Guidance for boards on their oversight of risk management
The law firm of Wachtell, Lipton, Rosen & Katz has provided good advice for boards on the exercise of their responsibilities for oversight of risk management. You can access the report here (feel free to check out the other files I have uploaded to my LinkedIn profile).
Here are some excerpts of particular interest (the bolding is mine, to highlight key words/sections):
- “The risk oversight function of the board of directors continues to take center stage…and investor and public expectations for board engagement with risk continue to be high. The reputational damage to boards of companies that fail to properly manage risk is a major threat.”
- “What exactly is the proper role of the board in corporate risk management? The board cannot and should not be involved in actual day-to-day risk management. Directors should instead, through their risk oversight role, satisfy themselves that the risk management policies and procedures designed and implemented by the company’s senior executives and risk managers are consistent with the company’s corporate strategy and risk appetite, that these policies and procedures are functioning as directed, and that necessary steps are taken to foster a culture of risk-aware and risk-adjusted decision-making throughout the organization. The board should establish that the CEO and the senior executives are fully engaged in risk management.”
- “Through its oversight role, the board can send a message to the company’s management and employees that comprehensive risk management is neither an impediment to the conduct of business nor a mere supplement to a firm’s overall compliance program, but is instead an integral component of the firm’s corporate strategy, culture and business operations.”
- “The ‘tone at the top’ established by the board and the CEO shapes corporate culture and permeates the corporation’s internal and external relationships. The board and relevant committees should work with management to promote and actively cultivate a corporate culture and environment that understands and implements enterprise-wide risk management.”
- “Comprehensive risk management should not be viewed as a specialized corporate function, but instead should be treated as an integral component that affects how the company measures and rewards its success.”
- “Companies will, of course, need to incur risk in order to run their businesses, and there can be danger in excessive risk aversion, just as there is danger in excessive risk-taking.”
- “But the assessment of risk, the accurate calculation of risk versus reward, and the prudent mitigation of risk should be incorporated into all business decision-making.”
- “In setting the ‘tone at the top,’ transparency, consistency and communication are key: the board’s vision for the corporation, including its commitment to risk oversight, ethics and intolerance of compliance failures, should be communicated effectively throughout the organization. Risk management policies and procedures and codes of conduct and ethics should be incorporated into the company’s strategy and business operations, with appropriate supplementary training programs for employees and regular compliance assessments.”
The guidance includes 11 tasks that boards should consider as part of their oversight role. Any board taking this approach will be delving deep into the effectiveness of the risk management program. This is far more than ‘checking the box’.
One of the recommended actions I like, along with emphasis on independence and authority for the risk management office, is that “any committee charged with risk oversight should hold sessions in which it meets directly with key executives primarily responsible for risk management, just as an audit committee meets regularly with the company’s internal auditors and liaises with senior management in connection with CEO and CFO certifications for each Form 10-Q and Form 10-K.”
What are your favorite ‘bits’ from the document? Is there anything you disagree with? Is anything missing?
From Dilbert by Scott Adams (http://search.dilbert.com/comic/Risk%20Management)