Corporate Governance Practices Emerging in ERM

New York - As the oversight role of the corporate board in enterprise risk management (ERM) expands, companies feel the need to fill a knowledge gap on effective risk governance practices, according to a major new study released today by The Conference Board Inc.

"The concept of correlating risk management and strategy in an enterprisewide structure first appeared in the midst of merger frenzy in the late 1980s," says Matteo Tonello, who focuses on corporate governance at The Conference Board, New York, and is the author of the study. "At the time, many executives and strategists acknowledged that the enormous amount of risk undertaken through a series of corporate combinations was often not justified by a sound analysis of long-term prospects. In the 1990s, the debate continued and increasingly drew the attention of the business community, only to be obfuscated by the more exclusive focus on financial risks resulting from the scandals of the Enron era. A few years into the implementation of the Sarbanes-Oxley Act of 2002, corporations are now ready to leverage their experience with mandatory internal control procedures to establish a more comprehensive ERM infrastructure."

In response to the need for guidance in the design and implementation of ERM, The Conference Board instituted a case study based Research Working Group on enterprise risk management with select risk and governance officers. "Emerging Governance Practices in Enterprise Risk Management" presents an overview of this group's findings, including comments from participants and insights gleaned from five case studies of companies at the forefront of ERM. The report also provides a detailed "road map," with a discussion of the oversight role of the corporate board in each of the major stages of ERM development and execution.

The group operates from the recognition that, after years of regulations focused on tackling fraudulent behaviors and raising compliance standards, a new era in corporate governance development has begun, according to The Conference Board. Public companies have started to realize that poor governance can hurt market opinion, with a negative impact on the cost of capital and share price. For this reason, management and corporate boards need to proactively think about the specific governance issues their companies are facing and set up a process to anticipate and respond to major risks in this arena.

"As soon as business organizations abandon the traditional view of corporate governance as a regulatory burden," says Tonello, "they can begin to more easily understand its value as a fundamental risk management activity. That is why our research group reinforced the oversight role of the board and stressed the importance of integrating corporate governance practices with a company's Enterprise Risk Management program."

The report points to the benefits of this integration:

  • Reduces the inefficiencies inherent in the more traditional, segmented approach to risk management and promotes cost reductions through the development of synergies among business units and departments (both through the aggregation of risks for more accurate quantification and the adoption of coherent risk response strategies).
  • Minimizes costly risk exposures, by allowing the company to identify interdependencies among risks that would remain unnoticed under the traditional risk management model.
  • Provides—through its emphasis on overall risk appetite—a more objective basis for resource allocation, therefore improving capital efficiency and return on equity.
  • Stabilizes earnings and reduces stock-price volatility. Empirical evidence, especially in the insurance industry, supports the use of hedging techniques to reduce unanticipated earnings fluctuations; further studies highlight the need to coordinate hedging activities among functional or business silos in order to optimize the benefits.
  • Offers the tools to make more profitable, risk-adjusted investment decisions.
  • Improves transparency to stakeholders, therefore reducing regulatory scrutiny, litigation expenses, costs of access to equity capital and the rate of return on incurred debt.

Working Group participants agreed that risk is a two-fold phenomenon and distinguished between "downside risk" (composed of all the consequences of an event that may negatively affect a company's ability to achieve its strategic goals) and "upside risk" (represented by the potential benefits or the business opportunities that the company may derive from the same event). Obviously, the downside of risk should be mitigated, or avoided altogether. But it is also important for a company to have a system in place to identify the upside of risk and escalate it to the higher ranks in the organization, so that senior managers and the board become aware of it and embed it in their strategic decision-making process.

In other words, there are two aspects of risk management: a preventive, control-based aspect and a forward-looking, entrepreneurial aspect. While traditional risk management activities tend to focus on the preventive aspect, an ERM program should ensure the right balance between the two.

The Conference Board Research Working Group examined five case studies of ERM implementation: Bristol-Myers Squibb Company, Capital One Financial Corporation, International Paper, MetLife, Inc. and Moody's Investors Service. Participants then reached a consensus on recommendations for corporate boards and senior executives who undertake the effort of integrating corporate governance and risk management. Among such recommendations, outlined in the report, a company should consider the following stages in the development and execution of the program:

