Enterprise Risk Management
Board oversight revisited
Directors have been given the responsibility for risk oversight—now what?
By Michael J. Moody, MBA, ARM
Enterprise risk management (ERM) has become the risk management norm for many organizations worldwide, and appears to have become the de facto long-term solution that many companies have been searching for. However, risk management in general has had to endure its share of issues over the past 10 years. Initially, there were the financial scandals of 2002 - 2003 that involved a number of high profile corporations. Along with companies such as Global Crossing, WorldCom and Tyco, ENRON become the poster child of bad management. This was particularly painful, since ENRON was, at the time, one of the strongest proponents of ERM.
More recent was the financial crisis of the last five years. It began with the likes of Bear Stearns and Lehman Brothers, but quickly moved on to huge, "too-large-to-fail" companies which included AIG, many international banks and even the U.S. auto industry. While the book has not yet closed on this saga, again risk management has managed to be tarnished by the ensuing events.
While the future has improved for most financial institutions over the past few years, it has come with several lingering issues that will need to be resolved if future growth is to occur. And it is clear that it will be up to the board to help resolve these issues. If there was ever any doubt about who bears the ultimate responsibility for monitoring an organization's risks, it has, in no uncertain terms, been finally laid to restóit is the board. While this should not come as a surprise to anyone, the events of the last 10 years have crystallized this position. Over that time period, there have been any number of governmental rules and regulations that have been enacted as well as additional regulations that were introduced by other organizations.
The heat is on
One of the first government attempts to mitigate these kinds of problems was the Sarbanes-Oxley Act of 2002 (SOX). SOX led to rules for monitoring policies and procedures in preparation of a company's financial and SEC reports. For the first time, management was personally responsible for attesting to the validity of the information in the financial statements. Additionally, the New York Stock Exchange also promulgated its Corporate Governance Rules for its listed companies. These rules required the audit committee of listed companies to discuss policies with respect to financial risk assessment and risk management. Equally important, most of the major credit-rating agencies began to incorporate specific reviews of ERM programs as part of their overall rating process. Initially, they reviewed only ERM programs of insurance entities and other financial institutions, but have since moved on to non-financial organizations.
More recently, the Dodd-Frank Act has been passed and, while it has a number of requirements that remain to be formalized, some specifics have been approved. One of the specific requirements of Dodd-Frank is that it provides the first statutory requirement for a risk committee. The SEC requirements have also been updated with the amendment of one of its prior rules. Known as Rule 33-9089, it requires that proxy statements discuss company compensation policies and practices as they relate to the company's risk management practices. Additionally, listed companies are required to disclose the extent of the board's role in risk oversight, including the administration of the oversight function.
In addition to the above noted items, the Canadian Office of the Superintendent of Financial Institutions recently issued a draft guideline that is intended to update the existing Corporate Governance Guideline. The new guideline is designed to bring federally regulated financial institutions including insurance companies into "greater alignment with prevailing industry best practices and standards."
While there are a number of important changes included in the new guideline, the most obvious change is the increased focus on risk. In essence, it requires institutions to provide statements regarding risk appetite and risk tolerance, as well as having these statements approved by the board as part of an integrated ERM strategy. Additionally, the guidelines require the establishment of a risk committee, which must be made up of independent directors. For the most part, even though the guideline is being circulated for comment, the handwriting on the wall is clear. Boards must become more dynamic in their firm's risk oversight activities.
At this point in time, there is little doubt that the board must assume responsibility for risk oversight. The only real question is how best to do that.
Square peg in a round hole
The Risk and Insurance Management Society (RIMS) has noted in their recent report, An Evolving Model for Board Risk Governance, which corporations are beginning to implement strategic plans for a more active involvement in risk oversight by the boards. They point to a study that was completed by risk management consultant ermINSIGHTS into the current practices with regard to this matter. The consulting firm reviewed the proxy statements of the companies that made up the Dow Jones Industrial Average. They looked at three specific areas with regard to the disclosures:
• "How often an organization noted whether a chief risk officer (CRO) function was in place."
• "Measure the extent 'enterprise risk management' or 'enterprise approach to risk management' was specifically mentioned."
• "Examine how the board's role in risk oversight was being presented to stakeholders."
The report noted that only about 20% said that a chief risk officer was in place and, since this is still an evolving job function, that is to be expected. The report also found that 64% mentioned ERM in their disclosures. Finally, while only 27% of the proxy statements contained a section regarding board oversight of risks, the authors believed this is due to the timing of the study. They indicated that the actual number would be 100% next year, since compliance of this aspect is specifically required.
So at this point, most organizations and their boards now understand the importance of developing a proactive risk oversight program. However, it's the next step that is causing concerns for some organizationsówhere do you actually house the risk oversight effort? As the recent RIMS report points out, too frequently, the answer to this dilemma has been the audit committee. But RIMS suggests that there may in fact be a better option since there are several shortcomings to using the audit committee.
First and foremost, the audit committee already has a pretty full agenda and adding the responsibilities for risk oversight could be detrimental to both the audit function as well as risk oversight. For this reason, a number of interested parties, including RIMS, suggest a separate risk committee.
The past 10 years have been a roller coaster ride for many risk professionals. Deficiencies in risk management have been a contributing factor for most of the financial failures of the past decade. As a result, risk management in general and enterprise risk management specifically have suffered over that time period. While there has been pressure from a wide variety of sources to strengthen risk management, continued demands will be placed on the profession. During that time, corporations will have to struggle with developing ERM programs that are compatible with their missions and corporate cultures.
Have all of these new rules and regulations actually helped? At this point, there is little evidence, despite how well intentioned, that some of the legislative efforts have had anything other than limited value. Take SOX as a case in point. As Michael Schrage, MIT Sloan School of Management scholar, points out, SOX was "the most sweeping corporate governance reform in any country in five decades when it passed, and its express purpose was ensuring diligent and responsible boardroom behavior." Yet despite this noble goal, Schrage continues, "SOX played no discernible role in anticipating or preventing the inappropriate risky behaviors that precipitated the global financial crisis that came just five years later." He suggests that SOX, in essence, transformed the board's oversight duties into increasingly detailed "compliance checklists" rather than "encouraging directors to collaborate on behalf of shareholder concerns."
So for all the good many of the new rules and regulations may do in the future, one thing is apparent at this pointólike any other corporate initiative, its ultimate success is totally dependent on the "tone at the top." Today, due in large part to the previous failings of risk management, board support and oversight has become a paramount issue. And while the board oversight responsibilities can rest in any number of places, current best practices would suggest that in order to provide proper oversight, a separate risk committee should be established at the board level. It is just too important to rest elsewhere.