Risk expectations are changing. Do you know where your risk is?
New expectations are emerging from regulators, rating agencies, director institutes and institutional shareholders. What are they? Why should you care?
Despite the introduction of stringent and costly regulations, such as Sarbanes-Oxley (U.S.) and NI 52-109 (CAN), recent economic and business meltdowns prove that traditional approaches to risk are sometimes not enough. Major, even fatal, risks are not always getting the attention they deserve from senior management and the Board.
As a result, regulators are sharpening their focus on risk oversight.
Some of the new Risk Oversight Expectations worth paying attention to include:
- U.S. Securities & Exchange Commission (SEC) Proxy Disclosure Enhancement rules require companies to describe the risk oversight role of the Board, and describe how risks in compensation systems are identified and managed.1
- U.S. New York Stock Exchange (NYSE) rules require that audit committees discuss policies with respect to risk assessment and management.2
- NYSE rules require having an internal audit function to provide the audit committee with an ongoing assessment of the company’s risk management processes and system of internal control.3
- Canadian Corporate Governance Guidelines (NP 58-201) note that the Board should acknowledge responsibility for the identification of the principal risks of the issuer’s business, and ensure the implementation of appropriate systems to manage these risks.4
New expectations place responsibility at the doorstep of the Board and CEO.
Scrutiny is escalating. Fingers are being pointed. Questions—hard ones—are being asked of Boards, CFOs and CEOs. In turn, management is under increased pressure to enhance risk management processes and ensure reliable risk status reporting, while still ensuring compliance costs don’t spiral through the roof.
What exactly are these new expectations? The National Association of Corporate Directors Blue Ribbon Commission (BRC) report, Risk Oversight: Balancing Risk and Reward, states every Board should be certain that:
- The risk appetite implicit in the company’s business model, strategy, and execution is appropriate.
- The expected risks are commensurate with the expected rewards.
- Management has implemented a system to manage, monitor, and mitigate risk, and that this system is appropriate given the company’s business model and strategy.
- The risk management system informs the Board of the major risks facing the company.
- An appropriate culture of risk-awareness exists throughout the organization.
- There is recognition that management of risk is essential to the successful execution of the company’s strategy.
Companies want to believe in their own experience, intuition and diligence in managing risk—but there is room for improvement.
Risk is a part of business, and most businesses have some form of oversight system in place. However, in recent surveys of over 200 board members, many acknowledged that their risk oversight needed work:
- Fewer than 15 percent of respondents noted that the Board is fully satisfied with current processes in place to monitor and report key risks to the Board.
- Fewer than 14 percent reported that their routine discussions regarding acceptable risks are sufficient for the Board’s purpose.
- Nearly two-thirds noted that Board monitoring of the company’s risk management process is not done at all or is carried out in an ad hoc manner.
- 37 percent noted that the organization does not assess extreme high impact/low likelihood events.
- Almost one-third noted that the Board does not self-evaluate its risk oversight processes to determine if it is meeting oversight responsibilities.5
Despite best intentions, the risk oversight frameworks of many organizations are not robust enough to meet new expectations. Boards, CEOs, and companies are left open to the potential fallout of untreated risk—and opportunities are lost to enhance relationships with rating agencies and institutional investors, who are taking a much closer look at corporate risk oversight frameworks.
Time for a better response to risk? We can help. Contact us today.
5 http://www.coso.org/documents/Board-Risk-Oversight-Survey-COSO-Protiviti 000.pdf