Improving Board Risk Oversight
Eight simple steps show you how.February 3, 2011
by Mark Beasley, PhD
Even though boards of directors have held a governance responsibility for the oversight of major risks facing the enterprise for decades, expectations for more effective efforts on the part of boards to oversee management's risk taking are increasing as a result of the recent economic crisis. Excessive risk-taking by management in the pursuit of over-the-top returns ultimately led to the demise of several high-profile organizations. Critics have responded by asking "where was the Board?" in fulfilling its responsibility to reign in management as they embraced risk-taking far-beyond the appetite of key stakeholders.
The spotlight has turned to boards and the result is boards are trying to assess how they should strengthen their own processes to enhance their effectiveness in risk oversight. Effective March 1, 2010, boards of publicly traded companies are now required by the U.S. Securities and Exchange Commission (SEC) rule to include disclosures in proxy statements that describe the board's processes in risk oversight. Several studies have examined samples of these new proxy disclosures and found wide variation in the nature of information provided and the underlying processes used by boards to oversee risks at their organizations. While some disclosures reveal boards that seem to be on top of their oversight of the major risk exposures facing the organization, others suggest that boards are struggling to understand their role in risk oversight and finding difficulty in pinpointing effective processes to help them.
Current State of Risk Oversight Maturity
Committee of Sponsoring Organizations' (COSO) recent report, Board Risk Oversight: A Progress Report, contains results of a 2010 survey of individual directors that sought information from directors about how risk oversight processes are applied by today's boards and to obtain both current and future states of board risk oversight. The results found mixed signals about the effectiveness of board risk oversight across organizations and a significant room for improvement. While many boards believe they are performing their risk oversight responsibilities diligently and achieving a high level of effectiveness, a strong majority indicate their boards are not formally executing mature and robust risk oversight processes. Just over 50 percent of respondents noted that the board's risk oversight process is either "effective" or "highly effective," but close to 75 percent indicated that their board is not formally executing mature and robust risk oversight processes. Most convincing is the finding that fewer than 15 percent noted the board is fully satisfied with their risk oversight. Thus, there appears to be room for improvement among most directors surveyed.
Part of the challenge is a general confusion as to what the role of the board is in risk oversight. Some directors are unsure as to where their responsibility begins and ends, in contrast to management's. Some directors perceive a responsibility for the board to be more hands on in the management of risks, almost assuming the role of risk management. However, most agree that the board's role is in risk oversight leaving the job of designing, implementing and executing processes to actually manage risks to management. That is the prevailing view among most governance experts.
In simple terms, the board's responsibility in risk oversight boils down to two overarching areas of focus:
Let's briefly explore these two overarching board responsibilities.
Understand and Approve Management's Risk Management Process
The starting point for many boards is asking management to describe its existing processes for risk management. In some cases, boards are generally unaware of how management goes about managing key risks facing the organization. They are familiar with typical silos or pockets of risk management activities within the organization, such as legal, compliance, financial reporting, internal audit, etc. Often these functions periodically report to the board on an individual basis about the nature of activities ongoing in those functions, but the board remains unaware of other risk management activities underway in the organization. Furthermore, boards often lack an understanding of whether there are processes management has in place to bring individual silos of risks together to obtain an integrated or enterprise-wide view of key risk exposures. In some organizations those processes exists but the board is unaware, while in other cases management processes for identifying, assessing and responding to risks are disjointed, uncoordinated and incomplete.
A second report issued by COSO, 2010 Report of ERM: Current State of Enterprise Risk Oversight and Market Perceptions of COSO's ERM Framework, suggest that the latter may be the more common reality in most organizations today. Of over 460 management executives surveyed, only 28 percent described their current stage of enterprise-wide risk management as "systematic, robust and repeatable." Most (almost 60%) indicated that their risk tracking is mostly informal and ad hoc or only tracked within silos or categories of risks. Almost half (42.4%) described their organization's level of ERM processes as "very immature" or "somewhat immature" and about a third (35%) admit that they are "not at all satisfied" or "minimally satisfied" with the nature and extent of reporting to senior executives of key risk indicators. Thus, part of the challenge for boards in increasing risk oversight is for them to engage management in efforts to strengthen underlying processes for actually managing risks. It may take board inquiry and expectation-setting discussions to push management to strengthen processes to manage the organization's most significant risk exposures.
Here are a few simple steps boards can take to move in that direction:
Understand the Most Significant Risks
The second board responsibility is to be apprised of the most significant risks being identified by management's risk management processes and review that portfolio of risks to determine whether those risks exceed stakeholder appetite for risk-taking. So, this second responsibility focuses on the output of the risk management processes discussed above.
Boards should evaluate whether information it receives from management about top risk exposures is providing an enterprise perspective of the top risk exposures facing the organization. Often management reporting of potential risks is done in silos whereby risks are not considered from an interrelated, enterprise-wide perspective. Thus, any connections between potential risk events may be overlooked, thus causing the board to fail to see potential risks that may be triggered by the same risk driver. Boards may need to work with management to help them present risk information in a coordinated enterprise wide format so that the board can more easily obtain a top-down portfolio view of the most significant risk exposures.
For some, the board's focus on potential risk exposures is mostly ad hoc and informal, often inadvertently occurring as part of discussion about other specific activities or processes of the organization. Boards are now finding that there is significant benefit in their placing the discussion of top risk exposures as a stand-alone agenda item at least annually for the board. Depending on the possible speed of change in a particular risk factor, some boards are increasing the frequency of discussions of major risk exposures to a quarterly basis.
The explicit focus on the entity's top risk exposures often leads to more robust communications among directors and management about the nature and extent of risks and whether risks identified are within the organization's appetite for risk-taking. While articulating risk appetite is challenging for most management teams and boards, many are finding that the explicit focus and communication about the top risk exposures has helped boards begin to define the entity's boundaries for risk taking.
Boards are also placing greater demands on management to improve the board's information package to include more direct metrics of potential emerging risks. Many are asking for management to develop key risk indicators (KRIs) to complement key performance indicators in an attempt to give management and the board more proactive leading indicators of emerging risks that will position them to more proactively (versus reactively) manage emerging risk exposures.
Here are a few simple steps boards can take to move in that direction:
Boards play a critical governance role in ensuring that management's risk-taking in the pursuit of value does not exceed the organization's overall risk appetite. Given the increasing volume and complexities of risks facing most organizations, this governance responsibility is no easy task for today's boards. But, greater focus by boards on understanding and approving management's process for risk management and dedicated focus and attention on explicitly discussing the entity's top risk exposures can go a long way in strengthening the board's effectiveness in risk oversight.
Rate this article 5 (excellent) to 1 (poor). Send your responses here.
Mark Beasley, PhD, is the Deloitte professor of Enterprise Risk Management and director of the ERM Initiative in the College of Management at North Carolina State University in Raleigh, NC. He serves on the COSO Board representing the American Accounting Association and is a frequent speaker on ERM and governance at national and international conferences.
The AICPA and NC State's ERM Initiative are jointly hosting a one and a half day workshop titled, Strengthening Your Enterprise's Risk Oversight for Strategic Benefit, to help organizational leaders understand emerging expectations for greater risk oversight. This workshop will be conducted in New York City on March 31-April 1, 2011.