In January of 2014, The Conference Board Governance Center published a report that emphasizes potential reasons corporate risk management processes may have failed during the financial crisis. The report consolidated multiple reports to identify lessons learned about barriers in risk oversight and to provide recommendations to improve risk oversight capabilities going forward.
Observations About Potential Causes of Failure
The report highlighted a number of other reports that provide insights about risk oversight during the crisis. For example, it highlights the Senior Supervisors Group (SSG), a prominent group made up of financial regulators from multiple countries, which completed an exhaustive assessment of risk management practices and published two reports on how weaknesses in risk management processes strained the financial industry during the financial crisis. This report caught the attention of the US Federal Reserve and the Financial Stability Board, which sought to increase board involvement in the risk oversight process. Here are some of the report’s highlights:
- Board of directors and executives neither determined nor conformed to an acceptable level of risk of the firm.
- Compensation policies undermined internal control objectives of the firm.
- Information was distributed through a technological infrastructure that was siloed, which hindered effective risk identification and monitoring.
- Risk takers were rewarded at the expense of risk managers and control personnel.
In response to concerns about the adequacy of the board’s role in risk oversight, the report noted how two years into the crisis, the Securities and Exchange Commission (SEC) adopted new rules stating that “...disclosure about the board’s involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.” The intent of the rules is to provide more transparency about the board’s role in risk oversight and to help raise awareness about the importance of risk management among key stakeholders. That was followed by the Dodd-Frank Wall Street Reform and Consumer Protection Act was passed, which now requires large financial institutions to have a board-level risk committee that should oversee the company’s enterprise-wide risk management process. Together, these new regulations that followed the initial phase of the crisis, indicate how key regulators and Congress took action to strengthen board risk oversight to address perceived failures.
Risk Oversight Challenges
The report highlighted six challenges that board of directors need to be aware of in order to become a more risk intelligent board. They are:
- Asymmetric Information: Due to time constraints, managers can only inform the board of material risks exposures. Because of this, there is a gap between what management knows and what is being disclosed to the board.
- Risk Appetite and Tolerance Articulation: Because companies aren’t developing a common language to articulate risk, it is difficult for board members to determine what is within their company’s risk appetite/tolerance limits and what is not.
- Lackluster ERM Frameworks: The majority of risk management processes in use today do not have a formal risk identification process that links risks with strategic objectives.
- Traditional Internal Audit Approach: Internal auditor methods are not efficient in identifying clear indications of risk levels outside the company’s risk appetite because the internal audit approach looks at the effectiveness of controls in a specific point at a specific time and does not always examine entity-wide risk management processes.
- Litigation: Identifying risks can put companies on notice, which may increase exposure to litigation. But not managing risks can lead to other legal proceedings.
- Not Asking Questions: Many boards do not ask tough questions. Boards are not challenging executives to identify and manage risks to their strategic objectives.
Recommendations to Improve Risk Oversight
The report offered the following eight recommendations to improve risk management oversight:
- Demand quality risk information from executives, and internal and external auditors.
- Assign responsibility to board members, board committees and executives, and then hold them accountable.
- Implement a risk management process that identifies and links residual risks to strategic objectives as an entity, not in isolated departments.
- Task the internal audit function to evaluate and report on the effectiveness of the entity’s risk management process.
- Change the entity’s perception of the ERM process. Risk management should not be a check-the-box exercise but rather it should provide a meaningful, value creating, information gathering process for both the board and management.
- Encourage risk identification and communication with a reward system.
- Ensure that the executives and upper level management have been trained in enterprise risk management.
- Understand the additional exposures that documenting strategic risks can cause and implement strategies to reduce the risks identified.
Regulators, investors and credit rating agencies are driving expectations for boards to improve their risk oversight capabilities. Traditional risk management approaches are no longer adequate and boards are beginning to share some of the responsibility in the risk management process.