Roles and Responsibilities of the Board and Management
It is essential that companies have an effective Enterprise-Wide Risk Management Program (ERM Program) and a Crisis Management Plan in place so that management and Boards of Directors are prepared, as best they can be, for both the expected and the unexpected.
Present events of the day bear this out. Such "headline events" as Iran's continued efforts to seek nuclear weapons, the European financial crisis (including the impact of the collapse of the Greek economy), political turmoil in Egypt, Libya, Syria and the Arab Spring, executive misconduct, cyber attacks, and even the "fiscal cliff" that approaches in the United States if an agreement cannot be reached on taxes and spending by the end of 2012 all clearly demonstrate one basic proposition: Change is unpredictable, its consequences can be severe, and its velocity rarely can be anticipated.
The consequences flowing from a headline event are particularly severe in the current environment because of:
- the politicization of headline events,
- the criminalization of corporate events,
- activist reaction of shareholders and the public, and
- the extremely rapid pace at which consequences often mount.
These consequences can frequently combine to create an exponential multiplier effect of even greater intensity and, accordingly, even greater risk.
The recently proposed enhanced supervision regulations of the Board of Governors of the Federal Reserve System1 reflect the Fed's recognition that preventative enterprise risk management programs and post-event crisis management programs are critical to managing and addressing risks in a dynamic and uncertain environment. Likewise, a recent article reported that staff of the Securities and Exchange Commission have held meetings about risk management with directors at financial institutions "to increase acceptability at the Board level."2 If federal banking and securities regulators are emphasizing Enterprise Risk Management, Boards of Directors and Management would be well served to emphasize it as well or risk exposing their companies to the examinations, investigations and enforcement actions which often follow new points of regulatory interest.
An ERM Program and a Crisis Management Plan at both the management and Board of Directors levels are essential to:
- mitigate risks and reduce a company's litigation exposure and, in extreme cases, perhaps are even critical to a company's survival; and
- improving business operations by forcing a risk-adjusted analysis of profitability.
The key in the process is to recognize and assess the extent of a company's likely interdependence across multiple lines of business, geographies, and product mixes when a crisis materializes in any one of these.
ERM is a process to identify, assess and mitigate risk. This remainder of this article will briefly describe a model ERM program, discuss how companies can manage through the unknown, identify the need for a crisis management template and a Crisis Management Plan for events that cannot be anticipated, along with those that are low probability and high severity that might not be possible to mitigate.
Role of ERM and Crisis Management
Scope of ERM
Enterprise-wide Risk Management encompasses all of the risks that a company faces including, in no particular order;
- Financial markets disruption
- Interest rate
- Human Resources (HR)
- Data protection and privacy
- Enforcement actions by Federal or state criminal authorities
- Governmental investigations
- Regulatory and compliance requirements
- Cyber attacks
- Information Technology (IT)
- Business Continuity and Disaster Planning
- Supply chain
- Financial disclosure
- Document retention policies and practices and disclosure (obstruction of justice or civil contempt)
- Executive misconduct or negligence (Personal and/or Professional)
- Business partners
- Third party service providers
Ethical and Cultural Imperatives for Effective ERM
There are many reasons why companies should have an effective ERM Program and compliance program.
- Provisions of the Sarbanes-Oxley Act of 2002 (the "Sarbanes-Oxley Act") and disclosure requirements regarding risk factors
- Federal sentencing guidelines
- NYSE corporate governance guidelines for its listed companies require such companies' Audit Committees to "discuss policies with respect to risk assessment and risk management."3
- Credit rating agencies' incorporation of ERM
- D&O Liability and litigation (See e.g., Caremark, Stone Ritter, Disney, etc.)
Accounting and audit review standards for internal controls certifications.
- (See, for example, Sarbanes-Oxley Section 404 which mandates that all publicly-traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness Section 404 also requires U.S. publicly-traded companies to use a control framework in their internal control assessments. Likewise, Public Company Accounting Oversight Board ("PCAOB") Auditing Standard No. 5 emphasizes the importance of top-down risk assessment and specifically requires covered companies to perform a fraud risk assessment.)4
Provisions of Dodd-Frank
- Significantly, Sections 165(b)(1) and 165(h) of the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank") to be implemented by recently proposed regulations, require certain financial institutions to, among other things, (1) create a separate Risk Management Committee at the Board level with specified responsibilities an (2) appoint a Chief Risk Officer with specified duties, powers and reporting lines. On December 21, 2011, the Federal Reserve Board published for comment "Proposed Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies."5 The comment period originally ended March 31, 2012, but was extended to April 30, 2012. The Fed is now reviewing the comments received before issuing a final rule.
