Deloitte conducted its second analysis of risk proxy disclosures of S&P 200 companies to investigate how companies are performing their board risk oversight and governance efforts.  Its first analysis completed in 2010 focused on S&P 500 companies. In both studies, the information was gathered from the proxy disclosures about the board’s role in risk oversight required by the Securities and Exchange Commission (SEC). The analysis was done from an investor or outside stakeholder perspective, and it focused on 12 key areas.

The Findings

154 companies that appeared in the 2010 and 2011 studies showed that companies had improved their risk practices in 11 of the 12 areas that were considered in the studies. Some of the key findings in the 2011 research are as follows:

  • About 90 percent of companies acknowledge that the full board is responsible for risk
  • The audit committee is the primary risk committee in 64 percent of companies
  • 47 percent of companies reported that their risk management practices are aligned with strategy
  • Of the disclosures, only 35 percent of companies mentioned the CEO’s involvement in risk management, and only 11 percent of companies mentioned the board’s consideration of risk appetite
  • Deloitte also analyzed the group to detect any differences between financial services industry (FSI) companies and non-FSI companies. The following differences may indicate that FSI companies have certain practices that point to a more mature risk oversight:
  • FSI companies have a greater percentage of companies with a chief risk officer and a board risk committee different from the audit committee
  • A greater percentage of FSI companies disclose that their boards evaluate their organization’s risk appetite
  • A greater percentage of FSI companies disclose that the board evaluates the organization’s culture

The last two points are very important when setting the right tone at the top for the company’s risk management.

Deloitte compared the 2011 findings to the 2010 results. The results showed improvement in 11 of the 12 considerations. The report stated that the percentage decrease in companies disclosing that the audit committee is primarily responsible for risk oversight could be due to boards assigning risk oversight responsibilities to other board committees. The most improvements were noted in the following considerations:

  • A greater percentage of 2011 companies disclosed that other board committees apart from the audit committee are involved in risk oversight
  • More companies disclosed that the compensation committee oversees compensation-related risks
  • A greater percentage of companies indicated that their risk oversight/management was aligned to the corporate strategy
  • More companies disclosed their CEO’s involvement or responsibility for risk management


In light of the findings, Deloitte recommended that companies do the following to improve their risk oversight practices:

  • Leaders should do more than just meet the risk oversight/management requirements if they want to tap into the strategic benefits of risk management
  • Board members and senior executives should continually receive education about risk oversight/management
  • Board members should ensure that the company has appropriate committees, expertise, systems, and metrics for a robust corporate governance

The board and senior management should:

  • Re-evaluate risk oversight and management practices to evolve along with emerging risks and regulations
  • Periodically give proper funding and attention to risk oversight and management systems
  • Benchmark best risk management practices from other market participants
  • Consider using guides, such as Deloitte’s 12 considerations used this report, to ensure proper disclosure of the company’s risk oversight and management practices
  • Be transparent about the organization’s good and weak risk oversight and management practices
  • Consider assigning a leader to manage the monitoring of risk-related regulatory developments

Click below to download the paper

Link: Deloitte LLP

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2011-08-30