Law & Governance
Abstract
Although the management of a company is ultimately responsible for a company's risk management, the Board of Directors must understand the risks facing the company and oversee the risk management process. As former Delaware Supreme Court Chief Justice Veasey indicates, the director's role is to assist in managing risk, not attempting to eliminate it entirely.
Potential profit often corresponds to the potential risk.... Stockholders' investment interests will be advanced if corporate directors and managers honestly assess risk and reward, cost and benefit
- Hon. E. Norman Veasey
Risk management is the process by which management, subject to Board oversight, assesses the nature and scope of risks applicable to a company; designs and applies appropriate controls to minimize the risks; and monitors the controls to ensure that they are working effectively. The Committee of Sponsoring Organizations of the Treadway Commission suggests that companies evaluate their risks using the components of risk management described in its model, the Enterprise Risk Management Integrated Framework (ERM). This model emphasizes that, because risks will not always fall clearly into one category, a company should develop a comprehensive risk management plan in which the approaches to the various components of risk interact with and influence one another. The eight components of ERM are:
- Internal Environment: The tone of an organization is set by its leaders. Does the company have a large appetite for risk, or are its leaders more risk-averse? Does the company's culture support the risk management and internal controls process?
- Objective Setting: A company may set goals on many levels: strategic, operating, financial. By clearly identifying its goals, management and the Board can more clearly perceive the risks that the company may encounter.
- Event Identification: The Board should ask management how the company identifies new risks and opportunities. What risks and trends exist in the company's industry? What risks are associated with new products, services or acquisitions? With new competitors? How are the company's risks interrelated? The Board should also consider legal, ethical and compliance risks that the company may encounter.
- Risk Assessment: After identifying potential risks, management and the Board should analyze and prioritize the risks in light of their likelihood and potential impact. Each business unit should be involved in the process. What adverse events has the company encountered in the past and what lessons were learned?
- Risk Response: Companies may chose to respond to risks by avoiding them, or by accepting them and working to reduce their impact or dilute their severity by sharing risk with other parties. What are the costs of these alternatives? Has management allocated sufficient resources to respond appropriately? Is the company adequately insured for its insurable risks?
- Control Activities: The Board should work with management to develop and implement well-structured policies and procedures in response to the company's primary risks to ensure that responsive actions are carried out at all levels of the company.
- Information and Communication: Relevant information should be well-documented and communicated on a timely basis - vertically, up and down the chain of management, and horizontally, across divisions of a company - to ensure that all members of the organization carry out their responsibilities with respect to the company's risk management policies.
- Monitoring: The Board should help management establish testing and evaluation procedures to monitor the company's risk management system. Modifications to the risk management system should be made as needed in response to these evaluations.
Board committees should incorporate risk management into their regular responsibilities. A company's governance committee can ensure that the company is prepared to deal with risks and crises by evaluating the individual capabilities of the directors, nominating directors with crisis management experience and considering the time each director and nominee has to devote to the company. The governance committee should also work with management to establish an orientation program for new directors and succession plans for key executive officers.
While some companies prefer to involve the Board as a whole in the risk management process, corporate governance guidelines and charters of audit committees may delegate this responsibility to the Audit Committee. Alternatively, a company may appoint a risk management officer, form a risk management committee or assign responsibility to a finance or compliance committee of the Board. The responsible committee or group should meet regularly with the company's internal auditor, the chief financial officer, the general counsel and the head of compliance and individual business units to discuss specific risks and assess the effectiveness of the company's risk management systems.
In a recent survey by PricewaterhouseCoopers, only 20% of U.S. CEOs responding believed they had enough information to manage the risks facing their companies. In many companies, the Board may have to take the lead to ensure adequate risk management procedures are in place.
Acknowledgment
Reprinted with permissionThis article first appeared in the June 2005 issue of the Corporate Board Member.
Comments
Be the first to comment on this!
Personal Subscriber? Sign In
Note: Please enter a display name. Your email address will not be publically displayed