By Christopher D. Ittner & Thomas Keusch
The board of directors’ role in risk oversight has come under increased scrutiny in the aftermath of the 2008 financial crisis. Corporate governance guidelines worldwide call for boards to play a more active role in risk oversight.
Credit rating agencies, such as Moody’s, and shareholder advisory groups, such as Institutional Shareholder Services, now assess the effectiveness of boards’ risk oversight practices when rating firms and issuing voting recommendations. At the same time, board members are facing greater legal liability when risks are not adequately managed. For example, shareholders sued the board of Citigroup for failing to monitor the bank’s risk profile and the board of Goldman Sachs for approving compensation policies that rewarded employees for taking risks but failed to penalise them for losing money.
Following the unravelling of the General Motors ignition switch debacle in 2014, several lawsuits were filed by GM shareholders in an attempt to hold current and former board members accountable for failing to exercise their fiduciary duty to oversee management.
Defining responsibilities for risk oversight
The increased shareholder and regulatory pressure has spurred efforts in many boardrooms to improve risk oversight and risk management. One of the first challenges is deciding how to allocate risk oversight responsibilities within the board itself.
Stock exchanges, regulators and other stakeholders have expressed different preferences regarding the location of risk oversight. While New York Stock Exchange listing requirements charge the audit committee with risk oversight responsibility, the US Dodd-Frank Act requires the boards of certain financial institutions to assign responsibility to a standalone risk committee and the Australian Stock Exchange guidelines call for firms to hold the entire board responsible for risk oversight.
While failure to explicitly assign any board risk oversight responsibilities is universally regarded as poor governance because it prevents establishing accountability for risk-related monitoring, different risk oversight locations come with varying advantages and disadvantages. Holding the entire board accountable facilitates an integrated approach to risk oversight but can lead to free-rider problems. Defining oversight responsibility in individual committee charters, typically the audit committee, may entrust risk oversight in the hands of directors who are skilled in overseeing reporting and financial risks, but are potentially less able to monitor operational risks. Having standalone risk committees, often in conjunction with mandatory audit and compensation committees, can provide a central, designated avenue for risk communication and monitoring, but can also lead to certain risks, such as reporting risk and compensation risk, being discussed independently in multiple committees.
Hybrid structures can help exploit specific expertise of committees while holding the entire board accountable for risk oversight. For example, Microsoft charges the audit committee with oversight over reporting, investment and tax risks. The compensation committee monitors the effect of compensation policies on risk-taking by management. The regulatory and public policy committee oversees risks such as cybersecurity, public policy and competition law. Finally, the entire board of Microsoft exercises oversight of strategic risks and other risk areas not delegated to committees.
“Only 26 per cent of boards receive risk reports at least quarterly; 23 per cent receive them on an ad hoc basis”
Given these advantages and disadvantages we examined survey data from Aon’s Risk Maturity Index (RMI) to shed light on how organisations actually allocate risk oversight responsibilities. The RMI survey was developed by Aon in collaboration with the University of Pennsylvania’s Wharton School as a tool for organisations to assess their enterprise risk management practices. Our analyses focus on responses from 686 publicly-traded (46 per cent), privately-held (36 per cent) and non-profit (18 per cent) organisations headquartered in 35 different countries received between 2011 and 2013.
Roughly 21 per cent of participating organisations have not defined (or allocated) risk oversight roles and responsibilities to their boards. Of the remainder, 37 per cent have incorporated oversight responsibilities at the committee level but not at the board level, 23 per cent for the board as a whole but not for individual committees and 19 per cent in both specific committee charters and for the board as a whole. Around eight per cent of all listed companies and 23 per cent of listed financial institutions have established a standalone risk committee on the board.
What risk oversight activities do boards actually perform?
Even when risk oversight responsibilities are assigned, a natural question is ‘what risk oversight activities do boards actually engage in?’.
A number of different organisations have issued governance codes and best-practice guidelines suggesting activities that boards should carry out for risk oversight to be effective. For example, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) urges boards to (a) understand the entity’s risk philosophy and concur with the entity’s risk appetite, (b) know the extent to which management has established effective enterprise risk management of the organisation, (c) review the entity’s portfolio of risk and consider it against the entity’s risk appetite (i.e. the amount and types of risks the organisation is willing to bear) and tolerance (i.e. the amount of acceptable variation in outcomes) and (d) be apprised of the most significant risks and whether management is responding appropriately. Similar guidelines have been published by the National Association of Corporate Directors (NACD) and the Financial Reporting Council (FRC).
Notwithstanding the governance codes and guidelines, we find only mixed evidence that boards have embraced these recommended risk oversight duties. Nearly all of the respondents (95 per cent) state that the key risks facing the organisation are discussed during board meetings and three out of four say that board members’ views of the key risks are consistent. However, although the notion of risk appetite is front and centre in most discussions on risk oversight, the board’s understanding of the organisation’s risk appetite is consistent in only 46 per cent of the respondents and is not even discussed in 23 per cent.
Nearly 40 per cent of organisations do not align risk management strategy and overall strategy. Of the remainder, 49 per cent achieve informal alignment but only 12 per cent formally integrate risk appetite and tolerance levels with risk management and overall strategies. The survey data further reveal that 19 per cent of boards fail to discuss and reach consensus with top management regarding risk management strategy. Another 56 per cent report informal agreement, with only 26 per cent reporting formal consensus between the board and executive. The limited formal consensus regarding risk management strategy is due in part to the infrequency of contacts between board members and key risk executives outside of board meetings, which only occurs in 54 per cent of the organisations.
