In the September 14 issue of Compliance Week, Stephen Davis and Jon Lukomnik wrote an interesting article on “Unsettling Questions on BP, Boards, Risk Management.”
“Can directors really oversee risk? This is the question. Blame for recent corporate disasters—from risk-management failures at Bear Stearns and Lehman Bros. to long-term misjudgments at General Motors to the Deepwater Horizon spill and its aftermath—has tarred directors as well as executives. If only directors were doing their job, the thinking goes, disaster would have been avoided or at least mitigated.
“Against this mainstream chorus, a small but growing backlash is wondering if any part-time board can really provide risk oversight of global, complex companies. By all appearances BP boasted a gold-standard board before the Deepwater Horizon blowout. It was equipped with virtually every governance bell and whistle an investor could want, including independent staff for the outside chair.
“Whatever your opinion about the real-world ability of directors to oversee risk management at complex companies, responsibility for risk oversight is now squarely on the boardroom table. Abdicating it isn’t an option; trying even harder seems the only sensible route for directors to take. That means more of a role for internal audit and more formal risk assessments. It also means the creation of more risk committees or revisions to audit committee or other charters to make sure that risk oversight is fully integrated into board deliberations."
These are excellent questions, and I think merit examination.
As David and Lukomnik said, abdicating their responsibility for risk oversight is not an option for boards. But there are opportunities for them to lighten the load. This is what I suggest:
1. As we know, there is a difference between auditing the financial statements (to verify that they do not contain material misstatements) and auditing the controls over the financial statement process. When you have good controls, it increases the likelihood that the financial statements are accurate. But even if the controls are deficient, you can still test the financials to validate the numbers and verify they are accurate.
Similarly, there is a difference between the risk management process and the actual identification and assessment of risks by the company.
The board should perform two assessments:
a. Is the risk management process adequate?
b. Are the risks identified by management complete and have they adequately assessed them?
2. When it comes to assessing whether the risk management process is adequate, the board should look to the internal audit function. Internal audit’s primary function is not to perform audits, but to provide assurance over the organization’s governance, risk management, and related internal controls. (See Our Job Is Not to Perform Audits.) The board should require a formal, annual assessment of the risk management process from the chief audit executive.
If the risk management program is not sufficiently mature, the board should question management on how it will improve the program so it meets the needs of the organization. Internal audit may be tasked with helping, through consulting and advice.
One critical aspect of the risk management process is the ownership and responsibility for risk management in the organization. Even though internal audit should address this issue, I would encourage the board to ask:
· Is there a chief risk officer? Does he/she report at an appropriate level within the organization, so his/her voice is heard? Does he/she have the ability to communicate directly with the CEO, CFO, and board when necessary?
· Is risk management embedded throughout the organization and part of daily decision-making?
· Is the consideration of risk part of how management determines strategies, objectives, and plans? Is the chief risk officer involved in strategy meetings?
· Does the culture of the organization embrace the consideration of risk?
· How does the executive management team ensure risks are taken at a level appropriate to the needs of the company, and the appetite set by management and the board?
3. The board should determine how it will provide effective oversight. My opinion is that it should delegate financial risk oversight to the audit committee – but only financial risk oversight. The audit committee already has a massive workload, and I worry that giving it the responsibility for oversight of all risk management would cripple its ability to address the financial statements, SOX, management of the internal and external auditors, capital management and budgeting, treasury management, etc.
Some boards have a compliance committee, or have assigned compliance oversight to the governance committee (or similar). I would look to that committee for oversight of related risk management activities. Some boards have an IT committee or equivalent; others may have other specialized committees. I would tend to assign to each of those specialized committees oversight of related risk management, given their specialized focus and (presumably) insight.
The board should consider a risk committee (in some industries, this may be required by law or regulation) to (a) oversee risk management as a whole, across the enterprise, (b) coordinate the oversight responsibilities of other committees performing oversight of particular risk areas, and (c) lead a discussion of risk management at the board level.
The board can delegate oversight at a detailed level to committees, but must retain accountability for oversight as a whole. In particular, I would look to the full board to ask questions relating to strategic risks, executive succession, etc.
4. The board and its committees challenge management’s risk identification and assessment through a combination of penetrating questions and the sharing of their wisdom. They need directors with a breadth and depth of experience and knowledge in the business, the industry, the regulatory and economic environment, and more. I would encourage boards to include this requirement in their self-assessment process and in the selection of new directors.
5. Finally, on an annual basis, the board should consider whether its oversight of risk management has been effective. It should reflect on management’s assessment and whether it turned out to have defects that should have been surfaced by better questioning by the board. The board should also follow-up on any corrective actions identified by internal audit during their formal assessment.
Do you agree with the above?
Can you share other guidance for directors?
Do you have any stories of effective risk oversight to share?
 My thanks to Compliance Week’s editor, Matt Kelly, for permission to quote from the article. Compliance Week is an excellent source of information relating to governance, risk management, compliance, and internal audit – and recommend subscribing.