Transparency is a hot topic today, but how “transparent” do you really need to be? And at what level in the firm does transparency begin? This post is the last of the series about levers boards should adopt in their risk management oversight. In this post, I’ll talk about assurance processes – processes that guide a firm’s risk monitoring and reporting, both internally and externally. That reporting equates to transparency.
While risk policies articulate board requirements for ERM, the board still needs information and feedback. How does the board know if risk management is working effectively? This question is perhaps one of the most critical facing board members today. The answer lies in the assurance processes established by the organization, such as board monitoring and reporting, independent assessments and objective feedback loops. Common issues related to risk assurance include:
- Ineffective board communication and reporting.
- Lack of independent assessments of the ERM program.
- Use of subjective indicators to gauge ERM effectiveness.
To fulfill its mandate to oversee ERM, the board must rely on management to provide critical information through communications and reports. Board members often criticize the quality and timeliness of the reports they receive. The standards that they want but are not getting to their satisfaction include:
- A concise executive summary of business versus risk performance, as well as external performance drivers.
- Streamlined reports, including a focus on key board discussion and decision points.
- An integrated view of the organization versus functional or silo views.
- Forward-looking analyses versus historical data and trends.
- Key performance and risk indicators shown against specific targets or limits.
- Actual performance of previous business and risk decisions, as well as alternatives to, and rationale for, management recommendations for board decisions.
- More time allotted for discussions and board input versus management presentations.
A clear view to insiders
Recently, James Lam & Associates worked with the board members and the executive team of a large financial institution to improve its board communication and reporting. In addition to adopting the above standards, the financial institution developed an ERM dashboard that provides key risk exposures and trends, as well as drilldown capability to underlying data. Additionally, each board member was provided with an iPad with preloaded dashboard software to support efficient board communication and reporting.
Information provided to boards should include objective feedback loops that gauge the effectiveness of ERM. The common practice is to evaluate risk management performance based on the achievement of key milestones or the lack of policy violations, losses or surprises. However, implementation milestones or “negative proves” are not sufficient. The board needs to work with management to establish performance metrics and feedback loops for ERM. In a previous RMA Journal article (“ERM Back to the Future,” June 2010), the use of earnings-at-risk was discussed as a feedback loop on ERM. Regardless of the metric, the board should decide on the appropriate feedback loop for risk management.
On an annual basis, boards should conduct two ERM assessments. First, they should oversee an independent review of the ERM program. The final product of this review would be an assessment of the organization’s ERM program relative to board expectations, ERM development milestones, and industry best practices. Second, boards should conduct a self-assessment of their role in ERM.
Now the view from outside
Risk assurance is important not only to boards, but also to investors, rating agencies, and regulators. And a key objective for any ERM program should be to enhance risk transparency not only to executives and board members, but also to key external stakeholders. Disclosures in proxy and financial statements should provide information about the organization’s governance, policy, and assurance practices. Moreover, quantitative information such as risk-tolerance levels, earnings sensitivity of key performance and risk drivers, and performance indicators on ERM should be disclosed. After all, no one likes surprises—whether they are negative operational events, ERM gaps or unexpected earnings volatility.
Board members are not involved in day-to-day business activities, but they have the ultimate responsibility to ensure that an effective ERM program is in place. What can they do to effectively oversee ERM and the key risks facing the organization? They have three key levers. First, a well-thought out governance structure should be put in place to organize risk management and oversight activities. Second, risk policies and risk-tolerance levels should be established to articulate the board’s expectations and risk appetite. Finally, boards should establish assurance processes and feedback loops to gauge the effectiveness of the ERM program. In short, boards must increase their risk GPA: governance, policy and assurance.
Now that you have read the entire series, do you have best practices to suggest to boards for improving enterprise risk management? How transparent does a financial services firm need to be and what are the benefits of greater or less transparency?
*Originally published by The RMA Journal in April 2010. Copyright 2010 by RMA. The Risk Management Association (“RMA”).Edited for length and republished here by permission.
Founded in 1914, The Risk Management Association is a not-for-profit, member-driven professional association whose sole purpose is to advance the use of sound risk principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk and operational risk. Headquartered in Philadelphia, Pennsylvania, RMA has 2,600 institutional members that include banks of all sizes as well as nonbank financial institutions. They are represented in the association by more than 18,000 risk management professionals who are chapter members in financial centers throughout North America, Europe and Asia/Pacific.