
 

Enterprise Risk Management

ERM: Are directors on board?

Conference Board study shows directors pushing hard for ERM

By Michael J. Moody, MBA, ARM


Much has been written about enterprise risk management (ERM) over the past few years. A number of reports and studies have discussed the rationale for adopting an ERM approach and how corporate management has been accepting of the concept. A variety of new laws and regulations following the Enron et al. financial collapses have clearly pointed out to corporate executives the wisdom of an enterprise view for risk management. And at this point in time, there is little doubt as to management’s commitment to ERM. However, until recently, little was known about the corporate directors’ commitment to ERM.

Recently, The Conference Board issued a report titled “The Role of U.S. Corporate Boards in Enterprise Risk Management.” This landmark study confirms that boards of directors of publicly traded companies have been heavily focused on the Sarbanes-Oxley requirements over the past couple of years. Despite this renewed interest in governance and compliance, boards are also beginning to assess their evolving role in risk management oversight. The report notes that most directors now realize that they must advance their focus from the traditional role of internal control to a more comprehensive ERM framework.

Emerging trends

The Conference Board identified a number of key findings in their report. Included in this list was the identification of several emerging trends with regard to corporate boards and the responsibilities of the directors. Among the more important trends were the evolving legal developments that make it prudent for directors to ensure that a robust ERM oversight process is in place. Further, boards must be proactive in their oversight of the risk management process.

The report noted several developments that make this proactive involvement critical for a board. These developments include new New York Stock Exchange listing standards, the SEC’s endorsement of self-regulatory frameworks to manage financial risks, Federal Sentencing Guidelines reform, and best practice standards being implemented in highly regulated industries such as banking and insurance. It also noted that several key groups are beginning to focus on whether companies have ERM processes in place. These include rating agencies, institutional investors and insurance companies’ directors and officers underwriting departments. As a result, the study suggests that corporate boards may soon choose to reassess their approach to risk oversight as a fundamental element of good governance.

The report also noted that an increasing number of directors are beginning to acknowledge that they must oversee business risk as part of their overall strategy-setting role. While most directors agree that just a few years ago they had a less than perfect understanding of business risks, many more directors now say they have a better understanding of the major risks facing their companies. As a result of this improved understanding, directors believe that strategic risks rather than financial risks should be their key concern. They also recognize that an enterprise-wide approach to risk management should be viewed as a strategic effort rather than merely a compliance issue.

Despite the improved view of risk management, some directors still admit they need to make improvements in their risk management oversight processes. They indicate that every conversation they have about strategy embodies issues of risks and, as such, risk is now discussed on a case-by-case basis in connection with specific strategies or events. In addition, most directors say they have a “good” or “very good” grasp of the risk implications of different strategies their companies may choose.

However, while the survey results indicated that directors were satisfied with their risk oversight and management’s implementation, personal interviews with individual directors showed considerably less comfort. Areas of concern for the individual directors were the variation in knowledge of risks among their peers and significant differences in ERM practices among different industries.

The report also noted that sound ERM oversight and implementation practices are now a trend that is recognizable in a number of leading companies. Leading companies have indicated that the full board has clear oversight responsibility for strategy as well as ERM. And while management sets the agenda for both, the board must approve it. Additionally, it is the board’s responsibility to provide oversight as well as ensure that an effective process is in place for identifying, assessing, and mitigating risks that exist within the company. Management’s responsibility, on the other hand, is to see that risk management is embedded in everyday business decisions throughout the company on an enterprise-wide basis.

The Conference Board report also noted a trend that companies are beginning to look at best-in-class peer organizations for emerging practices in ERM oversight. It also noted that despite the reported variations from industry to industry, corporations could look to the financial service industry for more sophistication with regard to ERM oversight. This will provide the board with an opportunity to learn from the financial service firms while distinguishing themselves as leaders in ERM development.

Recommendations for boards

The Conference Board report notes that many directors are now considering recommending that their companies upgrade their ERM capabilities. They believe that directors may wish to consider several specific recommendations. For example, directors want to confirm that risk management oversight rests with the board. While some corporations have placed this responsibility within the audit committee, most directors believe that this committee is already too overburdened and may lack the skill sets to effectively handle this duty. In order to correct this problem, some organizations are now forming new ERM committees to handle this important task.

The Conference Board report also recommends examining the competencies of the board members to assure successful risk oversight. If needed, the report suggested strengthening the board to get people with a variety of expertise and proper risk management training. Further, corporate management should continue to work toward increasing directors’ risk management IQ. One method that can be used effectively is to dedicate time at each board meeting to discuss various topics relevant to risk management.

The report also suggested that the board implement a risk management process that will ensure that the individual directors are fulfilling their fiduciary responsibilities. This process should center on the appropriate oversight of the ongoing ERM assessment, mitigation and monitoring. This process should begin with an in-depth review of the corporation’s performance drivers. It should continue with an inventory of risks and an analysis of how those risks will affect shareholder value.

Another important recommendation advanced in the report is to develop a robust ERM reporting system. Central to the reporting system is providing information that gives directors the data needed to understand the company’s risk. It is critical that the board understand which risks it needs to be aware of and how often it should review the handling of those risks. All risk reports should be designed to provide specific, decision-making information, and should prioritize the key risks and include management’s assessment of these risks.

A final suggestion stated that management should invest the time needed to relate the core risk issues to the directors. Further, management and the board should identify those key executives who have the best perspective on the organization’s risks and have ongoing dialogue with this group.

Conclusion

The recent Conference Board report has provided significant insight into how corporate boards are now viewing their responsibilities regarding risk management. As the report documents, there is little doubt that boards are now recognizing the critical nature of risks within their corporations and their oversight responsibilities. While a number of organizations are still struggling with ERM implementation, their boards are painfully aware of their oversight role and their duties from a risk management standpoint. Speculation has been high as to who will be the ultimate driving force for ERM implementation. Among possible drivers, experts have recently identified directors & officers liability underwriters, lending institution requirements, rating agencies and institutional investors. However, as time goes on, it may well be the corporate directors who will insist on a state-of-the-art ERM program.

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. SuRF’s primary goal is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.

 
 
 


 
 
 
 
 
 
 
 

 
