Effective March 1, 2010, publicly traded companies faced new SEC requirements to include first-time disclosures of the board’s role in risk oversight.  To obtain a sense for how board’s are responding to increased expectations for improved risk oversight, Deloitte & Touche LLP analyzed a sample of these new disclosures to get a sense for what boards are doing to fulfill their oversight obligations for these organizations.  They reviewed approximately 400 proxy statements from the year 2010.

Is the Board Really in Charge?

For the most part, the board of most of the organizations analyzed view risk oversight as a very important issue that is handled by their full board of directors.  Organizations and shareholders often make the mistake of believing that it is the board that should be managing the risks of the organization.  However, the report included interviews of a select number of CEOs who emphasized the fact that boards are there for risk oversight, not risk management. It appears that many of the boards agreed with that perspective by emphasizing their oversight roles.  Thus, one benefit of the new proxy disclosures is that they should do a great job of increasing transparency or insight that helps clarify the board’s oversight responsibility, leaving the actual management of risks to management.  The report also helps show that not all companies are taking a “one size fits all” approach to the concept of board risk oversight. There were noted differences in approaches taken by boards to fulfill their responsibilities.

Delegation of Risk Oversight to Committee Levels

Some of the disclosures showed that it isn’t always the board who is fully responsible for the risk oversight duties at these organizations.  In over half of the organizations reviewed, the audit committee was the group who was in charge of risk oversight.  This is practice is fairly common due to the perception that audit committees are already focused risk through their oversight of financial reporting risks and related internal control responses to those risks.  The report reminds readers, however, that in the end the board is still the group who must take full responsibility for oversight of risk management in an organization.  In some areas such as compensation, human resources, or audit, it is completely reasonable to have other committees involved with helping out with risk management in those specific areas, but there must be continuous and clear contact with the full board of directors as well.  This sharing of risk information allows for everyone on the board to have an understanding of key risks and helps mitigate any confusion caused by a silo effect among board committees by keeping an open line of communication about top risk exposures arising from multiple aspects of the organization’s strategies and core operations. 

Nature and Frequency of Board Review

Review of the proxy disclosures also provided some insights as to the nature and frequency of the board’s review key risks.  The disclosures appeared to be fairly transparent about the board’s frequency; however, the Deloitte report noted an observation that, for the most part, it appeared boards may want to consider increasing the frequency of those discussions.  The Deloitte report also commented that these organizations may benefit from better alignment of their strategic plans with their risk oversight so there is less drop-off when determining an organization’s risk management plan and their overall risk appetite.  Even though the board is not there to manage risk, they do have to be able to understand the reasonable amount of risk desired so they can oversee the risk management more efficiently.

Suggestions for Board Risk Oversight Moving Forward

Below are some suggestions noted in the Deloitte report for board consideration:

  • Appoint a Chief Risk Officer if possible
  • Address strategic risk and board oversight hand in hand
  • Involve the board in the risk appetite process
  • Make risk oversight a part of the organization’s corporate culture
  • Set a strong tone at the top for risk oversight
  • Keep the level of risk oversight transparency balanced
  • Keep open lines of communication between risk committees and the board

Click here to download the Deloitte report.