Since the board cannot engage in day-to-day risk management, governance advocates argue that directors require frequent and in-depth risk-related information to effectively fulfil their risk oversight responsibilities. Yet only 26 per cent of the boards receive risk reports at least quarterly and 23 per cent receive risk reports on an infrequent or ad-hoc basis. Information on an organisation’s key risks is by far the most common element reported to the board (87 per cent), while information on risk metrics (39 per cent) and risk thresholds and limits (38 per cent) is provided least frequently.
Does risk oversight pay off?
A natural question is whether the observed variations in risk oversight responsibilities and practices lead to differences in day-to-day risk management processes and, ultimately, to differences in firm risk. When we examine the relations shown in Figure 1, we find that organisations that assign oversight responsibilities to both the board as a whole and to individual committees have stronger risk oversight practices. Stronger risk oversight practices, in turn, lead organisations to adopt more mature risk management practices, as measured by Aon’s Risk Maturity Index (RMI). For example, an organisation with more sophisticated risk oversight practices (in the upper third) has an RMI score that is 20 per cent higher than an organisation in the middle third of risk oversight sophistication and 83 per cent higher than an organisation in the bottom third.
These relationships hold across public, private and non-profit organisations. More importantly, greater risk oversight reduces firm risk through its positive impact on risk management maturity. For example, a listed company with mature risk management processes (upper third) has a 20 per cent lower future stock return volatility than a company in the bottom third of risk management maturity.
Where do we go from here?
The benchmark statistics on board risk oversight activities suggest that a significant number of organisations do not yet follow the recommendations in best-practice guidelines and corporate governance codes. This is reflected in the number of boards that do not discuss risk appetite or align risk management with overall strategy, receive infrequent reports on risk and risk management, do not communicate with risk leaders of the organisation and have not reached consensus with top management on risk management strategy. One explanation is that some organisations simply lag behind current best practices and will catch up over time. Another view is that certain risk oversight practices do not pass the cost-benefit assessment at some companies, despite the documented associations between risk oversight intensity, risk management maturity and firm risk.
There is indeed some evidence that different organisations have different preferences for risk oversight structures and activities. Failure to allocate oversight responsibilities is observed much less frequently among large organisations, publicly traded corporations and financial institutions. These entities also exhibit a higher intensity of board risk oversight activities. Large, publicly traded and financial organisations likely benefit relatively more from effective risk oversight and risk management processes.
“Risk oversight activities are more sophisticated when the board as a whole is charged with risk oversight than when responsibilities are defined in committee charters”
Organisations that strive to improve their risk oversight activities should confirm that they have clearly defined responsibilities for risk oversight and carefully consider how responsibilities should be allocated. The level of directors’ understanding, the depth and frequency of risk reporting, the consensus between board and management and the alignment of risk management and overall strategy are weakest among organisations that have not formally assigned board oversight responsibilities. Moreover, risk oversight activities are more sophisticated when the board as a whole is charged with risk oversight than when responsibilities are defined in committee charters alone and are the most sophisticated when both the board as a whole and individual committees are formally assigned oversight responsibilities.
Finally, greater interaction between board members and key risk executives is needed, both inside and outside board meetings. Only through enhanced communication and reporting will the extensive dialogue and information exchange needed to effectively integrate risk considerations into the organisation’s strategy and ongoing activities be achieved.
About The Authors:
Christopher D Ittner is the EY Professor of Accounting at The Wharton School, University of Pennsylvania. Professor Ittner’s research focuses on the design, implementation, and performance consequences of performance measurement and cost management systems. His articles have been published in the Harvard Business Review and leading academic accounting, marketing, and operations management journals. He is a senior editor at Production and Operations Management and has served as an associate editor for Accounting, Organizations and Society, Management Science, and several other academic journals. His work on the association between customer satisfaction measures and financial performance received the American Accounting Association’s Notable Contribution to Management Accounting Literature Award.
Thomas Keusch is Assistant Professor at Erasmus School of Economics, Rotterdam. His current research interests cover corporate governance, insider trading, and shareholder activism. Thomas Keusch obtained MSc. degrees in Corporate Finance and in Accounting from EDHEC Business School and Maastricht University, respectively, in 2009. His work has been published in the European Accounting Review and presented at the Management Accounting Section meeting in New Orleans, the Allied Social Science Associations meeting in Philadelphia, and the European Accounting Association meeting in Tallinn. Thomas is also a fellow with the Harvard Law School Program on Corporate Governance.
FOOTNOTES:
1. In Citigroup Inc. Shareholder Derivative Litigation, 964 A 2d 106 (Del. Ch. 2009)
2. In Goldman Sachs Group, Inc. Shareholder Litigation, C.A. No. 5215-VCG (Del. Ch. 2011)
3. Civil docket numbers 2:14-cv-11191-RHC-MK and 2:14-cv-11277-RHC-MKM
4. Microsoft 2014 Proxy Statement
5. For details on Aon’s Risk Maturity Index, see www.aon.com/rmi/ or ‘AON Risk Maturity Index Insight Report, October 2014’.
6. Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2009, Effective Enterprise Risk Oversight: The Role of the Board of Directors
7. National Association of Corporate Directors (NACD) 2009, Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward
8. Financial Reporting Council (FRC) 2014, Guidance on Risk Management, Internal Control and Related Financial and Business Reporting
*The authors have received no compensation or funding from Aon. The companies that are used as examples in this text did not necessarily participate in the Aon survey.