Enterprise Risk Management

Dominating the conversation

Deck

By Michael J. Moody, MBA, ARM

Over the past 12 months, boards of directors across the country have held significant discussions regarding risk oversight. As the full effects of the financial meltdown are still being felt by many, people are trying to determine just where the breakdown in risk management occurred that allowed conditions at many financial institutions to deteriorate far enough to cause the current crisis. More and more, it appears that corporate boards of directors may have lacked sufficient oversight of their corporations' various risk elements.

While directors have always had ultimate responsibility for monitoring the risks of their companies, little time and/or attention was paid to this topic until recently. Many companies did little more than pay lip service to this important area. Without question, the boards had abdicated much of this duty to other corporate officials. Now, however, the events that led to the current financial woes are causing some major soul searching at the board level of many corporations.

Regulators' concerns

Several major regulatory events have signaled that a new, more robust approach to risk oversight will be required going forward. While many believe that this new view of risk management began last year, the more onerous requirements actually began to appear several years earlier. Initially, several critical risk management-related requirements were embedded within the Sarbanes-Oxley Act of 2002.Among other things, these include a requirement that a public corporation disclose any material weakness in the organization's internal financial reporting. This is further amplified by the additional requirement that the chief executive officer and chief financial officer of these firms attest to the effectiveness of the company's internal control.   

Interest was further broadened when the Securities and Exchange Commission (SEC) enacted specific requirements regarding risk oversight at the board level. The passage on December 16, 2009, of Rule No. 33-9089 gave fair warning of things to come. While much of Rule 33-9089 dealt with what is widely viewed as a major contributor of the meltdown, executive compensation, the regulation also contained Section C, New Disclosure about Board Leadership and the Board's Role in Risk. This states that risk oversight will be considered a "key competence" for the board. As part of this section, the regulations require new proxy disclosures that highlight individual directors' qualifications as well as noting the role of the board in the risk management process.

According to ERM specialist Sim Segal, president of SimErgy Consulting LLC, the SEC also added requirements for disclosures related to risky incentive compensation programs—those which create risks "reasonably likely to have a material adverse effect" on the company. "This is important," says Segal, "because a strong ERM program is needed to determine whether or not a compensation program is risky and, therefore, subject to new disclosures." Segal says that an ERM program is needed to (a) measure the risks taken by employees, in terms of their impact on shareholders, (b) define "material adverse impact" with a risk appetite statement, and (c) integrate (a) and (b) into the incentive compensation formulae.

The New York Stock Exchange has also moved to strengthen the board's oversight responsibilities. The Exchange now requires the audit committee of listed companies to discuss the corporate policies regarding risk assessment and risk oversight. Additionally, the audit committee must point out that while an audit can discuss risk oversight, it remains the exclusive responsibility of the board to perform the oversight function.   

More recently, the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank bill) raises the stakes even higher with regard to board oversight. The Dodd-Frank bill, which was signed into law by President Obama on July 21, 2010, represents one of the most far-reaching regulatory efforts to control the financial service sector since the Stock Market crash of 1929. It is a broad-based bill that covers a multitude of financial related issues.

Questions remain

Despite the massive amount of legislation and regulation that has occurred recently, many questions remain, according to Segal. Since many of the specifics of the Dodd-Frank Bill are left to be worked out in the future, "it is difficult to predict whether or not the bill will end up having much impact." In fact, he points out that in many key areas, the bill leaves crucial details up to a newly established group known as the Financial Stability Oversight Council. Segal cites as an example the lack of specificity regarding new "risk management" requirements for large and complex banks.

In addition, Segal says, "The bill, unfortunately, limits its focus to those risks to economic stability arising from selected financial firms, mostly the largest banks, whereas threats can come from failures of other extremely large companies outside the financial sector, such as was the case with GM. We needed a bill that would protect the economy from the next financial crisis, whether it arises from financial or non-financial firms."

One of the more complete sections of the bill is a requirement that will necessitate that the board form a separate risk committee. Based on the legislation, the risk committee will be:

• held responsible for risk oversight in the organization

• required to include the appropriate number of independent directors

• required to include at least one "risk management expert having experience in identifying, assessing and managing exposures of large, complex firms."

While the majority of the Dodd-Frank Act is directed at banks, it also applies to certain large non-bank financial companies. Many experts believe that while these requirements are currently limited to the financial services sector, it can be clearly seen that these types of risk committees could become "best practice" procedures for all public organizations.

Further, it appears that Congress is not resting on its laurels with regard to risk management and risk oversight. Several additional bills have been introduced that would impose on the board even more stringent risk management requirements than the Dodd-Frank bill. For example, one of these would include a provision that all public companies establish a risk committee that would be made up solely of independent directors.

Conclusion

With or without further regulatory efforts, the board via its fiduciary duty to the shareholders has always been responsible for risk oversight. However, the new regulatory efforts leave little doubt about its responsibility for this important oversight role. Only time will tell just how stringent the oversight aspects of these various initiatives will be. It may be a number of years before we realize the true effect these programs actually have on corporate financial results.

Segal, however, believes that Congress "missed an opportunity to make a real difference in enterprise risk management." He admits, "It is still possible that it could become meaningful legislation," but its vagueness does not speak well for the law. Long term, these types of regulatory efforts should, in fact, strengthen most companies' risk management programs. However, for the most part, this is relegating risk management to a compliance exercise and thus will diminish enterprise risk management. Segal thinks that ERM is effective only when it serves a larger strategic purpose.

"ERM must offer a business case for itself to senior management," says Segal. "This is achieved through a value-based approach, which integrates risk and return management, increasing shareholder value." Without such a strategic approach to ERM, which is unlikely to evolve from the Dodd-Frank bill, effective ERM may only come at a slower pace.

The author

Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc., an independent consulting firm that has been established to advance the practice of enterprise risk management.