Trends in Risk Oversight: What Board Directors Should Know
Deloitte Insights video
The financial crisis shot risk management to the top of board agendas. Today’s boards are struggling with how to define and fulfill their governance roles in light of changing regulations. Tune into this episode of Deloitte Insights to catch up on the latest trends in risk oversight.
Henry Ristuccia, Partner, Deloitte & Touche LLP and Global Leader, Governance, Risk and Compliance Services
Maureen Errity, Director, Deloitte LLP, Center of Corporate Governance
It’s time for Insights, a video news production of Deloitte LLP. Now here’s your host, Sean O’Grady.
Sean O’Grady (Sean): Hello and welcome to Insights. Today, we are discussing what corporate board members should know about the latest trends in risk oversight. To do so, we are welcoming back to the program, Henry Ristuccia, a partner in Deloitte and Touche LLP and the global leader of our Governance, Regulatory and Risk Strategies practice. We also have Maureen Errity, a Director in Deloitte Center for Corporate Governance. So, folks, it is good to have you back on the program.
My first question is over to you Henry and that is, why is there such a heightened sensitivity around risk right now?
Henry Ristuccia (Henry): Well, Sean, what we have seen is a sentiment in the marketplace amongst organizations that traditional risk management has had shortcomings. Specifically, organizations are very focused on how the board, in its oversight role, effectively interfaces with executive management to address the real value-killer risks within the organization. And by value-killer risks, we mean the critical issues that an organization needs to address to ensure its value is protected. Certainly, legislators and regulators feel the same way, and, as a result, we have seen the SEC increase proxy disclosure requirements. We also hear a lot about the Dodd-Frank Wall Street Reform and Consumer Protection Act and legislation that affects mostly financial institutions, but also has a lot to say about corporate governance.
Maureen Errity (Maureen): I would agree with that, Henry. I would say also that risk was driven to the top of board agendas as a result of the financial crisis, when we saw systematic risk throughout our financial systems. And today, boards are focused, obviously as part of their role, on the strategy of the organization. With that being said, they are looking more closely at the strategy -- with regard to risks to that strategy and risks of the strategy.
Sean: Proxy statements were mentioned in that response. I am wondering are we seeing any trends around those disclosures?
Maureen: Well, that is a great question, Sean. Our Center for Corporate Governance with our Risk Services team have actually done some significant research in this area over the last couple of years. Henry mentioned the new regulation for disclosure of risk oversight in the proxy statements. We have looked at hundreds of companies and their disclosures, and we have seen in 2010, as compared to in 2011 as well, an increase in what they are disclosing and more information for their investors. I can give you some statistics specifically around what we are seeing. First of all, with regard to who is responsible for risk, we found (in both years) about 90% of the companies disclosing that the full board does have the ultimate responsibility, which we all agree with. On the committee level, we found that the audit committee in about two-thirds of the companies in both the years is still taking the primary responsibility with regard to owning risk oversight. However, a big difference there is that companies are spreading that responsibility across committees. So, we have seen an increase in the disclosure from 2010-2011 for more involvement from other committees. 88% of the companies in 2011 that we looked at mentioned at least one other committee besides the audit committee. Some other key things — and these are not requirements by the SEC but these are things that we are looking for — we looked to see if the companies disclose information about how risk is aligned with strategy. Again, we saw an increase in the disclosures around that, 45% of the companies we reviewed in 2011 disclosed some alignment with risk oversight and the strategy of the organization, including CEO involvement. We think that the CEO should own risk management, and in about 36% of the companies, the CEO is mentioned as being part of risk management. So, all these things are on the rise. 
I think, whether or not specifically required, we are seeing companies disclose a lot more about their risk management program from the board’s involvement down to what Henry mentioned: how management is involved as well.
Henry: There is the critical touch point between the board and the C-Suite and that is really “code” for the CEO. It is a critical factor, that, in our view, really brings the risk program to a heightened and more effective level. When the CEO, working in unison with the board, is able to identify what those critical risk factors are (not only to protect value, but also create value), it transforms the risk program to a different level.
Sean: Let's go there with that idea of value. If risk committees are becoming a fact of life at the board level, what is that value?
Henry: One of the rating agencies did a study and found that 70% of the organizations with a weak risk program that is overseen by a risk committee in many cases, had very volatile earnings. Where they had a strong program, in 30% of the organizations, saw some volatility in their earnings. So, the issue around risk committees is, you need an entity within the governance structure of the organization to really focus the risk program because if you don’t have a focused program, you tend to “boil the ocean.” It needs to be much more focused and much more practical. The risk committee, as Maureen said, functions at the board level and says, “Let's get the program focused; let's make it practical,” although, as we said, the entire board is responsible for risk. This is really a critical best practice that helps to focus the program.
Maureen: And I would just add to that. In the same recent research we did across hundreds of companies, it was prominently found that financial service companies have the infrastructure in place. They will either have a chief risk officer that reports to a board-level risk committee or a risk management committee that reports to a risk committee as well. As to why a risk committee is important, I think it really sets the tone that risk at the board-level is being thought about on a regular basis. Culture and embedding risk-thinking in an organization is really powerful and can be a differentiator for leading companies. So, having a risk committee focused on this can really be a value-add for an organization.
Sean: I think that is one valuable suggestion. I liked your remark, though, about boiling the ocean. So, my last question to you is, if there is an organization that is struggling with risk oversight, what are your recommendations?
Maureen: We get the question a lot. I think, the first thing that organizations should do at the board-level is define who is going to own it. Is it the risk committee, or another committee, and how is the full board going to be involved? And then, going back to the first point Henry made: what is the infrastructure at the management level? Is there ownership by the CEO? Do you have a chief risk officer? If not, who would be owning all of the policies and practices that are being put in place for all the employees to look to identify, assess, and monitor risk on a regular basis? So, an infrastructure in place is really critical. I think that is a good first step for an organization.
Sean: So, oversight of the oversight. And you, Henry?
Henry: We recently published a guide for risk committees, and while an organization does not have to have a risk committee at the board level, there should be some type of focal point. This recent guide for risk committees includes practical considerations about organizational considerations, what the charter is, how to define a risk appetite -- which is a term of art these days -- so, there are a variety of items that an organization could go through to ensure that it has the right substance at the board level. It is not just about the structure. It is also about the substance and the risk committee agenda.
Sean: Well, folks, thank you very much for your time today.
Maureen: Thank you.
Henry: Thank you.
Sean: You are welcome. We have been talking about risk oversight with Henry Ristuccia, a partner in Deloitte and Touche LLP and the global leader of our Governance, Regulatory and Risk Strategies practice, and Maureen Errity, a Director in Deloitte Center for Corporate Governance.
If you would like to learn more about topics we discussed on this broadcast, you can find that information on our website, it is http://www.corpgov.deloitte.com. For all the good folks here at Insights, I am Sean O’Grady. We will see you next time.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.