Sunday, August 24, 2008

Board-Level Risk Committees



Atkinson, William


Implications and Opportunities for Risk Managers


Traditionally, senior risk executives have overall responsibility for risk management in their organizations at the operational level. The boards have responsibility for risk at the board level, but usually only oversee it in general terms and task their audit committees and/or finance committees with various and sundry risk responsibilities. For most boards, the traditional audit committees and finance committees are simply too overwhelmed with other responsibilities to add risk issues to their plates.


But with the increasing popularity of enterprise risk management (ERM) strategies, the realization that audit committees already have a full plate, and New York Stock Exchange listing requirements that boards oversee management's policies and practices for managing risk associated with major financial exposures, more and more boards are creating separate board-level risk management committees to remove the burden from audit and finance committees.


In some organizations, these new committees are called "risk management committees." In others, they are combined "audit and risk management committees" or "finance and risk management committees."


Richard Steinberg, CEO of Steinberg Governance Advisors, sees the wisdom of the strategy. "Many boards have learned that there is way too much on the plates of audit committees, including financial reporting and Sarbanes-Oxley requirements." Steinberg is a believer in the value of separate risk management committees. "A lot of boards are asking the question: 'How does management know whether it has its arms around all of the significant risks?'" He has found that answering this question generally leads to the implementation of an ERM process. Boards then find it more effective to have a risk committee oversee the ERM process. "As such, there is a trend toward stand-alone risk committees," he points out. "It is still in its infancy, but I think it will gain steam."


The boards of a number of Canadian, European and Australian companies were among the first to move in this direction, followed by U.S. financial institutions, and, most recently, some nonfinancial U.S. companies, especially in the energy and utility industries.


Will such committees continue to be created by other boards? It seems to depend on the industry, the size of the business and the specific risk exposure. "I think the concept will tend to flourish in companies that are highly-regulated and large," says Mary Barnes, senior managing director, forensic and litigation consulting practice, for FTI Consulting. "These include financial institutions, pharmaceuticals, health care and even manufacturing, which is becoming more regulated."


Creating Perspective For Board Oversight


In terms of conceptual focus, KPMG looks at risk in two ways. One is risk content. The other is risk process. Understanding these two concepts is important for boards considering a stand-alone risk committee.


Risk content: "Companies need to determine the specific enterprise-level risks that threaten the organization's existence, strategy and business model," says John M. Farrell, who is the national partner in charge of enterprise risk management, for KPMG. "These risks will be those that gain visibility to the board and the senior management team."


Risk content tends to have more widely distributed concerns and ownership. One example is infrastructure risk. The content for this risk would be distributed among many different people and locations, who would be responsible for protecting the organization against related negative events. Those responsible - risk owners with facility or operations roles - would also manage through an event, should one occur.


Risk process: This focuses on the ways and means in which the organization identifies risk content, evaluates the content, assigns responsibility for the content, reports the content and structures itself around the content.


"While risk content tends to be distributed, the process aspect tends to be more centrally thought about and conveyed in terms of how one articulates what risk is and reactions to risk, including any form of measurement and quantification," says Farrell. "It also includes communicating and reporting about risk."


By and large, according to Farrell, organizations are waking up to the fact that they need to focus on risk, especially on the process side. "Since you can't centralize risk content responsibility, boards tend to focus on the risk process," he says. More specifically, boards are waking up to the fact that risk content for their organizations is quite varied and requires a number of different skill sets.


As such, not only are some boards setting up risk committees to oversee risk process, they often set up their committee structures as a whole so that various committees have appropriate allocation for the risk content. For example, according to Farrell, regulatory risks, compliance risks, financial risks, operating risks and product risks will be allocated and delegated to various board committees, based on the people on the committees who know the most about these risks. "Long-term, the risk committee will take on process oversight, and all committees will take on content oversight," he says.


According to Farrell, the risk executive creates a special risk committee. "[The board] tends to elevate the role of the risk manager, whether that be a vice president of risk or a CRO," he says. "When it is done well, the risk manager becomes almost a broker and a driver of change, to both the management team and the board." He or she pulls the information together so both bodies - the board and the management team - can perform their functions and make the right decisions.


Who does the risk manager report to in this structure? It depends on the industry. In the financial sector, it has become clear that the risk manager or CRO needs to report directly to the CEO. In the non-financial sector, the risk manager may still be reporting to the CFO or legal. In this sector, the board-level risk committee concept is just developing.