ERM is also an essential business management tool to:
- assess and analyze business and activities on a risk-adjusted basis, i.e., higher risk businesses should have higher rate of return to justify and pay for risk mitigation efforts and potential liability
- engage in sound strategic planning and financial management which requires that all risks of every line of business and activity be assessed and balanced against profitability, and
- recognize and prepare for the interdependency of events.
It is part of a sound business practice – part of a proactive, preventative compliance culture that seeks to:
- minimize or prevent risks
- mitigate loss from failure to prevent or mitigate risk, and
- mitigate litigation.
The implementation of a proactive, preventative approach to risk management and compliance at both the Board and management level is critical. It sends a clear message to the officers and employees of the company, and to the public, that these issues are not only legal requirements, but also ethical and cultural imperatives, and represent sound business practices which should be part of a company's culture.
In addition, the nature and intensity of regulatory and enforcement responses to problems has increased significantly, and, as discussed above, all indications are that this will continue. Given the foregoing, a proactive, preventative approach to risk management will help to minimize problems and, where problems do occur, minimize the litigation, regulatory, enforcement, reputational and financial consequences. Historically, an event could lead to SEC, criminal and civil actions. In this new era, regulatory enforcement actions, Congressional investigations, Congressional hearings, actions and prosecutions by State Attorneys General, public vilification, political and governmental reaction, and shareholder and popular backlash are all foreseeable consequences of inadequate or ineffective ERM Programs.
It is imperative that management and Boards of Directors assume a leading role in ensuring that all risks facing a company are identified and assessed, and that a risk management and compliance system is in place to facilitate the proactive identification, assessment, management and mitigation of those risks. The Board must make sure that it is fully apprised of risks faced by the company, and that it can make an independent determination that management has implemented and maintained effective enterprise-wide integrated risk management policies and procedures, including internal controls and compliance. Among other things, the Board should consider whether the company's risk management and compliance system incorporates each of the following action items.
Undertake a Risk Identification and Assessment Program
An enterprise-wide risk identification and assessment program should be undertaken. In many circumstances, it may be appropriate that the assessment be undertaken by an independent third party and that it be updated periodically. This risk assessment is critical to establishing an appropriate risk management process, as outlined below.
Once a risk assessment has been completed, an enterprise-wide risk management process should be implemented. Obviously, no process is appropriate for all companies and each process must be modified and customized as required to reflect a company's business needs, operating realities and the nature of its regulatory environment. The goal of this process should be to have a holistic approach to risk prioritization, risk tolerance level and mitigation approach.
Establish an ERM Committee
An enterprise-wide risk management committee ("ERM Committee") should be established, composed of senior executives from all non-line areas (e.g., IT, finance, audit, legal, compliance, human resources, public/investor relations), and primary business line areas (e.g., heads of manufacturing, operations, geographic heads or business lines, depending on how the company is organized). This approach recognizes and accounts for the interdependency of products, geographies and business lines. The ERM Committee should assure that all risks faced by the company are identified, analyzed and prioritized, and that internal controls and procedures are in place to manage and mitigate those risks based on frequency and severity.
The ERM Committee should report directly to the audit committee of the Board or a special risk committee of the Board. The chairman of the ERM Committee should be the Chief Risk Officer and the CEO should be a member.
Risks should be assessed on an ongoing basis, and should include not only business and financial risks, but all risks the company faces, including legal, regulatory, compliance, governmental, operational, treasury, shareholder (activist), unions, communities in which the business operates, vendor, customer, product, political, environmental, international, supply, reputational, human resources, technology, insurance and audit. Monthly meetings should be scheduled and run similar to the way in which meetings of the Board of Directors are scheduled and run.
At initial meetings, each member of the committee (or senior officers from the area) should make a formal presentation assessing and identifying risk in the particular area for which he is responsible, and explaining what processes and controls are in place within that area to mitigate and manage risks identified. This identification and assessment process should be based upon a "bottom-up" informational gathering, review and assessment and mitigation recommendations. Recommendations regarding prioritization and tolerance should be made as well.
