Reader Profile

Editor's note: Each month, we ask a Directors & Boards reader to comment on critical issues facing directors today. If you'd like to participate in this section in the future, please email Scott Chase.

Recent economic events have caused the topic of risk management to be top-of-mind for boards. What is a director’s fiduciary responsibility around risk management and oversight?

Maureen: First and foremost, the board has overall fiduciary responsibility for creating long-term shareholder value for the company. As it relates specifically to risk management, this means the board should help establish the company’s risk “vision” that addresses both value creation – or risk taking for reward – as well as value preservation. We believe that organizations that are the most effective in managing risks, both to existing assets and to future growth, will be the highest performers in the long run.

Henry: Participating in audit committee meetings, we’ve observed that external directors get a lot of raw and inconsistent data internally, and in many cases, there is no context for what that data really means. In a lot of organizations, the external directors simply do not have the right tools to effectively perform their oversight function. We recommend the development of a master list of the risk elements that are considered important in value creation and value preservation. This would be similar to — but perhaps more comprehensive than — the disclosures in a 10-K that list the company’s critical risk factors.

Who on the board has responsibility for overseeing risk management? Should this responsibility be delegated to a subcommittee?

Maureen: New York Stock Exchange listing standards require the audit committee to oversee financial risk. What has happened, though, is that many companies delegate overall risk responsibilities to the audit committee.
This can be overwhelming for many audit committees that already have their hands full with Sarbanes-Oxley requirements around financial reporting. When risk management is optimized, every board committee will have risk on its agenda. For example, the compensation committee oversees compensation risks, and the nominating committee oversees succession risk. It’s important for the board to play a key role in understanding the details, opportunities, and procedures for the risks that are being overseen. Delegating risk management to a committee, however, does not absolve the board of its responsibility. You are a board member first, and then you’re a committee member. The full board should be engaged in overseeing corporate strategy and execution, so it is focused on strategic risk and all of the associated elements.

Henry: The full board should think about execution of the business plan and about the risks that threaten it. This is strategic risk, which is where the considerations about risk and reward truly lie. The board should ask, “How do we define risk oversight?” As Maureen said, it’s not just a committee that should be doing risk oversight – the full board should take responsibility.

Deloitte coined the term “Risk Intelligent Enterprise™”. What does it mean to be Risk Intelligent, and how does this relate to the board’s responsibilities?

Maureen: A Risk Intelligent Enterprise views risk as both vulnerability to the downside, but also preparedness for the upside. This includes developing a board culture in which risk is incorporated as part of every board discussion. The board can help set the tone and the culture of the organization, with the goal of building a culture in which risks are being considered at every turn.

Henry: In order to become Risk Intelligent, boards should move away from “checking the boxes” of compliance. Instead, the board should concentrate on developing the ability and gathering the information to make risk-informed decisions.
If the board does not understand what the strategic risks are, the board is not functioning optimally. The Risk Intelligent board needs a standardized approach that allows them to agree on what the risk factors are to build and preserve value for the company. At the board level, this should be a short list that is focused and doesn’t change very radically in the near term but does accommodate new risks that emerge over time. The board should have meaningful follow-up on risk-related topics to assure accountability. Ask questions like: What comprises that master risk factor list? How are we going to ensure that we get comparable and consistent information? And how are we going to monitor progress? Holding audit committee meetings and approving minutes just won’t get the job done. It needs to be so much more than that.

How can the board get involved in risk management?

Maureen: Most larger organizations are managing risk, but not in a way that aggregates risk exposure of the individual business units and that overcomes the “silo effect.” Most organizations spread risk management activities across the organization, and this means that boards should encourage an enterprise-wide structure for risk management. The board should be asking management about the framework that allows these “silo” risk exposures to be effectively mitigated throughout the organization.

Henry: The environment is changing. What we might see in the future, especially in financial services, is legislation that puts more pressure on directors to have familiarity with the risk agenda. There needs to be a two-way interaction between directors and management, with the external directors having greater input into the structure and direction of risk management activities than in the past.

What other specific steps can boards take to achieve Risk Intelligence?

Maureen: The board should understand that its view of risk must be broader than just the protection of the existing assets.
And remember that in the Risk Intelligent Enterprise, everyone in the organization is talking about risk – on an everyday basis. Executive management is the executor and the board is the overseer, so that relationship should be an effective one.

Henry: You have to have that master list of risk factors, and the whole board – not just a committee – has to weigh in on that list. It should be a short list that’s focused on the material strategic, operational, and compliance risks. Once that list is finalized, senior management and the external directors could utilize dashboard-type reporting that allows them to monitor all parts of the organization. By this, I’m talking about qualitative and quantitative information that fits into a dashboard summary. If the master list is ten items, maybe the dashboard has 25 measurement points. And those points are the focus of the risk items that the board hears about all the time.

To learn more and to download resources for the Risk Intelligent Enterprise, visit www.deloitte.com/us/governanceandrisk. To learn more about corporate governance trends and regulations, visit Deloitte’s Center for Corporate Governance at www.corpgov.deloitte.com.

Henry Ristuccia is a partner with Deloitte & Touche LLP, where he is leader of Deloitte’s U.S. Governance and Risk Management services. Henry can be reached at hristuccia@deloitte.com or at 212-436-4244.

Maureen Errity is a director with Deloitte LLP, where she leads the operations for Deloitte’s Center for Corporate Governance. Maureen can be reached at merrity@deloitte.com or at 212-492-3997.

Copyright © 2009 Directors & Boards, P.O. Box 41966 Philadelphia, PA 19101-1966. All rights reserved.