The following article was recently published in Bloomberg BNA’s Corporate Governance Report. In addition, it was uploaded to all Bloomberg terminals, which are used globally by approximately 350,000 investors, financial traders, and corporate governance experts.
Risk Oversight: Risk Committees Can Play a Role, But They Are Not the Whole Story
In the wake of the financial meltdown of 2008, and before the Dodd-Frank Wall Street Reform and Consumer Protection Act was introduced, there were rumblings in the marketplace calling for all companies to have board-level risk committees. Such calls stemmed from the assumption that if corporate America had specific committees of independent directors to oversee all of the company’s risks, the problems that led to the banking crisis and the subsequent meltdown of Lehman Brothers and Bear Stearns could have been avoided. The concept went so far as to be included in early drafts of Dodd-Frank, but the act was eventually narrowed to require risk committees only on the boards of financial institutions.
Interestingly, most, if not all, of the financial institutions that failed during the most recent recession already had risk committees on their boards before the crisis, so the requirement within Dodd-Frank was not earth shattering. However, when the National Association of Corporate Directors (NACD) examined the board structure and committee responsibilities outside of financial companies, a much different approach came to light. Risk at most non-financial companies was overseen by the audit committee of the board prior to the failure, and still is.
NACD believes that the full board should approve and oversee the risk management policies developed and recommended by management. Risk oversight by a board risk committee—especially one that works in isolation from management and other board committees—could weaken both risk management and risk oversight.
The 2009 Report of the NACD Blue Ribbon Commission on Risk Governance states:
The full board should have primary responsibility for risk oversight, with the board’s standing committees supporting the board by addressing the risks inherent in their respective areas of oversight. It is rare that any one committee—such as the audit committee or a risk committee—would have the time, resources, and expertise to oversee the full range of risks facing a company. Moreover, the critical link between strategy and risk points to the need for the full board—rather than any one committee—to have responsibility for risk.
A risk committee cannot, and should not, replace the board’s active engagement in risk oversight. Active, proper, and effective risk oversight requires the full board’s attention.
High-Profile Risk Issues
In a blast of legislation, the 2010 Dodd-Frank Act mandated that financial institutions have risk committees. Jumping ahead two years to this spring, the Federal Reserve Board recently proposed rules to put this mandate into place, requiring certain financial institutions (any publicly traded non-bank financial company supervised by the Board of Governors and any publicly traded bank-holding company with consolidated assets of $10 billion or more) to establish board level risk committees. These committees would be explicitly responsible for oversight of the enterprise risk management practices of the company.
However, recent events have proven that risk requires more thought than simply forming a committee dedicated to its oversight. While corporate crisis is not a new story, several high-profile stories have led some to question the current structures in place to oversee risk. In many of these cases, companies have not been able to recognize the ultimate level of risk presented in strategies. Especially in large corporations with multiple business units, it can be difficult to identify the total level of risk presented, given inter- and intra-business correlations.
The inability to recognize the interconnectivity of risk can skew the balance of risk and reward companies believe they have in place. Absent the recognition of interrelation within the organization—which can amplify the risk presented—the board may believe it has established an appropriate balance of risk and reward based on what the company can bear. Factoring in interconnectivities, the board may find itself in hot water if strategies take a turn for the worse.
In addition to the required risk committees already possessed by most large financial institutions, the Federal Reserve Board included an additional provision: that each committee include at least one risk management “expert.” However, the given definition of “risk-management expertise” was vague at best, ultimately lacking a comprehensive explanation of acceptable experiences and background.