The Executives in the Divisions should engage in a Sarbanes-Oxley-like financial reporting certification process to assure that they and their divisions take this process seriously. This decentralized bottom-up approach is designed to ensure that the process appropriately reflects, recognizes and assesses risks as identified at the operating levels and puts accountability at these levels of the enterprise.
However, by making this presentation to the centralized risk management committee, the members can offer an assessment of how the risk in a particular area interrelates with risk in the various other line and non-line areas of the company. Once the initial meetings have identified, assessed and discussed controls in place to manage and mitigate risk, a risk prioritization should be undertaken to determine the frequency of subsequent presentations. Most importantly, this should include stress testing and operational war games to determine risks and mitigation in extreme financial, operational, IT, vendor, customer, and supply chain circumstances.
An ongoing enterprise-wide risk assessment should be prepared based on the presentations so that a holistic, enterprise-wide approach to prioritization, tolerance and mitigation can be adopted. The risk prioritization enables the risk management committee to determine the frequency and scope of presentations by each of the line and non-line units similar to the way in which an auditor undertakes a risk prioritization to determine the frequency and scope of audits within a company.
This assessment should reflect a "heat-mapping" of probability or likelihood and severity. The obvious example is BP in the Gulf-a low probability event but with very high severity if it happens.
On a scheduled going-forward basis, formal presentations by each division of the company to the ERM Committee should describe and analyze:
- All risk their areas face;
- What controls have been or will be put in place to minimize these risks;
- Where loss has occurred or might occur;
- What is the probability and severity;
- What monitoring is being done;
- What stress testing has been done; and
- How to assure proper accounting and reporting of financial data disclosure policies and procedures.
The ERM Committee should review new products, geographic expansion or business initiatives. In addition to regularly scheduled presentations, ongoing meetings should require each line and non-line executive to discuss any new products, activities or significant new relationships, or geographic expansions and assess the risk associated with them for group discussion and incorporation into the ongoing risk assessment, management and mitigation program and as part of a process of calculating risk-adjusted profitability.
In order to assure the oversight and accountability of the ERM process, there should be a risk self-assessment process by each division and a periodic audit or review by the risk management division or by audit to independently review the risk identification, assessment and mitigation results of each division. The results of this process should be evaluated as part of employee performance evaluations.
Implement an ERM Committee Board Reporting Process
The Board or a Committee of the Board should receive regular written and oral reports from the ERM Committee and the Chief Risk Officer so that it can independently assess the approach of management through the ERM Committee in identifying, assessing, prioritizing and mitigating risk.
However, there are several Board models for ERM Reporting and Oversight at the Board level:
- Audit Committee
- Audit and another Committee
- Business/Finance Committee
- Risk Committee
- Full Board
Establish a Crisis Management Plan
Crisis Management is what to do when a risk materializes - whether identified or not. A crisis management plan is essential to minimize loss and litigation and ,given the current environment, must be multidisciplinary and address:
- public relations and communications
- Board involvement and role
legal – strategy for simultaneous actions:
- Department of Justice (DOJ)
- civil shareholder suits
- internal investigations
- congressional investigations
- regulatory investigations
- State attorney general actions
- management's role
- employees (How do you keep them going? Tired, demoralized, uncertain, scared, angry)
- reputation and brand
A crisis management plan properly developed and implemented will reduce the risk of litigation and the losses and reputational risk if litigation occurs.
A crisis is like an iceberg—you can really only see the little part sticking out of the water but it is the mass of ice underneath that can do the most damage.
When management and Boards think about a crisis that might result in an investigation or litigation, it is critical to be prepared to get on top of the issue quickly. In this environment, a headline-grabbing crisis—the tip of the iceberg—results in simultaneous or rapid sequential civil litigation, governmental investigations by the SEC, DOJ, primary regulatory agency, congressional investigations, congressional hearings, political reaction or intervention and actions by state Attorney Generals. The strategies for each are different and require an integrated, coordinated, holistic response. The key is to get the facts quickly—most often an independent investigation is necessary to get the facts. In addition to legal issues, these events generate customer, vendor, supplier, local community, reputational, and employee reaction.
- Misinformation or bad information can often times create more problems than the underlying acts.
- An immediate factual investigation is imperative.
- Information disclosure - advertent and inadvertent.
- The impact of these investigations and the facts for the company and the employees can be paralyzing and distracting. The political and public relations issues are overwhelming. But there is customer, consumer, producer, shareholder and public reaction as well.
