Risk oversight is a high priority on the agenda of most boards of directors. Recently, the importance of this responsibility has become more evident in the wake of an historic global financial crisis, which disclosed perceived risk management weaknesses across financial services and other organizations worldwide. Based on numerous legislative and regulatory actions in the United States and other countries as well as initiatives in the private sector, it is clear that expectations for more effective board risk oversight are being raised not just for financial services companies, but broadly across all types of businesses. As a result, some boards are taking a fresh look at the qualifications of their members, how they operate, and the extent to which they avail themselves of the appropriate officers within the organization and other expertise to understand the enterprise’s risks and how those risks are being managed. Directors are also looking into whether their board’s committee structure and the information to which each committee has access are conducive to effective risk oversight.
To develop deeper knowledge of the risk oversight process as it is applied by today’s boards of directors, and to understand both the current state and desired future state of board risk oversight as viewed by directors, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned Protiviti to conduct a survey regarding the risk oversight responsibilities of the board of directors and how those responsibilities are being performed. This issue of The Bulletin highlights the findings and recommendations of that survey. The survey report, Board Risk Oversight: A Progress Report, summarizes the results of input from more than 200 directors and is available at www.protiviti.com.
For purposes of this study, “risk oversight” describes the role of the board of directors in an enterprise’s risk management process. In assessing the overall survey results, we found there are mixed signals about the effectiveness of board risk oversight across organizations. While many directors believe their boards are performing their risk oversight responsibilities diligently and achieving a high level of effectiveness, a strong majority indicate that their boards are not formally executing mature and robust risk oversight processes. Just over half of the respondents rate the risk oversight process in their organizations as “effective” or “highly effective.”
The results were somewhat better among respondents from public companies, particularly large ones; these organizations continue to believe they are proactive in their risk oversight efforts. However, responses to several questions about key elements of risk oversight suggest the board’s risk oversight is not always supported by robust underlying processes and there is overall dissatisfaction among a significant number of directors in several areas, including how risks are considered in the context of the organization’s strategy. Notable variations in results exist across various organizations, including differences across the nature of the entity (i.e., publicly traded, privately held, not-for-profit), size of entity, and industry represented.
Overall, the results of this study reveal a number of areas for improving board risk oversight. These improvements would enable boards to advance the maturity of the risk oversight process and are summarized below.
There Is an Opportunity to Improve the Robustness of the Risk Oversight Process
As noted earlier, more than half of the survey participants commented that the board’s risk oversight process is either “effective” or “highly effective”; however, there also is general agreement among respondents that there should be a more structured process for monitoring and reporting key risks to the board. While just over half of the respondents believe there are processes for understanding and challenging assumptions and inherent risks associated with the business strategy and that there are processes in place to monitor the impact of changes in the environment on the strategy, fewer than 15 percent of respondents noted that the board is fully satisfied with those processes.
For a large majority of the survey questions, marginally positive responses were received with regard to whether key elements of risk oversight are routinely in place, and in most instances these elements are not supported by robust underlying processes. A strong majority of respondents – 71 percent – indicated that their boards are not formally executing mature and robust risk oversight processes. While the results were the same among respondents from public companies, within this group, 50 percent of directors from companies in the financial services industry reported that their boards are not executing mature and robust risk oversight processes, whereas the response from those with nonfinancial services companies was much higher (78 percent).
There Is an Opportunity to Enhance Risk Reporting to the Board
Respondents reported on the types of risk reporting their boards receive at least annually along with those that they do not receive. To obtain a perspective regarding the types of information provided to the board on a periodic basis, the survey provided a listing of nine illustrative examples of risk reporting. Respondents were asked to identify the frequency with which each is received in their respective organizations.
The top three reports designated by the respondents as being received by the board at least once a year are:
- High-level summary of top risks for the enterprise as a whole and its operating units
- Periodic overview of management’s methodologies used to assess, prioritize and measure risk
- Summary of emerging risks that warrant board attention
The top three reports designated by the respondents as not being received by the board at least annually are:
- Scenario analyses evaluating effect of changes in key external variables impacting the organization
- Summary of exceptions to management’s established policies or limits for key risks
- Summary of significant gaps in capabilities for managing key risks and the status of initiatives to address those gaps
The results show that, if reports are not received at least annually, they are generally received on an as-needed basis or not at all. There is little variation in the results across different organizational demographics, with the exception that public organizations are providing more regular reporting to the board on risk-related matters, showing more favorable results for all nine illustrative reporting examples, in terms of receiving the reports at least once a year. Furthermore, directors from public companies with revenue of US$1 billion or more reported even more favorable results for all illustrative examples.
Regardless of how the data is cut, there is evidence that there are organizations receiving reports less than once a year, on an ad hoc basis, or not at all. These findings reveal an opportunity for organizations to improve the risk reporting process and increase the regularity of reporting according to the nature of the organization’s operations and risk profile as well as the board’s specific needs.