Do risk managers report directly to the boards? "This depends on the personality of the board," says Farrell. "In some organizations, board members prefer to be very interactive with the various risk people in the organization."


ERM programs: Board-level risk committees also have implications for ERM initiatives, according to Farrell. In general, risk managers and CROs tend to own risk process. They are the ones driving ERM change in the organization. In organizations where boards have become more involved in risk, by creating risk committees (for risk process), and/or giving more responsibility to other committees for risk (for risk content), this drives two things. One is a stronger governance stream in the risk management work. "Second is probably some form of redesign to the monitoring function, such as internal audit and compliance," he says.


Risk Boards In Action


One entity with a strong and successful board-level risk committee is National Penn Bancshares. In this organization, the Executive ERM Committee (management-level) reports to the Directors ERM Committee (board-level), which reports to the board of directors as a whole.


Its charter document, revised in April 2007, notes that, "As a committee of the board, the directors Enterprise Risk Management Committee will assist the board in its responsibilities under this policy to ensure that risk management activities are within policy and risk tolerance levels. The committee is responsible to review and, where required, approve the reports and information presented by management for these purposes." In addition, "the board, based on management's recommendations, will establish the organization's tolerance levels for the various forms of risk as defined by the Office of the Comptroller of the Currency, and management."


Having the committee has helped in a number of ways, according to Garry D. Koch, group executive, vice president and director of risk management of National Penn Bancshares. One relates to detail. "We are actually able to discuss various approvals with the committee, as the designee of the full board," says Koch. "That is, we are able to talk to a committee empowered by the board in a lot more detail about certain risk issues." A typical board meeting is filled with a lot of agenda items. By having a separate committee, Koch and his colleagues find that they have more time to discuss important risk issues.


The risk committee at National Penn Bancshares is composed of chairs from the other board committees. "As such, they are experienced bank directors and have a good understanding of the various forms of risk," says Koch. "However, there is also a learning process, in that all of us are still learning what enterprise risk management entails and how to manage the process."


The bank has found significant value in the committee over the last two years. One issue that recently arose was whether the bank was looking at technology properly and allocating sufficient resources to it. As a result of some discussions that the risk team had with the Directors Enterprise Risk Management Committee, the committee went to the corporate governance committee and requested the creation of a technology risk committee, which is now a subcommittee of the risk committee. "This subcommittee is looking at our use of technology, whether we are employing it correctly, whether we have the right security in place, and so on," reports Koch. "I am very hopeful that, out of that, will come a better solution for some of the technology issues that we face."


Another entity with a successful board-level risk committee is Duke Energy, whose board created its risk committee about 10 years ago. At Duke, the risk management department reports to the treasurer, who reports to David L. Hauser, group executive and CFO. "The committee was set up to look at the risk exposures of the company and what mitigations are being put into place, look at financing requirements of the company and approve the financing plan, and look at and approve deals that the company might be doing," says Hauser.


The simplest piece of the risk, according to Hauser, is insurance, and historically, this would have been the primary focus of the committee. "However, the world has evolved a lot over the years, and now the committee reviews the assessment of company risk that we provide to it," he says. Examples include how much collateral the utility might have to put up if it were down-graded or whether sensitivity associated with the sale of its product (such as not being able to get the coal it needs for its power plants).


According to Hauser, every member of the board risk committee has a different background and set of skills. "Some of them are well-versed in derivatives and the financial market," he says. "Others are more versed in real estate markets. As such, when we make presentations, we make things as straightforward as we can." In addition, there is also a lot of question and answer, which Hauser believes is a good thing to encourage dialogue and additional information-sharing.


The committee has been a benefit to Duke over the years. "The board committee wants to make sure that someone is monitoring risk from a total company basis," says Hauser. "The board then gets to understand the positions that cost the company and how they are mitigated at the corporate level."


The simple fact of the committee's existence puts a discipline into the risk process that is very positive. "Overall," says Hauser, "the board's awareness of risk issues has been hugely worthwhile and has kept us from making some mistakes that we might otherwise have made."


William Atkinson


"Board-Level Risk Committees" pg. 42


Atkinson is a freelance writer based in Carterville, Illinois.


Copyright Risk Management Society Publishing, Inc. Jun 2008
Provided by ProQuest Information and Learning Company. All rights Reserved
