Sep 28, 2009

Note to Directors: Risk Management Not Optional

It may have taken a financial crisis the likes of which we have not seen since the Great Depression and the election of a liberal president to get the federal government to see what corporate governance experts for years have seen. Risk really does matter.

Sure, some companies – especially those in financial services – have had a chief risk officer or the equivalent for years and COSO (Committee of Sponsoring Organizations of the Treadway Commission) issued an integrated framework for enterprise risk management back in 2004. (And those actions came after monumental accounting fraud perpetrated at Enron and WorldCom.) The difference now is that risk management is no longer an issue that just concerns CROs, CFOs and the internal audit team. It has reached the CEO’s office and the boardroom.

Aon, the Chicago-based insurance brokerage and management consultant, found in its April Global Risk Management Survey that while most organizations have increased their overall risk preparedness since 2007, fewer than half of the respondents are tracking and managing all components of their total cost of insurable risk. And fewer than two-thirds of respondents had formally reviewed, or had a plan in place to review, three of the top 10 risks of 2009: economic slowdown (1), regulatory/legislative changes (2), and damage to reputation (6).

When the SEC and the U.S. Treasury Department (see Sept. 24 speech by Deputy Treasury Secretary Neal S. Wolin) are focusing on risk management for public companies, then you know it is no longer a secondary task, but rather a primary one for all boards and management. If auditors and audit committees felt burdened with conducting risk-based integrated audits of internal control over financial reporting, wait to see what the new administration has in store for the coming year.

For starters, the SEC under new Chairman Mary L. Schapiro has created the Division of Risk, Strategy and Financial Innovation, combining the Office of Economic Analysis, Office of Risk Assessment and other functions. It marks the first time one division, which will be headed by University of Texas School of Law Professor Henry T. C. Hu, will oversee risk and economic analysis, strategic research and financial innovation. Hu’s statement in the Sept. 16 release announcing his appointment is quite telling: “I look forward to working with the Commission and to using an interdisciplinary approach that is informed by law and modern finance and economics, as well as developments in real world products and practices on Wall Street and Main Street.”

In other words, it won’t be business as usual at the SEC as fewer political appointees and more academic and hands-on people join the regulator. It also means that all the work of organizations like COSO, the Institute of Internal Auditors (IIA), the National Association of Corporate Directors (NACD) and The Conference Board will become more relevant. It is the research and thought leadership produced by such organizations that regulators, lawmakers and executives alike will need in order to address current and future risk management issues.

Earlier this month, COSO issued Effective Enterprise Risk Oversight: The Role of the Board of Directors, a four-page paper that reiterates how crucial risk management is for today’s companies. “In the aftermath of the financial crisis, executives and their boards realize that ad hoc risk management is no longer tolerable and the current processes may be inadequate in today’s rapidly evolving business world,” the paper says.

The IIA has recently published 2010-2: Using the Risk Management Process in Internal Audit Planning (membership required), which is a practice advisory for internal auditors, and in May its Tone at the Top monthly e-newsletter focused on global risk. In addition, the NACD’s President and CEO Ken Daly told a KPMG Audit Committee Insights Webcast Sept. 21 that his organization is working on a Blue Ribbon Commission on Risk that is due out shortly.

Corporate Governance Handbook: Legal Standards and Board Practices (Third Edition)

The Conference Board Governance Center just last week released Corporate Governance Handbook: Legal Standards and Board Practices (Third Edition), which includes a separate chapter on risk oversight. “Corporate boards should give thoughtful consideration to the benefits of implementing a comprehensive risk management infrastructure and enhancing the organization’s ability to respond effectively to risk events and capture new strategic opportunities,” according to the handbook, which was authored by Matteo Tonello, associate director of corporate governance at The Conference Board. The Board is also working, in collaboration with its Directors’ Institute, on a special Risk Oversight Handbook for board members. The new Handbook will be a compilation of emerging practices in this area, expanding on the findings of the 2006 Working Group on Risk Oversight, and will be released in the summer of 2010. (See Emerging Governance Practices in Enterprise Risk Management for those Working Group findings and recommendations.) Until then, The Conference Board will release a series of short papers on the subject, drawing on contributions from leading legal and financial experts.

- Gary Larkin

One Response to “Note to Directors: Risk Management Not Optional”

  1. Sean Lyons says:

    Note to Directors: Risk Management Not Optional

    Unfortunately it has taken a very serious crisis to finally get the corporate world to begin to address the imbalance which has existed between the focus on pursuing the potential rewards associated with certain corporate activities and the lack of focus on defending the organization from the risks associated with these activities. However (as your piece highlights) it appears that it has still required the intervention of the regulators to help ensure that organizations finally appreciate that an ad-hoc approach to risk management is no longer acceptable or indeed sustainable.

    The management of risk in its broadest sense is a cultural issue which needs to be present in an organization’s DNA and needs to be embedded into day-to-day activities. For this to be achieved it needs to address multidimensional issues from both inter-disciplinary and cross-functional perspectives. This requires the vertical and horizontal integration of the strategic oversight, the tactical planning and the operational execution of risk management processes throughout the enterprise.

    I for one look forward to the ongoing developments of comprehensive infrastructures designed to achieve this objective. Hopefully these infrastructures will also sufficiently focus on the integrated management of the critical components which constitute an organization’s program for self-defense. These components include not only the management of risk but must also include the management of governance, compliance, intelligence, security, resilience, controls and assurance.

    Unfortunately the management of risk is all too often restricted to the direct 1st order consequence (financial risk) rather than appreciating the indirect 2nd and 3rd order consequences which can occur further down the road as a result of qualitative issues. It needs to be remembered that at the end of the day all risk can have a financial impact, be it on share price or otherwise.

    I am also looking forward to the upcoming series of short-papers by the Conference Board on this subject matter.