The Next Frontier for Boards, Oversight of Risk Culture

Matteo Tonello is managing director of corporate leadership at The Conference Board. This post relates to an issue of The Conference Board’s Director Notes series authored by Parveen P. Gupta and Tim Leech. The complete publication, including footnotes and Appendix, is available here.

Over the past 15 years expectations for board oversight have skyrocketed. In 2002 the Sarbanes-Oxley Act put the spotlight on board oversight of financial reporting. The 2008 global financial crisis focused regulatory attention on the need to improve board oversight of management’s risk appetite and tolerance. Most recently, in the wake of a number of high-profile personal data breaches, questions are being asked about board oversight of cyber-security, the newest risk threatening companies’ long term success. This post provides a primer on the next frontier for boards: oversight of “risk culture.”

Weak “risk culture” has been diagnosed as the root cause of many large and, in the words of the Securities and Exchange Commission Chair Mary Jo White, “egregious” corporate governance failures. Deficient risk and control management processes, IT security, and unreliable financial reporting are increasingly seen as mere symptoms of a “bad” or “deficient” risk culture. The new challenge that corporate directors face is how to diagnose and oversee the company’s risk culture and what actions to take if it is found to be deficient.

Regulators, institutional investors, and credit rating agencies have increased the call for corporate directors to strengthen board governance and board risk oversight. The Enron era saw boards of directors being accused of fiduciary failure for allowing “high risk accounting.”

Sarbanes-Oxley raised the bar significantly in the area of financial reporting for audit committees, CEOs, and CFOs of US listed public companies. In the aftermath of the global financial crisis of 2008, regulators have reached a consensus: boards should be evaluated and put on the regulatory hot seat if they fail to take steps to oversee management’s risk culture, appetite, and tolerance.

This global regulatory storm has culminated in a series of papers from the Financial Stability Board (FSB), a global regulatory advisory body formed following the onset of the global financial crisis. Its main objective is to provide guidance to national financial sector and securities regulators around the world. In its most recent paper, issued in 2014, the FSB called on national regulators to actively assess the “risk appetite framework” and “risk culture” of systemically important financial institutions (SIFI), including assessing boards’ effectiveness in overseeing their company’s risk culture. The FSB summarized the new expectations of national financial sector regulators as follows:

“…efforts should be made by financial institutions and by supervisors to understand an institution’s culture and how it affects safety and soundness. While various definitions of culture exist, supervisors are focusing on the institution’s norms, attitudes and behaviour related to risk awareness, risk taking and risk management, or the institutions’ risk culture.”

The Financial Reporting Council (FRC), the United Kingdom’s national securities regulator, reacted to the FSB’s recommendations by updating The UK Corporate Governance Code that applies to all UK public companies. Provision C.2.3 of the Code mandates that the board should annually review and report on the effectiveness of their company’s risk management and internal control systems. Specifically, Item 43 in Section 5 of the guidance requires the board, in its annual review of effectiveness, to consider the company’s “willingness to take on risk (its ‘risk appetite’), the desired culture within the company and whether this culture has been embedded.”

The FRC, recognizing that there is little tangible guidance available to boards on how to oversee a company’s culture, stated that, in 2015, the initial year of implementation of the new board oversight requirements, it will focus on “company culture: how best to assess culture and practices and embed good corporate behaviour throughout companies.”

Financial regulators globally, including the SEC, are expected to follow the UK’s lead and significantly increase their focus on board oversight of corporate culture generally, and risk culture in particular. In a global survey conducted by KMPG, 1,500 audit committee members ranked government regulation second among risks that pose the greatest challenge for their company. Oversight of risk culture may be one of those areas of new government regulation.

The purpose of this post is to provide board members with an overview of these new expectations and to outline potential handicaps that boards may encounter. The paper also offers suggestions for boards of directors on overseeing their company’s risk culture.

Board Oversight of Risk Culture: A Primer

In a 2009 report on reform in the financial services industry, the Institute of International Finance (IIF) proposed the following definition of “risk culture”:

“…norms and traditions of behaviour of individuals and of groups within an organization that determines the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes.”

The Financial Stability Board (“FSB”) has emphasized the importance of risk culture in a number of recent guidance papers. Following the consideration of feedback the FSB received to the publication in 2013 of an exposure draft on assessing risk culture, the agency issued guidance on assessing risk culture in April 2014. This FSB guidance may well prove to be a turning point in the history of the evolution of regulatory supervision approaches and board risk oversight expectations.