  1. Appreciate the importance of ERM. Board members need to become knowledgeable about ERM and appreciate its strategic value. For this purpose, they need to be provided with adequate informational materials and, if necessary, they should retain advice from independent external experts.
  2. Assess gaps and vulnerability in existing risk management solutions. The corporate board should be persuaded by the business case for implementing ERM, which should rest on a detailed analysis of the limitations inherent in more traditional risk management solutions (which tend to be disjointed and segmented).
  3. Set an underlying mission and program objectives. The ERM business case should be formulated as a concise and effective mission statement, articulated in the main program objectives and tied to the firm's strategic goals.
  4. Establish the ERM infrastructure and assign leadership. As part of this step, dedicated board members and senior executives should discuss corporate risk governance policies, draft (or revise) charters or other organizational documents to incorporate ERM functions, and assign the program leadership at the executive level.
  5. Compile a risk inventory. Risks facing the business should be identified, categorized and prioritized. Since the accuracy of the risk portfolio is a precondition to the success of the whole program, the board should oversee the process to take inventory of risk and become comfortable about its effectiveness and thoroughness.
  6. Select assessment techniques and define risk appetite and tolerance. The selection of appropriate risk measurements should be made based on the nature of each risk in the portfolio, the amount and depth of data required to apply the measure being considered, and the organizational capacity of the business unit in charge of responding to the risk event.
  7. Determine risk response strategies. Risk owners are accountable for the response to events assigned to their area of responsibility. Nonetheless, because of the comprehensive and cohesive nature of the ERM program, their response should no longer be disjointed from other divisions of the firm and should be taken according to a set of response criteria and guidelines (the "response strategy") predetermined as part of the designed procedures. A response strategy should be developed for each risk category in the portfolio.
  8. Develop effective internal communication and reporting protocols. An internal flow of information is essential to the success of ERM. Therefore, in designing the program, senior management should pay extra attention to establishing coherent communication and reporting practices. Board members, for their part, should analyze the quality of internal reporting lines and be persuaded that information on risk that is material for strategic purposes will be channeled upstream and brought to their attention.
  9. Monitor ERM implementation and execution. In an integrated risk management environment, any activity conducted to identify, assess and respond to risk should be monitored on an ongoing basis. Monitoring functions are embedded in the program and assigned to any organizational level so that they can be performed in the ordinary course of running a business. Large companies should avail themselves of dedicated evaluation teams and sophisticated flowcharts and diagrams to ensure the enterprise-wide ramification of the monitoring function.
  10. Choose compensation policies and performance metrics to promote and track the pursuit of a risk-adjusted corporate strategy. The board should never let executive compensation issues influence the risk measure selection process. Although companies may decide to use qualitative and quantitative risk data as key performance indicators (KPIs) to encourage the enhancement of their business risk management program, corporate boards should ensure that KPIs are chosen only after completing the ERM process design.
  11. Integrate ERM with existing operational systems (i.e., IT, accounting/budgeting/planning, internal control, regulatory compliance, etc.). According to the Research Working Group findings, revisiting performance metrics to tie them to a risk-adjusted strategy and fully integrating ERM with existing operational systems represent the most advanced (and least implemented) stages in an ERM program.

"From a corporate governance standpoint, the role of corporate directors in phases such as the compilation of the risk portfolio or the selection of adequate response strategies cannot be overstated," says Tonello.
Board members not only contribute their knowledge and expertise but also oversee the process adopted by senior managers to identify and prioritize risks. It should be understood that if a major risk is (accidentally or deliberately) excluded from the analysis, then the rest of the ERM program will suffer a major deficiency.

"As they approach ERM from a governance perspective, board members should remain aware that certain business risks may represent personal opportunities for dishonest, ill-intentioned managers. In those cases, managers may have an interest in avoiding having those categories of potential events brought to the surface and addressed in a systematic and effective way," Tonello continues.

The board should consider becoming familiar with the event identification techniques chosen by senior executives (interviews, questionnaires and surveys, facilitated workshops, market analyses, industry benchmarks, geopolitical reports), understand their limitations, and be able to critically analyze their outcomes.

Similarly, the Research Working Group recommends that responses to risk events be taken according to a set of response criteria and guidelines (the "response strategy," which may consist of risk avoidance, mitigation or undertaking, according to the risk type). The board should ensure that the response strategy is the most appropriate to respond to a risk category and is supported by a cost-benefit analysis, including:

  • A discussion of the time horizons regarding both the impact of the risk event and the implementation of the response.
  • An assessment of the resources the firm would need to deploy to implement a specific response, including the ability to access external capital to finance the response.
  • The consistency of the response with long-term business objectives.

The report is a complement to "The Role of U.S. Corporate Boards of Directors in Enterprise Risk Management," a June 2006 report from The Conference Board that illustrates findings from survey-based research on how board members perceive their risk oversight role.
Source: The Conference Board Inc.