There Is an Opportunity to Improve the Risk Appetite Dialogue
The survey results suggest that within many organizations efforts are under way to better understand the entity’s risk appetite (i.e., the boundaries and limits that the organization sets on behavior for its strategy and operating model). However, the findings show that boards and their organizations can benefit from a more rigorous process. Starting with the business strategy itself, just over half of the respondents (52 percent) reported that the board develops an understanding of, and appropriately challenges, the organization’s strategy, including its underlying assumptions and inherent risks. Likewise, a majority of respondents (55 percent) reported that there is effective monitoring of the environment for changes that could impact both the strategy and the associated risks.
On both of these points, however, less than 15 percent of respondents noted that the board is satisfied with the processes underlying these activities (i.e., the other respondents reported that either improvements are needed or the supporting processes are ad hoc in nature).
On another matter, only 40 percent of respondents indicated they routinely express risk appetite in either quantitative or qualitative terms. Almost six in 10 respondents (59 percent) reported that the board monitors the company’s culture and incentive compensation structure to ensure that the proper tone is set toward managing risk. For U.S.-listed companies, this assessment is necessary for purposes of responding to the proxy disclosure requirements of the Securities and Exchange Commission (SEC), because an organization’s culture and compensation structure can affect its propensity to take risk. A majority of respondents (56 percent) indicated they have routine discussions regarding risks that are acceptable for the organization to take in achieving strategic objectives.
These discussions help boards and management understand the risks inherent in the organization’s value creation strategies.
It is important to note, though, that responses in this part of the study were consistently higher among directors from public companies, with the highest level of satisfaction with the risk appetite dialogue reported by directors from large public companies, underscoring the maturity of the risk oversight process in these organizations.
There Are Opportunities to Improve Monitoring of the Risk Management Process
While the survey focused exclusively on the perspective of board members regarding risk oversight, the link between risk oversight and the effectiveness of the risk management process is inextricable. According to the results of the study, nearly two-thirds of the respondents noted that board monitoring of the organization’s risk management process is not done at all or is carried out in an ad hoc manner. About half of the respondents reported that their boards have no formal processes to assess periodically whether the organization’s risk management system is resourced sufficiently.
Not surprisingly, boards of public companies receive more regular reporting on top enterprise risks to inform the board’s risk oversight process than those at private organizations and not-for-profits (64 percent compared to 40 percent). Larger public companies (revenue greater than $1 billion) reported even higher results, at 74 percent. Finally, among public companies, 82 percent of directors with financial services institutions reported that they receive periodic risk profile information regarding significant enterprise risks, compared to 58 percent reported by their nonfinancial company counterparts.
A majority of directors (55 percent) said there is a process followed by management to provide adequate and timely information resulting in fresh insight for the board’s risk oversight process. While the respondents noted that this process is in place, 85 percent indicated it could be improved. Finally, just over half of respondents (53 percent) indicated that there is a periodic assessment of the resources supporting the risk management system. As with other findings, results for public companies evidenced a higher percentage of organizations with functioning processes in these areas.
Many Organizations Can Do More to Apprise Their Boards of Other Significant Risk Matters
The results suggest that while many companies have a process to inform the board regarding the most significant risks and how those risks are being managed, in relatively few organizations is this process sufficiently defined and rigorous.
Based on the survey’s findings, there are opportunities to improve processes to notify the board when the organization has exceeded its risk limits, and to ensure that risk issues are addressed in an appropriate and timely manner. In addition, 44 percent of the directors reported that management does not have a process to ensure that deficiencies are remediated in an appropriate and timely manner, and 37 percent noted that the organization does not assess extreme high-impact/low-likelihood events (some of which may be so-called “black swans”). As noted with other findings, the results for public companies evidenced a higher percentage of organizations with functioning processes addressing these matters.
Boards Can Self-Evaluate the Risk Oversight Process Better and More Frequently
Twenty-nine percent of survey respondents indicate that their boards are not self-evaluating the board risk oversight process. Another 34 percent of respondent boards are only doing a self-evaluation on an as-needed basis. Of the remaining respondents, 22 percent are performing at least a rigorous self-evaluation to identify inconsistencies and gaps with expected performance and suggest improvements, and 15 percent are conducting a self-evaluation routinely.
Of note, the results suggest that organizations outside the United States believe they are doing a more robust job with self-evaluations of the risk oversight process than U.S.-based organizations. Nearly 60 percent of respondents from organizations outside the United States indicated that there is a process in place to self-evaluate the results of the risk oversight process, whereas less than 40 percent of U.S. respondents stated they have a formal process to do so. In addition, 26 percent of respondents from non-U.S. organizations indicated that this is a mature and robust activity, compared to just 3 percent from U.S.-based organizations. Finally, whereas 22 percent of all respondents reported having a formal self-evaluation process, almost twice as many respondents from financial services organizations (41 percent) reported having such a process.
