Newswise — Corporate directors could find themselves exposed to liability if they fail to keep pace with evolving best practices in enterprise risk management (ERM), according to a major new study released today by The Conference Board in conjunction with McKinsey & Company and KPMG's Audit Committee Institute.

Since ERM processes have improved in some companies, many corporate directors could be functioning with a false sense of security, the study points out. New legal requirements are steadily suggesting that directors should ensure that their companies have a "robust" ERM program.

The report, authored by Carolyn Kay Brancato, Matteo Tonello, and Ellen Hexter of The Conference Board, is entitled The Role of the U.S. Corporate Board of Directors in Enterprise Risk Management. These findings are based on a comprehensive research effort on the topic that incorporated personal interviews with 30 board members, analysis of Fortune 100 board committee charters, and a broad survey of 127 board members.

Dr. Brancato, Director of The Conference Board Governance Center and Directors' Institute, said today: "Our research shows many directors believe they have a good handle on the risks their companies face. But since many directors tend to approach risk more on a case-by-case basis, they may not have adequately robust and systematic enterprise risk management processes in place."

The study shows that banking and financial services tend to have more developed ERM processes and may therefore set the standard by which other industries will be measured.

CHIEF RISK OFFICERS GAINING CLOUT

In addition to the CEO, the corporate executive most frequently cited by directors as responsible for informing the board on risk issues is the CFO (71% of companies). However, at a growing number of companies, a Chief Risk Officer is cited as the person informing the board and appears to be an increasingly visible company executive (for instance, in 16.1% of financial companies, up from virtually none a few years ago).

FALSE SENSE OF SECURITY?

Dr. Gunnar Pritsch, a partner of McKinsey & Company, who collaborated with The Conference Board on the study, said: "Things have definitely improved since we did a similar survey in 2002." Data in 2002 showed that 36% of directors did not believe that they had a full understanding of the major risks facing their companies. By 2006, that percentage decreased to 10.5%. However, he also said that "Boards still have a way to go. Directors serving on multiple boards reported significant variations in the quality of the risk dialogue and fewer boards seem to have well established risk processes."

Dr. Brancato reports: "There may indeed be a false sense of security among those directors reporting that they have a full understanding of the company's risks. When we asked directors personally, many said they approach risk on a case-by-case basis in connection with a specific strategic issue such as a merger or acquisition or the entrance into a new market. This may not constitute a sufficiently robust process to satisfy directors' fiduciary responsibilities."

The new research found significant differences in how directors understand risk and how their companies manage risk. Moreover, directors may have more of a top down understanding of risk. The Conference Board study finds:

Although 89.5% of directors say they fully understand the risk implications of the current strategy,

• Only 77.4% of directors say they fully understand the risk/return tradeoffs underlying the current strategy.
• Only 73.4% of directors say their companies fully manage risk.
• Only 59.3% of directors fully understand how business segments interact in the company's overall risk portfolio.
• Only 54.0% have clearly defined risk tolerance levels.
• Only 47.6% of boards rank key risks.
• Only 42% have formal practices and policies in place to address reputational risk.

Directors are, however, sensitive to the need for additional information:

• While 71.8% of directors believe they have the right risk metrics and methodologies in making strategic decisions, 47.6% of directors would like to see more data analysis related to the company's risk profile.

BANKS AND INSURANCE COMPANIES OUT IN FRONT ON ERM

Directors interviewed note significant variations in ERM capabilities among companies on whose boards they sit. Some 72.6% of directors serving on multiple boards see significant variations across firms in terms of their ERM capabilities. Directors in financial companies tend to report more robust ERM practices. For example, 64% of financial company directors report their companies have clearly defined risk tolerance levels versus 47% of the nonfinancial company directors (compared with 54% for all directors).

