Risk Management Takes a High Profile in Corporate Governance Today
Corporate governance—the establishment of processes, structures and controls to effectively run a business organization—has been a subject of increasing interest and concern over the past decade as a result of financial bubbles and scandals that have rocked the corporate world, and most recently resulted in a global financial and economic crisis.
In particular, in recent years, the management of risks has come to the fore as a key concern and responsibility of top corporate officers and boards of directors. For example, in dealing with the risks exposed by the financial scandals of the early 2000s, the Sarbanes-Oxley Act of 2002 (SOX) legislated tighter financial controls and mechanisms for public corporations, and made the CEO personally responsible for the information in the financial statements that his/her company files with the SEC and other government agencies.
Similarly, in response to the recent global financial crisis, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), enacted in mid-2010, was designed to reduce risks within the financial system and to enhance consumer protections when dealing with banks and other financial institutions. This landmark legislation requires wide-ranging changes in the behavior of financial services firms, and creates a whole set of new oversight mechanisms to enforce the law.
As the passage of these laws indicates, running companies has become increasingly risky for corporate executives and boards of directors, as well as for the public at large. And this has translated into increasing risk for individuals and institutions investing in these companies.
Risks of all kinds
Companies today are subject to a wide range of risks. A survey across all industries conducted this year by the consulting firm Accenture asked 400 company CEOs around the world about the risks they regularly deal with, including business risk, market risk, credit risk, regulatory risk, operational risk, legal risk, liquidity risk, reputational risk, and political risk.
The results of the Accenture survey emphasize the importance of risk management to corporate executives in a business environment characterized by periods of economic turmoil and increasing regulatory oversight. The risk management function was identified by 86% of survey respondents as a critically important factor in managing the increasing volatility of the economic and financial environment. And 83% said that risk management is critical in managing the growing complexity of their own internal corporate organization.
Furthermore, the degree of interest in risk management has increased across all industries in the two years since Accenture took its previous global survey on risk management. As Accenture puts it, companies have moved from being “reactive” to being “proactive.” For financial and insurance companies, the urgency has become even greater due to increased regulatory requirements and the impact of the financial and economic crisis, Accenture said.
Of course, smaller and midsized private companies are subject to many of the same risks as public companies and should, therefore, be similarly interested in enhancing their internal risk management functions.
The responsibilities of corporate boards
With such critically high importance attached to risk management across all industries, it is no wonder that managing risks has become an important objective for boards of directors in implementing corporate governance.
A major study of corporate governance conducted by professors at the Harvard Business School in 2009 summarized in-depth interviews with 78 directors of major U.S. corporations across a broad spectrum of American industry. The project was designed to elucidate many corporate governance issues that were exhibited during the recent financial crisis.
Risk management was one of three key areas that were of greatest concern to the directors interviewed, the other two being board involvement in strategy and in management succession. Given the high degree of risk that led to the financial crisis, one director told the Harvard researchers, “I think now there is more and more concern that risk management has to be a board-level activity.”
Responding to these concerns, the Dodd-Frank Act mandates that boards of publicly owned companies establish a separate risk committee to oversee enterprise-wide risk management across the entire company. The risk committee must include at least one risk management expert.
Given the broad risk-related issues that corporations face today, accounting/consulting firm Deloitte has dedicated an entire consulting area to advising clients on risk analysis, management and governance. It calls its approach risk-intelligent governance, and calls corporations that practice this approach risk-intelligent enterprises. In a white paper, “Risk-Intelligent Governance: A Practical Guide for Boards,” it discusses six key areas of focus where boards need to take action to manage their risks:
Define the board’s risk oversight role
The board needs to set the expectations for risk intelligence, and create and communicate to management and other company stakeholders what will constitute intelligent risk management for this company.
Foster a risk intelligent culture
People at all levels of the organization should be involved in the discussion concerning the risks and uncertainties faced by the business and how to deal with them.
Help management incorporate risk intelligence into strategy
The board should work with management to develop a viewpoint that considers risks and returns of particular activities in a broad strategic context for the entire company.
Help define the company’s risk appetite
Deloitte defines risk appetite as the overall level of enterprise-wide risk that companies are willing to take with regard to such activities as acquisitions, new product development, market expansion and the like. Where practical, quantification of this risk appetite – e.g., a dollar figure, or a percentage of revenue or capital – should be developed. But less quantifiable risks, such as reputational risk, should also be considered. The CEO would propose risk appetite levels, but the board would evaluate and approve them or send them for adjustments.
Execute the risk intelligent governance process
In executing the risk-intelligence process, the board should work with management on process design, monitor the risk management process, conduct formal assessments of the process, and ensure accountability/responsibility at the board and management levels.
Benchmark and evaluate the governance process
The board should establish processes for evaluating the process and its progress, and for improving it in areas where it is required.
Given the mercurial and rapidly shifting nature of the global and domestic economies, it is clear that companies of all sizes will continue to be buffeted by risks of all types in the coming months and years. Interest in these matters has risen rapidly in recent years, and should remain at a high level going forward.
Company executives and boards are now more aware than ever of the need to manage these risks so that they can survive these turbulent times and thrive as the U.S. and global economies return to more normal growth. This attention to risk management will be enhanced by new regulatory processes put in place by such laws as SOX and, more recently, Dodd-Frank.
Going forward, corporate executives and boards will need to give these risk concerns a high priority on their governance agendas, or else risk deterioration in their growth, profitability and market share. When strategic, business management and day-to-day operational activity place high demands on executive time, consideration should be given to bringing in an outside resource with risk management and corporate governance expertise.
References and Further Reading
Report on the Accenture 2011 Global Risk Management Survey: Risk Management as a Source of Competitive Advantage and High Performance; Accenture; June 29, 2011;
Risk Intelligent Governance: A Practical Guide for Boards; Deloitte; 2009; http://www.corpgov.deloitte.com/binary/com.epicentric.contentmanagement.servlet.ContentDeliveryServlet/USEng/Documents/Audit%20Committee/Risk%20Oversight/Risk%20Intelligent%20governance_Deloitte_082609.PDF
Perspectives from the Boardroom – 2009; Jay W. Lorsch, Joseph L. Bower, Clayton S. Rose, and Suraj Srinivasan; Harvard Business School; September 9, 2009; http://www.people.hbs.edu/jlorsch/BoardroomIssues.pdf