Risk Angles: Five Questions on Exercising Risk Oversight
This edition of Risk Angles features an interview with Stephen Alogna, director, Deloitte & Touche LLP in the United States, regarding ways in which boards of directors can sharpen their focus on risk. Also, we take a closer look at global practices regarding board-level risk committees with Dan Konigsburg, managing director of the Deloitte Global Center for Corporate Governance, Deloitte Touche Tohmatsu Limited (DTTL).
Boards of directors are working hard to define and fulfill their risk governance and risk oversight roles and responsibilities. The changing economic, business, competitive and regulatory landscapes ensure that this work will continually evolve, so staying abreast (or ahead) of developments is the order of the day. Within that context and given competing responsibilities, boards need to direct their risk oversight efforts toward the most productive areas and assist management in ways that most benefit shareholders and other stakeholders.
What key risk areas should boards be focused on right now?
The board has to understand the risks the organization faces, as well as management’s processes for identifying, reporting and managing those risks. Both the risks and the relevant processes must be discussed. This covers a lot, so boards must foster an open, ongoing conversation about risk with management. Key risk areas for most organizations include strategic, financial, operational, regulatory, compliance, legal, technology and reputation risk. Given the proliferation of personal devices and social media, two risk areas currently deserve special focus: cyber-crime and reputation risk.

What structures can assist the board in exercising risk oversight?
While the full board is responsible for risk oversight, most boards exercise that oversight to varying degrees through board-level committees. For instance, the audit committee is often charged with overall risk oversight and with monitoring related controls. Similarly, the compensation committee typically oversees risk in compensation plans. Essentially, the board must allocate oversight of critical risks to the appropriate committee and make sure that each committee understands both the risks and the risk management processes in the areas it oversees. In addition, the full board should be discussing risk on a regular basis to coordinate individual committee activity. Lastly, a board may not need to establish a board-level risk committee, although that is often an option worth considering.

How can the board enhance risk culture?
Boards can create a positive environment by setting a tone in which employees are comfortable challenging one another, including authority figures, about risk-taking. They can promote transparency, ownership and accountability around risk. They can also help management to enhance the risk culture through resource allocations, training programs and risk culture surveys. Most importantly, the board should see that incentives, rewards and performance systems are aligned with a focus on sound risk management, compliance and controls — as well as value creation.

What do boards need to know about risk management maturity?
In this context, maturity refers to the levels of formality, quality, transparency and integration of risk management approaches, processes and systems. This includes means of measuring, monitoring, reporting, mitigating and managing risks of all types. Effective risk governance calls for a regular assessment of the maturity of the organization’s capabilities. A model that relates characteristics of capabilities to levels of risk management maturity — such as fragmented, top-down, integrated or risk intelligent — can help organizations gauge where they are and how to chart a path to the next level.

How can the board help stakeholders understand the organization’s risk story?
The key is to use disclosures to provide visibility into the risks the organization faces and how risk governance and management work. Disclosures can explain the roles of the board and its committees and the processes for overseeing and managing risks. The board should ensure clear, plain-language disclosures and encourage supplementing risk disclosures with quantitative or qualitative analysis. Discussing the full range of risks — and management’s methods of addressing them — in a specific, concise, relevant manner will bolster stakeholders’ confidence in the organization’s risk governance and management capabilities.
A closer look: Board risk committees around the world
By Dan Konigsburg
To address increasing risk-related responsibilities and, often, to respond to regulatory changes, a good number of boards have established board-level risk committees. These include dedicated, stand-alone risk committees, as well as combined, hybrid committees (such as an audit and risk committee or asset management and risk committee). Of course, the full board remains responsible for risk and risk oversight; however, a risk committee of either type can further formalize the means and mechanisms by which the board carries out its risk-related responsibilities.
According to a recent global DTTL study, board-level risk committees are well-established and widespread, with 38 percent of the 400 companies examined having either a stand-alone or hybrid risk committee. As might be expected, board-level risk committees were most often found in financial services industry (FSI) companies, but were also present in other industries — often to a significant extent, depending on the country. (For example, in Australia 75 percent of non-FSI companies had either a stand-alone (13 percent) or hybrid (62 percent) risk committee.) Among FSI companies globally, 67 percent had stand-alone risk committees and 21 percent had hybrid risk committees, for a total of 88 percent. In contrast, 26 percent of non-FSI companies had risk committees of some type.
Country-specific regulations play a big role in risk oversight structures and practices. Australia, Brazil and the United Kingdom have regulations that require risk committees at the board level for FSI companies. China, the Netherlands, Singapore and the United States currently have only suggested guidelines. In the overall sample, 62 percent of all companies analyzed do not have a board-level risk committee. This largely reflects the lack of regulatory requirements for board-level risk committees in non-FSI companies in most countries.
Whichever means they choose, boards must fulfill their risk-related roles and responsibilities as effectively as possible. Depending on the organization, its industry, its risks and its regulatory and risk governance needs, a board-level risk committee may enable the board to:
- Assert and articulate its risk-related roles and responsibilities more clearly and forcefully
- Establish its oversight of strategic risks, as well as the scope of its oversight of operational, financial, compliance and other risks
- Task specific board members, external directors and other individuals with overseeing risk and interacting with management and the chief risk officer
- Recruit board members with greater risk-related experience and expertise
- Keep the board more fully informed regarding risks, risk exposures and the risk management infrastructure
- Improve advice provided to management regarding risk, response plans and major decisions, such as mergers, acquisitions and entry into new markets or new lines of business
Of course, a board-level risk committee requires resources, including funding, expertise and time. Moreover, the foregoing items are risk oversight responsibilities that any board must fulfill. So we emphasize that a board need not establish a committee to fulfill those responsibilities, but that a board needs to consider — and periodically reconsider — the means by which it fulfills them.
As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.