IQ of the board.’ Best practice examples include:
• Conducting risk management training for all board members (upon joining the board)
• Dedicating some time at each board meeting to discuss issues of particular relevance (for example, the implications of the Basel II capital accord on banks)
• Providing more analysis on the company’s risk profile and the risk/return nature of decisions
3. Develop a risk management process to ensure that directors are fulfilling their fiduciary responsibilities and will, therefore, be afforded the protections of the ‘business judgment’ rule when making decisions.
The process should ensure appropriate oversight with regard to management’s enterprise-wide risk assessment, mitigating and monitoring. The process should begin with a review of the company’s drivers of performance, and then continue with an inventory of risks and an analysis of how those risks will affect shareholder value.
4. A robust board-level ERM reporting system should be considered.
The design of board reports on risk begins with a clear understanding of what information the board and its committees need to understand and what they are expected to do with this information. What risks does the entire board need to understand? How often does it need to review them? What should be reviewed by the different committees (finance, audit or risk committee)? And, for what purpose is management asking the board to consider these risks? Is management asking the board to help assess the risks, to satisfy a fiduciary responsibility, to give permission to address certain risk events or to make some other decision? Moreover, the report should focus on providing real information – not just data. For example, the report should prioritize key risk issues and include management’s assessment of those risks, including a transparent display of the trade-offs and decisions made by management and their rationale. Finally, the board reports should be part of an ‘integrated reporting framework’ (that is, business unit reports should aggregate to a company-level risk report) and there should be consistency between management information flow and reporting and board reporting.
5. Develop a process to assess and monitor performance of the risk management process.
Best practice boards periodically (once per year, for example) review the effectiveness of the risk management processes at the board level. Some best practice boards have developed a self-assessment tool with which they rate the board risk management process against a number of criteria. The effectiveness of board committee structures and charters, how well board members believe they understand risk policies and how productive the interaction with management is on risk are all examples of these criteria.
6. Spend real time with management to get to the core of risk issues.
Board members should identify the handful of executives who have the best perspective on the company’s key risks and interact with them directly.
Note: This article is a reproduction of the executive summary of a report produced by The Conference Board and written by Carolyn Brancato, Matteo Tonello, Ellen Hexter and Katherine Rose Newman. McKinsey & Co and KPMG Audit Committee Institute assisted in research and the production of the report. To acquire the full report, please go to www.conference-board.org.