The ongoing discussion of the role of regulators in overseeing the risk culture of financial institutions raises the question of whether national regulators are equipped to assess and opine on whether a company has a poor, adequate, good, or even the more elusive, excellent risk culture. A number of respondents to the 2013 FSB exposure draft on risk culture questioned whether regulators had the capabilities necessary to form sound, repeatable conclusions on this important issue, with particular concerns expressed that it could become a “check-the-box” exercise (see, for example comment letters issued by the US Chamber of Commerce, Professional Risk Managers International Association, and the International Actuarial Association).

Risk Oversight’s comment letter even questioned whether global regulators were inadvertently handicapping efforts globally by encouraging companies to implement frameworks that purport to foster better risk culture by requiring binary (effective/ineffective) reports on internal control effectiveness.

The April 2014 FSB guidance provides a high-level vision of what it believes represents a “sound” risk culture:

A sound risk culture consistently supports appropriate risk awareness, behaviours and judgments about risk taking within a strong risk governance framework. A sound risk culture bolsters effective risk management, promotes sound risk taking, and ensures that emerging risks or risk taking activities beyond the institutions risk appetite are recognized, assessed, escalated and addressed in a timely manner.

The FSB identifies risk governance, risk appetite, and compensation as the “foundational elements of a sound risk culture.” While acknowledging that “assessing risk culture is complex,” the FSB asks national regulators to consider the following indicators of a sound risk culture during their inspections/audits: tone from the top, accountability, effective communication and challenge, and incentives. The FSB recommends that regulators consider these indicators “collectively and as mutually reinforcing” rather than individually. Details on the risk culture indicators are shown in the box, right.

The UK FRC recommends that, in conjunction with its guidance, boards, consider and discuss with senior management the following questions:

  • How has the board agreed the company’s risk appetite? With whom has it conferred?
  • How has the board assessed the company’s culture? In what way does the board satisfy itself that the company has a “speak-up” culture and that it systematically learns from past mistakes?
  • How do the company’s culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and internal control systems?
  • How has the board considered whether senior management promotes and communicates the desired culture and demonstrates the necessary commitment to risk management and internal control?
  • How is inappropriate behaviour dealt with? Does this present consequential risks?
  • How does the board ensure that it has sufficient time to consider risk, and how is that integrated with discussion on other matters for which the board is responsible?

Other regulators around the globe could follow the UK’s lead by increasing their focus on risk oversight and risk culture. “Tone at the top” has been espoused by the head of the US SEC. In a July 2014 speech, SEC chair Mary Jo White noted:

Ensuring the right “tone at the top” for a company is a critical responsibility for each director and the board collectively. Setting the standard in the boardroom that good governance and rigorous compliance are essential goes a long way in engendering a strong corporate culture throughout an organization.

Given this renewed focus on directors as gatekeepers and “tone at the top,” board oversight of corporate risk culture could be an important area of SEC focus and scrutiny going forward.

