Earlier this year I wrote that directors have become much more educated in recent years about enterprise (not just financial) risk management and about their fiduciary responsibility to oversee ERM effectiveness. (See this Doug’s Note.) Directors are asking management to answer specific, substantive questions about how the company’s ERM functions and how they can (or must) become more involved. As a result, short, vague, infrequent ERM reports from management to the board are becoming a thing of the past. Management now must be more intentional in how it bridges the gap between the company’s detailed, operations-oriented risk management plan and the board’s strategic oversight perspective.
Some companies are addressing this challenge by adding a risk oversight committee to the board’s existing committee line-up. More companies are expected to follow that lead in the near future.
According to a recent E&Y study, the average S&P 500 company has one board committee in addition to its three key committees—audit, compensation and nominating/governance. The most common additional committees are finance (38% of S&P 500 companies) and executive (37%). Interestingly, the prevalence of executive committees has declined significantly in recent years, perhaps because board and key committee duties are now much more detailed and specific, which makes the traditional role of an executive committee somewhat obsolete.
Not surprisingly, as ERM is becoming mainstream and boards are becoming more involved, risk oversight committees are more common. Although the E&Y study reports that only 8% of S&P 500 companies currently have a risk oversight committee, another 11% have a compliance committee and 38% have a finance committee. Many companies have begun to add ERM oversight to the duties of those committees in recognition of its increased importance and to better define the board’s duties in that area.
The next step is to formalize ERM within the committee structure. Companies should begin by assessing current board ERM practices in light of the existing committee structure and duties. It may be that another committee should be added, whether due to the complexity of the company’s ERM, a history of troublesome risk management issues or overtaxed existing committees. Alternatively, companies might decide to combine and re-designate existing committees (creating, for example, a Risk and Compliance Committee or a Risk and Finance Committee).
So, what would a risk oversight committee do?
A risk oversight committee’s duties would include:
- Understanding the company’s enterprise-wide risk exposure and risk management processes
- Determining and articulating to management the company’s risk appetite in key risk areas, as well as enterprise-wide
- Evaluating the overall effectiveness of management’s risk management processes
- Articulating to management any changes in strategy that could impact risk management programs
- Establishing a process for receiving regular reports from management, and interim communications as needed
- Establishing the method and frequency of committee reports to the full board, as well as the extent to which the full board may itself be directly involved in risk management
- Coordinating with other board committees to the extent that there are overlapping responsibilities (for example, with the audit, finance and compliance committees)
Enterprise risk management is mainstream and here to stay. It is also complex and time consuming. Companies should consider whether their current board structure and operation properly facilitate director fiduciary duties in this essential area.