- Companies must proactively monitor social media and blogs to gather intelligence on what is happening and what messaging is going on, including allegations or facts that may impact the investigative process.
The failure of Boards and companies to respond quickly and appropriately can result in creditors, suppliers and customers all acting irrationally. This, in turn can quickly send a company into a death spiral.
- What are the quick step actions for Boards that all crisis plans should include?
- A predetermined list of advisors who know the company, and immediate fact-finding – a careful, truthful, deliberate response is necessary no matter how painful.
- The Board should decide ahead of time what its role will be – how involved it will be. In this environment, and this is not a widely-held view, a Board, or a committee, must be intimately and actively involved with management. Communications and information flow to the Board is critical. There should be no surprises.
What should the level of involvement be - what, how much and how:
- Chair/Lead Director/Audit Committee Chair/ Special Committee Chair
- Updates, Special meetings
- Information flow
- Key decisions, alternatives, implications
Adopt a Communication Plan
- A communications plan to all stakeholders and constituencies including employees, vendors, customers, suppliers, regulators – is critical. Again, there must be confirmed, fact-based, open and honest communication. Immediate action and government cooperation is critical in mitigating punishment under the Sentencing Guidelines.
It is critical to get the facts:
- must be confirmed and irrefutable to maintain credibility and trust as soon as possible.
- no premature or false or misleading statements.
What Are the Looming Risks That Seem to be on the Up-and-Coming That Will Threaten Companies and Quickly Change Board Agendas?
- Whistleblowers creating transparency and the impact of these events on reputation;
- Cyber attacks;
- Environmental events;
- Industrial espionage, labor events – strikes, stoppages;
- Government enforcement action;
- Actions of business partners or third party service providers;
- Shareholder activism;
- Financial markets disruption;
- Political unrest;
- Cloud computing.
But in a recessionary economic environment, problems are also created or exacerbated, for example, by public reaction, witness the Occupy Wall Street movement or near riots in London. But the biggest worry is that a company cannot anticipate all the high severity/low probability events. It is critical to have a crisis management process that enables a company to react to an event that it cannot predict, prevent or where the probability of occurrence is so low that the company cannot direct sufficient resources to seek to mitigate.
Advice to Management and Board's of Directors on Mitigating Risks and Reducing Litigation Exposure
Prevention, Prevention, Prevention.
Many crises could be prevented or mitigated by an effective tone at the top, and by ethics and compliance programs that detect a crisis before it materializes. Many crises are the result of long-standing business behavior that has been tolerated or rationalized by management.
An effective ERM Program is a critical component of prevention – by identifying, assessing and implementing risk mitigation efforts some events can be prevented and others mitigated.
Carefully establish effective ERM systems that:
- can identify and assess risks and put risk mitigation programs in place, including business continuity plans, and that ensure there is an adequate level of stress testing; and
- provide risk-adjusted analysis of a company's existing and proposed business lines, products, activities and geographic operations.
Be prepared for what you cannot anticipate, have a crisis management process in place. In the U.S., under the COSO framework the Board has the ultimate responsibility for risk management. Part of risk management is crisis management and part of crisis management is business continuity planning.
The Role of In-House Counsel
Executive Management ERM Process
Persuade Executive Management and the Board of Directors to create a holistic, empowered substantive Enterprise Risk Management process at the executive management level as described in this article reporting directly to the Board of Directors to mitigate liability and risk exposure, and
Analyze best practices and advise and counsel executive management how ERM should be structured and the business benefits of risk identification and assessment of business expansion and activities so that they can be assessed for profitability on a risk adjusted basis.
Legal Risk and the ERM Process
As part of the executive management ERM process, in-house counsel should identify assess, prioritize and take steps to prevent or mitigate legal risk and liability.
Board of Directors ERM Process
Analyze and advise the Board of Directors with respect to its roles of oversight and responsibility for ERM.
Advise the Board of Directors as to a corporate governance structure at the Board level to oversee and assess the executive management ERM process and the establishment of appropriate independent reporting lines from the chief risk officer and executive management ERM committee to the Board or a Board Committee.
* * *
In the current environment of polarization, criminalization, and the rapid pace at which consequences mount, there are a number of legal and business reasons that make it critical to have an effective ERM Program and Crisis Management Plan in place in order to minimize liability and loss. Likewise, in an environment where the SEC, DOJ, state attorney generals, a company's primary regulator, Congress, the Administration and the press may all be involved, the need for a multi-disciplinary management plan and team is essential.