Challenges for Board Oversight

  1. Many board members, because of their years of real-world experience, are able to informally gauge the risk appetite and tolerance of senior management, especially CEO/ CFOs, but there is very little practical guidance available on how boards should assess and document the appropriateness of the risk culture of an entire organization.
  2. Senior management, including the CEO and CFO, may be reluctant to let the board know their “real” risk appetite/tolerance, as it may conflict with compensation systems and/or career advancement goals. It is now well-documented that one of the risks that boards face is “asymmetric information” (the risk that management knows things about the state of risk that the board does not) when overseeing management’s risk appetite and tolerance.
  3. Many boards may not receive a consolidated report (like a balance sheet) on the state of retained risk across their company’s top value creation and/or strategic business objectives and foundational objectives such as reliable financial reporting, compliance with laws, preventing unauthorized access to data, safety, and other social responsibility areas. A recent study indicates “only 30 percent describe their ERM process as systematic, robust, and repeatable with regular reporting of top risks to the board. That percentage is higher (55 percent) for large organizations and public companies (59 percent)”. Only a consolidated report on residual risk status provides a window for the board on the interrelationships between objectives and related risks that cross multiple risk and assurance silos.
  4. Traditional internal audit processes and teams that provide point-in-time and subjective opinions on the effectiveness of internal controls are not well-equipped to provide boards with opinions on an organization’s risk culture, the effectiveness of risk management processes, or consolidated reports on residual risk status linked to key strategic and foundation objectives.
  5. Risk-centric ERM processes that use risk registers that focus on identifying and assessing individual risks without linkage to related objectives and other risks impacting those objectives may not deliver concise, reliable enterprise-level information on the composite residual risk status linked to key strategic and foundation/potential value erosion objectives.
  6. Regulators, while increasingly calling on boards to oversee risk culture and management’s risk appetite and tolerance, continue to favor the use of risk staff groups and internal audit functions as extended supervision/policing groups. This regulatory bias may handicap the efforts of progressive boards who much rather have their internal audit and risk specialists to work collaboratively with management to enhance risk processes and foster better and candid disclosure of all significant retained risk situations.
  7. The regulatory and compliance regime around SOX Section 404 in the United States drives companies to build systems to report whether their “internal controls over financial reporting are effective,” but stops far short of requiring that the board be told about the financial statement line items and note disclosures with highest composite uncertainty (i.e. the highest retained risk that the line items/notes may be materially wrong).
  8. Many ERM software applications and consulting firms continue to promote the use of risk registers and heat maps that focus on identifying and assessing individual risks, but do not provide boards with a composite picture on the residual risk status linked to key objectives.
  9. Boards of directors may be relying too much on reports by the subject matter experts (including chief legal officers, chief internal auditors, heads of compliance or safety, and other assurance leaders) that state that controls are working and “effective” or “ineffective,” instead of information on the highest residual risk status objectives needed to effectively monitor a company’s overall risk appetite and risk culture.
  10. Currently, significant confusion and debate exist on whether it is the responsibility of the full board to oversee the company’s risk culture, including management’s risk appetite and tolerance, or whether various board committees are individually responsible for different risk oversight functions. This may handicap efforts to create an overall picture of the company’s risk culture and management’s risk appetite/tolerance.
  11. Although the chief audit executives of many large corporations now have a solid line relationship to the audit committee of the board, many still do not report to the board on their company’s residual risk status linked to key objectives or their opinion on the company’s risk culture and risk appetite framework. This may be simply because their boards haven’t asked for this information or because the chief audit executive doesn’t know how.
  12. There is little practical training or guidance for board members and auditors on how to effectively oversee risk culture, including the effectiveness of risk appetite frameworks adopted by a company, from associations like the National Association of Corporate Directors (NACD) in the United States and Institute of Corporate Directors (ICD) in Canada. On the audit front, the curriculum and professional practice standards for Certified Internal Auditors (a professional designation awarded by the IIA) continue to be heavily weighted towards training auditors to do spot-in-time internal audits that produce subjective opinions on internal control effectiveness and “control deficiencies” and “material weaknesses”; not reports on the current state of residual risk status linked to top strategic and foundational objectives. Although the Institute of Internal Auditors (IIA) is encouraging its members to transition from traditional methods to ones more aligned with the FSB expectations, real progress to date has been slow.

The Way Forward

The following recommendations aim to help corporate boards enhance risk governance at their companies.

Get educated on the new board oversight of risk culture expectations. Consultants and the Institute of Internal Auditors are following these trends closely. Boards can proactively request that subject matter experts, consulting firms, chief internal auditors, and chief risk officers provide them with briefings on board oversight of risk culture expectations and inform them on the urgency with which the local regulators, the courts, institutional investors, credit rating agencies, activist investors, and others will likely act to hold management and boards more accountable in this area. Directors of companies in the financial services sector in particular should expect regulators to quickly elevate expectations of board oversight of risk culture.

In the UK, in addition to requiring boards to make key public disclosures regarding responsibility for risk oversight and how that responsibility is discharged, starting in 2015, external auditors will also be required to confirm that nothing has come to their attention that suggests that the required representations on risk governance from board chairs regarding risk oversight practices, including board oversight of risk culture, are wrong or misleading. It’s uncertain whether there will be new codified regulatory expectations in this area for all publicly listed companies in the United States and Canada.

Complete a risk culture gap assessment. The criteria selected for a gap assessment will vary by business sector and by jurisdiction. For large international financial sector organizations, the FSB guidance on sound risk culture provides a high bar to assess against. Local national regulators may have adopted lower expectations in the area of risk governance that can be used as appropriate benchmark criteria for a gap assessment, unless the business case for change presented by the FSB in their “raise the bar” risk culture oversight guidance is appealing to the board.

For US public companies outside of the financial services sector, little has been codified by the SEC regarding board risk oversight requirements beyond the broad and generalized 2009 proxy disclosure requirements described in the SEC’s Proxy Disclosure Enhancements rule. However, public remarks by SEC commissioners in 2014 and 2015 have stressed the importance of effective board risk oversight, and may signal that more SEC codification of board risk oversight expectations may be coming.

