Wednesday, 9 September 2009

Could boards do a better job in risk oversight?

The demise of many large global companies as a result of the global financial crisis and their rescue by the state has brought the question on the role of the board of directors in risk oversight to the forefront.

Given that risk is inherent in business, and the global business environment getting more complex, the aftermath of the crisis has certainly resulted in more scrutiny on the effectiveness of risk management, especially in financial services institutions and public-listed corporations.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently released a thought paper on risk oversight.

The paper observes that boards have a difficult task in overseeing the management of increasingly complex and interconnected risks that have the potential to devastate organisations overnight. It also maps recent development in risk oversight such as the practice of some rating agencies which are now assessing enterprise risk management processes as part of their corporate credit ratings analysis. Some regulators are considering the requirement for compensation committees of public financial institutions to review and disclose strategies for aligning compensation with sound risk management.

COSO acknowledges that the challenge facing the board is to balance between managing risks and adding value to the organisation at the same time. Enterprise-wide risk management which provides a top-down view of key risks facing an organisation has been adopted on a wider scale.

Four areas which require the focus of the board in ensuring the effectiveness of enterprise-wide risk management of the organisations under their care are understanding the organisation’s risk philosophy and concurring it with the entity’s appetite; knowing the extent to which effective risk management has been established by management; reviewing risk portfolio and balancing that with the entity’s appetite for risk; and be appraised of significant risks and the management’s response towards them.

Based on the discussion in this thought paper, directors could not take comfort from the appearance of the existence of a risk management framework put in place by management. The whole risk management framework needs to be challenged and validated on a continuing basis to ensure they are not an artificial facade which will crumble when surprises hit the organisation.

Since the dynamics which shape the business environment changes continuously, the risk model and risk mitigation concept require periodical review by the board and management to ensure they reflect the risk profile on the ground.

Sustainability of a business would only be enhanced with effective management of risks. As the board is charged with the responsibility for identifying risks, implementing the risk management system and reviewing the adequacy and integrity of internal control system, effective risk management should be on the agenda of the board although some of the responsibilities are normally entrusted to the audit committee.

The other important issue as indicated by the new COSO paper is how enterprise-wide risk management is linked to the compensation system.

The lapse in ensuring compensation packages has now triggered a strong response by some of the G20 countries. Boards should be assessing the position in their respective organisations and perhaps initiate reforms which would address this issue.

As organisations consist of people working and performing within the official organisational structure, the effectiveness of risk management boils down to how people behave in pursuing the organisational objectives. Beyond the brick and mortar and the legal framework that bind everybody together, the other component that is overlooked sometimes is the heart and mind of employees.

If risk management remains attached to the externalities and not internalised by their hearts, how could risk management be externalised in their day-to-day activities? Boards need to understand how this “soft but important issue” is addressed with respect to developing an organisational culture which is risk-sensitive.

For the independent non-executive directors in particular, the issue is always about how deep they should be involved with the details while remaining non-executive. While there is guidance provided in most jurisdictions, the ultimate test is for each of them to satisfy themselves that they have enough information and knowledge to discharge their fiduciary duty as expected by the stakeholders. Blind reliance on representation by management would not absolve them from being held responsible should the organisation suffer substantial losses due to its failure in managing risk.

There is so much that can be achieved through structure and process. Ultimately, as humans, acumen, integrity and well- informed judgements would be key in ensuring the effectiveness of risk management. Each board member would have to pursue this as doing nothing is definitely risky.



The article was also published in the Financialdaily which could be read here:

Post a Comment