Financial service company directors also report a higher level of routine consideration of all major risks compared to considering risks only when management brings them to the board. Two major findings:

• 55% of financial directors report the board considers all major risks including strategic risks versus only 25% of nonfinancial directors (compared with an average of 39% for all directors).
• 27% of financial directors report they consider risks primarily when management brings them to the board, versus 50% of nonfinancial directors (compared with an average of 39% for all directors).

The Conference Board study suggests that standards used in the banking and insurance industries may set the pace for all companies. This factor may be increasingly important to directors in determining their exposure to liability for failing to meet their fiduciary duties, as the courts may increasingly look to comparative "best practice" standards by which to measure directors' performance of fiduciary duties of care, loyalty and good faith.

BEYOND AUDIT COMMITTEES

The board committee charter analysis of the Fortune 100 companies indicated that about two-thirds of corporate boards place board risk responsibility in the audit committee. Caryn P. Bocchino of KPMG's Audit Committee Institute, who also worked with The Conference Board on the study, discussed the organizational aspects of board oversight of risk management. She noted: "Although it's clear that the audit committee is the most common place for risk management oversight responsibility, audit committees are already heavily involved with their basic financial reporting risk responsibilities. Boards may consider assigning the non-financial reporting aspects of risk management oversight to another committee in coordination with the audit committee." Dr. Brancato also noted that giving the more operational aspects of ERM to another committee might be beneficial; then the audit committee and this other risk-related committee would report to the full board. In fact, the study finds that, in addition to the 66% of companies where the audit committee is the sole repository of risk oversight, in 23% of companies another committee shares this responsibility with the audit committee.

A few, mostly financial, institutions have established separate Risk Committees with an integrated view on all risks the company faces (of the companies surveyed, 16% in the financial services area report having a separate and distinct risk committee for more than 2 years, versus less than 4% in the nonfinancial area).

About The Conference Board

The Conference Board, not-for-profit and non-partisan, is the world's leading research and business membership network. The Conference Board is celebrating its 90th anniversary this year. It produces the Consumer Confidence Index, the Leading Economic Indicators for the U.S. and eight other nations, the Help-Wanted Print and Online Job Indexes, and major studies on productivity trends. The Conference Board also produces authoritative studies and reports on corporate governance, executive compensation, corporate citizenship, diversity and best practices on a wide range of human resources activities. The Conference Board's conference and council programs bring together more than 18,000 senior executives from around the world.

The Conference Board creates and disseminates knowledge about management and the marketplace to help businesses strengthen their performance and better serve society.

The Conference Board Governance Center brings together a distinguished group of senior corporate executives from leading world-class companies and influential institutional investors in a non-adversarial setting. In small groups of prominent senior executives, all discussions are confidential, enabling a free-flowing exchange of ideas and effective networking.

The Conference Board Directors' Institute is the premier provider of governance education for corporate directors. Our singular approach brings together current and former directors, chairmen, and CEOs to share their practical experiences in a completely non-academic format. As a significant part of the Directors' Institute experience comes from peer-to-peer discourse, attendance at events is restricted to sitting corporate directors.

About McKinsey & Company

McKinsey & Company is a management consulting firm that helps many of the world's leading corporations and organizations address their strategic challenges, from reorganizing for long-term growth to improving business performance and maximizing revenue. With consultants deployed in more than 40 countries across the globe, McKinsey advises companies on strategic, operational, organizational and technological issues. For eight decades, our primary objective has been to serve as an organization's most trusted external advisor on critical issues facing senior management.

About KPMG's Audit Committee Institute

KPMG's Audit Committee Institute (ACI) has been communicating with audit committees since its formation in 1999. Its programs have allowed ACI to meet directly with thousands of directors and officers. ACI's initiatives include semiannual roundtables, publications, conference and board presentations, a toll-free hotline, periodic distribution of time-sensitive information, and a Web site, www.kpmg.com/aci. ACI can be reached toll-free at 877-KPMG-ACI (877-576-4224) or via e-mail at [email protected].

Source: The Role of the U.S. Corporate Board of Directors in Enterprise Risk Management, Report # 1390, The Conference Board