How the board views risk oversight as a process should dictate how it chooses to organize itself for purposes of executing that process.[1] The risk oversight process enables the board and management to develop a mutual understanding regarding the risks the company faces over time as it executes its business model for creating enterprise value. In organizing itself for risk oversight, what are some of the factors for the board to consider?
There is no one size that fits all. A board has the flexibility to organize itself in a manner that makes sense in view of its company’s size, structure, complexity, culture and risk profile. With that in mind, following are approaches for boards to consider.
- The full board should assume responsibility for risk oversight, mirroring its responsibility for strategy. If the board is to understand the full picture around the corporate strategy, it also needs to understand the risks inherent in that strategy. If the full board is responsible for monitoring execution of the strategy, it needs to understand the critical risks and whether they are being managed effectively. This oversight can be carried out either by the full board or through delegation to one or more standing committees, provided overall responsibility for the process remains with the full board.
- As an alternative, risk oversight may be delegated to one or more standing committees. This delegation of responsibility can be accomplished in different ways, e.g., a separate risk committee, expansion of the role of the audit committee, or the various committees of the board (audit, finance, strategy, etc.). Our experience is that, outside of financial services, most boards delegate risk oversight responsibilities to the audit committee. In the United States, the New York Stock Exchange (NYSE) set the tone for this trend several years ago when it incorporated a requirement in its listing standards for audit committees to include in their charter a responsibility to discuss with management the company’s policies around risk assessment and risk management.
- Be careful, however, in making the audit committee the default choice. Whenever audit committees assert they are addressing risk management, our experience is that the scope is all over the map. The key question around the use of the audit committee for risk oversight is, “Does it have the time, skills and support to do the job, given everything else it is required to do?” If a company decides that the board should exercise strong risk oversight and that the audit committee is the answer for providing that oversight, it should recognize that the committee already has many responsibilities that are narrowly focused on financial reporting and is, in effect, the last line of defense for financial reporting risk. This point should not be taken lightly if the enterprise’s financial reporting issues are complex. The so-called “audit committee financial expert,” who has become a fixture on many audit committees as a result of the Sarbanes-Oxley legislation, may not necessarily have the requisite skillsets to evaluate policies for assessing and managing the range of business and operational risks the enterprise faces. Sadly, off-balance-sheet reporting and other financial reporting practices sanctioned by companies and their audit committees have often obscured the very transparency so necessary for effective risk management and risk oversight. Therefore, the complexity of the company’s risks may justify a different approach than deploying the audit committee.
- Whichever option is selected, the key is having a balance of qualified directors. Knowledge of the industry and its critical risks is vital for companies with significant financial and commodity-based risks. If this is lacking, it won’t matter which option the board selects.
- Information is also important. It is imperative that the directors have access, from both internal and external sources, to the information and insights conducive to effective risk oversight. Ineffective risk reporting renders moot the discussion around organizing for risk oversight.
- NYSE companies have further complications. Even if the board decides to set up a separate risk committee or engage one or more standing committees other than the audit committee, the audit committee charter of NYSE-listed companies still must address the committee’s duties and responsibilities to discuss policies with respect to risk assessment and risk management.
- If various standing committees are used, beware of the lack of focus on the big picture. The use of various committees can result in a fragmented and silo-driven approach, which can result in critical risks being omitted from consideration. That is why this approach should be orchestrated carefully at the full board level.
Questions for Boards
Following are some suggested questions that boards of directors may consider, in the context of the nature of the entity’s risks inherent in its operations:
- Has the board considered how it should organize for risk oversight?
- Is the board satisfied that its current complement of directors has the requisite expertise and industry knowledge to provide effective oversight of the company’s most critical risks?
- Are the board and/or responsible committee(s) confident that they are receiving the comprehensive, objective information they need to perform their risk oversight function?
How Protiviti Can Help
As the board evaluates how to organize for risk oversight, Protiviti can assist it and executive management with assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We help organizations improve risk reporting that can better inform the risk oversight process, a key to the success of any oversight process regardless of how the board chooses to organize itself.
[1] For a definition of “risk oversight,” see Issue 1 of Board Perspectives: Risk Oversight, available at www.protiviti.com.
Board Perspectives: Risk Oversight (Issue 5)