There Are Obstacles to Improving Risk Oversight
While participating board members acknowledged that the risk oversight process is in need of improvement, they also reported on some of the key obstacles to improving it. Providing a list of possible impediments, we asked participants to list the top three. Of the respondents completing all of the questions in the survey, only nine chose not to list any obstacles, implying there were none. Almost three-fourths of the respondents selected three obstacles. The remaining respondents selected anywhere from one to all of the obstacles. In summary, substantially all of the respondents reported that there were one or more impediments to improving risk oversight.
The five obstacles that were selected most often were:
- More pressing needs for the organization
- Don’t see the value in pursuing an enterprise risk management process
- Lack of understanding and/or acceptance of enterprise risk management by board members
- Risk management is viewed as a compliance-related activity and/or treated as an appendage to performance management
- Lack of clarity around or inability to agree on the entity’s risk philosophy
While the tabulation of results included in the survey report provides a view as to the frequency with which each listed obstacle was selected by respondents, it also implies a “good news” message in that, for each individual obstacle, a majority of participants in the survey did not see it as an impediment. Therefore, the overriding message is twofold: First, almost all respondents reported that there are one or more obstacles inhibiting the risk oversight process in their organizations. Second, the nature of the obstacles faced varies with each organization.
The SEC Proxy Enhancements Are Raising Awareness of the Need for Risk Oversight
The SEC proxy enhancements require greater transparency into how the board operates to provide oversight with respect to the organization’s risk management. Because risk oversight is not a robust process at the present time for most organizations and there is a lack of authoritative guidance as to best risk oversight practices, the risk oversight playbook is likely to evolve over time. The SEC proxy enhancements are prompting more interest on the part of directors and executives regarding the enterprise’s risks and risk management processes, and may even be part of the reason why public companies show more progress than private companies and not-for-profit organizations.
According to the respondents, the three most common impacts of the SEC’s 2010 proxy enhancements requiring disclosure of the board’s risk oversight process are:
- More discussion of risk in concert with strategy and/or operational performance
- Heightened the need to implement effective risk management
- More frequent discussion of risks at board meetings
Recommendations to Improve Board Risk Oversight Effectiveness
As the results of this study demonstrate, there are opportunities to improve the maturity of the board risk oversight process in many organizations today so that it can become more systematic, robust and repeatable. For example, boards may want to consider the following in view of the nature and complexity of their organization’s operations and risks and the current state of their risk oversight process:
- Implement a more structured process for monitoring and reporting critical enterprise risks and emerging risks to the board.
- Look for opportunities to enhance the risk reporting process to make it more effective and efficient and increase the regularity of reporting according to the nature of the organization’s operations and risk profile.
- Come to an agreement with management on the risk-related matters that need to be escalated to the board, addressing the what, when and why.
- Encourage employment of techniques that foster out-of-the-box, big-picture thinking focused on the critical assumptions underlying the corporate strategy to assess the strategic risks and uncertainties the enterprise faces.
- At least annually, focus on whether developments over time in the business environment result in changes in the critical assumptions and inherent risks underlying the organization’s strategy and the effect of such changes on the organization’s business model.
- Implement a more defined and rigorous process supporting the risk appetite dialogue between the board and management, and ensure the results of this dialogue are driven down into the organization in an appropriate manner.
- Incorporate appropriate questions relating to risk oversight in the board’s periodic evaluation of board performance effectiveness.
The above considerations can be applied to most organizations, irrespective of how the board chooses to organize itself for risk oversight.
While many board members perceive that their board’s risk oversight process is operating effectively, particularly those directors from larger publicly held organizations, there are opportunities for improvement for most organizations as well as several noted obstacles to be considered. The findings of this survey provide valuable insights into how an organization, regardless of how the board organizes itself for risk oversight, can advance this critical process to a more mature stage so that it is more systematic, robust and repeatable. These opportunities are further detailed throughout the survey report provided at www.protiviti.com, along with further tabulation of the results and Protiviti commentary.
Key Questions for Consideration by Board Members:
- Has the board articulated its risk oversight objectives? Are those objectives incorporated into the board’s charter?
- Has the board evaluated the effectiveness of its risk oversight processes in achieving its risk oversight objectives? Has the board considered whether to conduct this evaluation periodically in the future?
- Is the board proactively taking steps to address any gaps that may impede its risk oversight effectiveness?
- Are any of the recommendations for improving the risk oversight process, as outlined above, relevant to the company considering the nature and complexity of its operations and risks?
The Bulletin (Volume 4, Issue 4)