Risk in the Boardroom

Matteo Tonello is managing director at The Conference Board. This post relates to an issue of The Conference Board’s Director Notes series authored by Dr. Tonello and available here.

In a Director Note recently published, The Conference Board reviews current corporate practices on risk oversight by members of the board of directors of U.S. public companies. The study is based on findings from a survey of 359 SEC-registered business corporations conducted by The Conference Board in collaboration with NASDAQ OMX and NYSE Euronext. Data are categorized and analyzed according to 22 industry groups (using their Standard Industrial Classification, SIC, codes), seven annual revenue groups (based on data received from manufacturing and nonfinancial services companies) and five asset value groups (based on data reported by financial companies, which tend to use this type of benchmarking).

The publication details where the board assigns risk oversight responsibilities, whether it avails itself of dedicated reporting lines from senior management on risk issues, and the degree to which it adopts a standardized framework on enterprise risk management (ERM). Given the correlation between risk and strategy, data on the frequency and forms of strategic reviews is also presented.

The following are the main findings discussed in the study.

Adoption of an ERM framework. The integration of risk management procedures across the company has undergone a significant standardization effort. In the United States, in particular, this effort was driven by the ERM guidelines issued in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). More recently, other options have become available: in 2009, for example, the International Organization for Standardization (ISO) completed and published ISO 31000, Risk Management—Principles and Guidelines.

Companies in the financial services industries were initially the most receptive to newly introduced ERM standards. Since then, manufacturing and nonfinancial services companies have made significant progress. Slightly less than three-quarters of companies across industries reported that their risk management procedures are based on a widely accepted ERM framework.

Moreover, the popularity of ERM increases among the largest organizations. In the financial sector, for example, 85.7 percent of the largest companies (i.e., with asset value of $100 billion or greater) have adopted some form of ERM. The smallest companies (as measured both by annual revenue and asset value) were the only ones with less than a majority of ERM framework adopters.

Responsibility for risk oversight. The COSO guidelines recommend that organizations leave behind a culture of risk management that focuses exclusively on financial risk and assigns its oversight responsibilities to the audit committee only. Under ERM, risk management is an enterprise-wide series of coordinated activities that aim at elevating to the senior executive and board level any material risk that could affect the company’s ability to achieve its strategic objectives.

In addition, NYSE listing rules require audit committees to address oversight policies and procedures relative to risk assessment and risk management, as managed by the company.

Across industries, a large majority of companies perform their risk oversight function at the full-board or audit committee level. Only 4.8 percent of nonfinancial services and 2.6 percent of manufacturing companies have instituted a dedicated risk committee.


In 57.1 percent of the largest companies by asset value ($100 billion or greater), the risk oversight function is assigned to a dedicated risk committee. Only 28.6 percent of financial companies in this size group continue to delegate risk oversight responsibility exclusively to the audit committee. However, risk committees appear to be used only sporadically across revenue groups, with none of the companies in the largest group (i.e., $20 billion or more in revenue) reporting having a risk committee.

Frequency of risk reporting to the board. To have strategic relevance, an ERM program should contemplate thorough, ongoing bottom-up communication on risk. Survey findings show that financial companies constitute the only industry group analyzed in which more than half of companies engaged in the practice of reporting on risk at each board meeting and as part of the regular board agenda. The percentage decreases to 30.7 in manufacturing and 34.4 in nonfinancial services; in both industries, more than 35 percent of companies indicated that their boards of directors receive information on risk from management at least annually.

The size analysis also contains interesting findings. In particular, there is a moderate direct correlation between the practice of communicating risk to directors at each board meeting and asset value, and an inverse correlation between annual risk reporting and asset value. In the smallest size group, as measured by annual revenue (less than $100 million), 41.1 percent of companies indicated that their management reports to the board on risk issues only when circumstances warrant.

Chief risk officer. For many companies, the complexity of ERM demands the appointment to a leadership role of a dedicated senior executive. Where present, the chief risk officer (CRO) relieves the senior management team of a series of direct operational responsibilities regarding the design and implementation of risk management procedures spanning the entire organization. In addition, the CRO is typically in charge of articulating the ERM development effort among functional and business unit managers.

However, CROs are still uncommon in a large majority of manufacturing and nonfinancial companies. In those industry groups, respectively, 81.2 percent and 73.6 percent have not instituted this position. When analyzed by size, 83.3 percent of the financial companies with asset value equal to $100 billion or greater avail themselves of a dedicated chief risk officer; in all of those cases, the CRO reports directly to the CEO. The direct reporting of the CRO to the CFO is more common among smaller financial companies (for example, in 16.7 percent of those with asset value of less than $1 billion).


ERM executive committee. Although most manufacturing and nonfinancial companies do not have a CRO, they are gradually adopting another important guideline for risk management integration—the institution of a risk management committee at the management level. The ERM executive committee is typically composed of a subset of senior management, including functional managers (such as the chief financial officer, chief audit executive, chief information officer, and others) and the risk owners at the business-unit level. This is a relevant board practice because board members with risk oversight responsibilities are usually invited to attend the committee meetings.

Ultimately, the role of the committee is to funnel the diverse intellectual contributions of functional managers to the CRO (or CEO, if no dedicated position has been created to lead the integrated risk management program). A total of 40 percent of companies in both the manufacturing and nonfinancial services groups reported having instituted such an ERM executive committee. There is a direct correlation between company size (as measured by both annual revenue and asset value) and the presence of the ERM executive committee. For example, all financial companies with asset value of $100 billion or greater have an ERM executive committee, compared to 50 percent of those with asset value of less than $1 billion. This data also compares to 60 percent of manufacturing and nonfinancial companies with annual revenue of $20 billion or greater and to 10.7 percent of those with annual revenue of less than $100 million.
