This is the second post in my series about the new role boards must take in steering enterprise risk management (ERM) in financial services firms. In the first post, I pointed to three key levers that boards must adopt in their ERM oversight: governance, policy and assurance. This post will cover the risk governance structure.
A fundamental step in providing ERM oversight is to establish an effective risk governance structure at the board level. Beyond the organizational chart, risk governance establishes the oversight roles and decision points for the board and board committees, as well as the relationships with management and management committees. Common issues related to board risk governance include:
- Fragmented or ambiguous risk oversight responsibilities across the board and various subcommittees.
- Insufficient risk experience and expertise among board members.
- Inconsistencies between the board and management governance structures or unclear separation of roles.
- Lack of integration between strategy and risk management.
- Weak independence for the chief risk officer or the risk management functions.
To strengthen risk governance at the board level, organizations should consider adopting the following ERM practices:
Establish a risk committee. While the full board generally retains overall responsibility for risk oversight, a growing number of organizations are establishing risk committees. Based on the COSO Report, 47 percent of board members at financial services organizations indicated that they had a risk committee, versus 24 percent at nonfinancial services firms. Given the Dodd-Frank Act and other regulatory reforms, it’s likely that these percentages will increase in the next few years.
Regardless of the committee structure, the risk oversight roles of the full board and subcommittees (audit, governance and compensation) should be clearly defined. Boards should also ensure that they can effectively challenge management on risk issues by appointing board members or board advisors with deep risk management expertise. General risk education should also be provided to all board members.
Align board and management structures. This alignment includes committee charters, roles and responsibilities, reporting relationships, approval and decision requirements, and information flows. As boards become more active in establishing risk policies and risk appetite, the role of the board versus the role of management should be clearly differentiated. The table above provides an example of the separation between management and the board in terms of ERM responsibilities. Alignment and clarification of roles would prevent unnecessary tensions and encroachments between management and the board.
Integrate strategy and risk. Monitoring the organization’s strategy and execution has long been the purview of boards. As boards become more active in ERM, the integration of strategy and risk is a logical and desirable outcome. Independent research studies¹ have found that when publicly traded firms suffer a significant decline in market value, 60 percent of the loss events were caused by strategic risks, 30 percent by operational risks, and 10 percent by financial risks. While integrated strategy and risk oversight is arguably a key role for the board, this process is still in its early stage of development. According to the COSO Report, fewer than 15 percent of board members indicated that they were fully satisfied with the board’s processes for understanding and challenging the assumptions and risks associated with the business strategy.
Strengthen risk management independence. This includes formalizing the reporting relationship between the chief risk officer and the board or board risk committee. Moreover, under exceptional circumstances (excessive risk taking, major internal fraud or significant business conflicts), the chief risk officer should be able to escalate risk issues directly to the board without concern about his or her job security or compensation.
What have I left out? Are there other risk governance best practices that boards and organizations should be adopting?
Next week I’m going to write about the second lever boards should consider – risk policy. Board-approved risk policies are a critical tool for communicating the board’s expectations and requirements for risk management and oversight.
*Originally published by The RMA Journal in April 2010. Copyright 2010 by RMA. The Risk Management Association (“RMA”). Edited for length and republished here by permission.
Founded in 1914, The Risk Management Association is a not-for-profit, member-driven professional association whose sole purpose is to advance the use of sound risk principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk and operational risk. Headquartered in Philadelphia, Pennsylvania, RMA has 2,600 institutional members that include banks of all sizes as well as nonbank financial institutions. They are represented in the association by more than 18,000 risk management professionals who are chapter members in financial centers throughout North America, Europe and Asia/Pacific.