A transformation is under way at boards with respect to their role in enterprise risk management (ERM). In the wake of the global financial crisis, boards are taking a much more active role in risk oversight. They are reexamining governance structure and roles, risk policies and limits, and assurance and reporting processes.
This change is very significant and positive. Of the key groups that provide independent risk monitoring (boards, auditors, regulators, rating agencies, and institutional investors), the board of directors is the only one with both the direct responsibility and the greatest leverage for ensuring that sound risk management is in place.
At most organizations, corporate management would bend over backward to satisfy board demands. By asking tough questions and setting board expectations in regard to ERM, the board can set the “tone from the top” and effect significant change in the risk culture and practices of an organization.
Recent surveys have reported that board members recognize the importance of ERM. Board members recognize that they can play a more effective role in risk oversight. Based on a survey of more than 200 board members, a December 2010 report commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO Report) indicated that 71 percent of respondents acknowledged that their boards “are not formally executing mature and robust risk oversight processes.”
It’s evident that board members are setting higher expectations and requirements for risk oversight. They are not alone. In December 2009, the Securities and Exchange Commission established new rules that require disclosures in proxy and information statements about the board governance structure and the board’s role in risk oversight, as well as the relationship between compensation policies and risk management.
In July 2010, the Dodd-Frank Act was signed into law. The act requires that a board risk committee be established by all public bank holding companies (and public nonbank financial institutions supervised by the Federal Reserve) with more than $10 billion in assets. The board risk committee is responsible for ERM oversight and practices, and its members must include “at least one risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.”
Three key ERM levers
In academia, the acronym GPA means “grade point average.” In the context of board risk oversight, the same acronym can be used to remember these key levers: governance, policy and assurance. In brief, all boards must adopt these levers in their ERM oversight.
Governance. Establish an effective governance structure to oversee risk. How should the board be organized to oversee ERM? What is the linkage between strategy and risk management? How can the independence of the risk management function be strengthened?
Policy. Approve and monitor an ERM policy that provides explicit risk-tolerance levels for key risks. Do risk management policies and risk-tolerance levels effectively capture the board’s overall risk appetite and ERM expectations? What is the linkage between risk policies and compensation policies?
Assurance. Establish assurance processes to ensure that an effective ERM program is in place. What are the performance metrics and feedback loops for ERM? How can the structure and content of board reports be improved? How should that assurance be disclosed to investors, rating agencies, and regulators?
These key levers enable boards to play a constructive and effective role in ERM. Board members are not involved in day-to-day operations, and they have limited time to review materials and have discussions with management. But by using these levers, they can effectively oversee ERM and the key risks facing the organization.
The role these three levers play in effective risk management requires further explanation and exploration. Rather than making this an extremely long article, I’ve decided to dedicate each of the next three posts to one of these topics: governance, policy and assurance. Follow along and let’s discuss these priorities within the context of board risk oversight.
*Originally published by The RMA Journal in April 2011. Copyright 2010 by RMA, The Risk Management Association (“RMA”). Edited for length and republished here by permission.
Founded in 1914, The Risk Management Association is a not-for-profit, member-driven professional association whose sole purpose is to advance the use of sound risk principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk and operational risk. Headquartered in Philadelphia, Pennsylvania, RMA has 2,600 institutional members that include banks of all sizes as well as nonbank financial institutions. They are represented in the association by more than 18,000 risk management professionals who are chapter members in financial centers throughout North America, Europe and Asia/Pacific.