Consider a Board & C-Suite Driven/Objective-Centric approach to ERM and Internal Audit. Traditional “risk-centric” approaches to ERM and traditional internal audit methods have not resulted in the type of risk culture oversight and risk appetite frameworks increasingly urged by regulator. Radical, not incremental change is required. A Board & C-Suite Driven/Objective-Centric ERM and internal audit approach calls for active board and C-Suite involvement in overseeing the effectiveness of their organization’s risk frameworks. Management, with board oversight, specify which end result objectives they want formal assurance on, the level of risk assessment rigor they think is warranted, and the level of independent assurance they want that the risk assessments are producing reliable assessments of the current state or residual risk. Appendix 1 of the complete publication provides an overview of the key elements of this approach. Under this approach ERM specialists work to create robust risk assessment processes capable of delivering materially reliable consolidated reports on residual risk status for senior management and the board. Internal audit groups transition from spot-in-time audits that produce subjective opinions on “control effectiveness” on a small percentage of the risk universe for the board to the expanded role envisioned by the 2013 FSB report “Principles for an Effective Risk Appetite Framework.” The FSB guidance calls for internal audit departments to focus on providing reports to the board on the effectiveness of the organization’s entire risk management/risk appetite framework.

Regulators should consider safe harbor provisions in the area of board risk oversight. One can argue that one of the reasons that the UK has taken the lead in the area of board risk oversight is its less punitive legal system. The punitive nature of the US legal system elevates litigation risk that can sometimes come with truly effective risk assessment processes and disclosures. This has sometimes been labelled the “two-edged sword” of risk management. Regulatory reforms could provide some form of safe harbor for companies and boards that, in good faith, implement risk appetite frameworks that report on the state of residual risk linked to key strategic and foundation objectives. Until then, legal counsels must be engaged when their company’s boards are informed of residual risk status information that may include evidence of illegality, contractual noncompliance, non-use of viable controls to mitigate certain risks, conscious acceptance of certain risks, and other potentially damaging information.

Hold the CEO accountable for building and maintaining effective risk appetite frameworks and providing the board with periodic consolidated reports on the company’s residual risk status. A key reason that progress on implementing robust ERM systems has been slow is a lack of C-suite accountability to provide the board with consolidated enterprise reports on the current state of residual risk. The FSB guidance on effective risk appetite frameworks calls for substantially increased CEO accountability. In this regard, the FSB stated:

4.2 The chief executive officer should:

a) establish an appropriate risk appetite for the financial institution (in collaboration with the CRO and CFO) which is consistent with the institution’s short and long-term strategy, business and capital plans, risk capacity, as well as compensation programs, and aligns with supervisory expectations;

b) be accountable, together with the CRO, CFO, and business lines for the integrity of the RAF, including the timely identification and escalation of breaches in risk limits and of material risk exposures;

Once the CEO is assigned responsibility for end results like those described above, he/she can decide how best to allocate specific roles to ensure his/her responsibility to provide the board with reliable information on the current residual risk status related to key objectives is fulfilled. That may entail appointing a chief risk officer or, in smaller organizations, assigning responsibility to a chief operating officer, a senior vice president, or the organization’s chief internal auditor to lead efforts to implement effective entity-level risk management and risk oversight processes. The key is that the CEO should be clear that it is his/her job to ensure both the reliability of the process that produces risk status information for boards as well the reliability of the regular report to the board on the current areas of highest retained risk and the objectives impacted.

History has shown that regulator zeal is often heavily influenced by the political agenda of the day. The Sarbanes-Oxley Act of 2002 and 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act are just two examples of this. Financial sector governance reform is moving ahead at full steam globally because of a continuing flow of what the SEC Chair White has termed “egregious corporate conduct.” The 2008 global financial crisis and the London Interbank Offered Rate (LIBOR) and foreign-exchange rate fixing scandals, multi-billion dollar anti-money laundering settlements, and allegations that banks provided clients with tax evasion services raise big questions about the risk culture of large banks and, for their directors, questions about the effectiveness of board risk oversight. All US-listed companies are advised to monitor SEC actions in this area closely and it is likely that other countries will follow the UK’s lead in this area over the next decade. Good governance is fundamentally about a country’s ability to attract and grow capital and drive national growth and prosperity by maintaining fair and equitable capital markets. Effective board oversight of risk culture is now considered a key to achieving this goal.

The complete publication, including footnotes and Appendix, is available here.

Both comments and trackbacks are currently closed.
  • Subscribe or Follow

  • Supported By:

  • Program on Corporate Governance Advisory Board

  • Programs Faculty & Senior Fellows