Board Oversight of Risk Culture: Are U.S. Boards Willing and Able to Meet the Escalating Expectations?

Over the past 15 years expectations for board risk oversight have skyrocketed. In 2002 the Sarbanes-Oxley Act put the spotlight on board oversight of financial reporting. The 2008 global financial crisis focused regulatory attention on the need to improve board oversight of what is increasingly being referred to as management’s “risk appetite and tolerance.” In the wake of a number of high-profile personal data breaches, questions are being asked about board oversight of cyber-security, the newest risk threatening long term success of companies.[1] Most recently, boards, particularly boards in the financial services sector, are being called on to actively oversee the “risk culture” of their companies. Deficient risk culture is increasingly perceived to be the root cause of major governance breakdowns and scandals. A key question that needs to be addressed is “Are U.S. boards able and willing to step up to the plate to deliver on the heightened risk oversight expectations?”. This post overviews a few of the key developments driving the escalation of these expectations, articulates roadblocks many boards face, and prescribes practical strategies for boards and companies that want to meet these new expectations.

Board Oversight of Risk Culture – A Primer

An April 2014 Financial Stability Board (FSB) guidance paper provides a high-level vision of what it believes represents a “sound” risk culture: [2]

A sound risk culture consistently supports appropriate risk awareness, behaviours and judgments about risk taking within a strong risk governance framework. A sound risk culture bolsters effective risk management, promotes sound risk taking, and ensures that emerging risks or risk taking activities beyond the institutions risk appetite are recognized, assessed, escalated and addressed in a timely manner.

The FSB identifies risk governance, risk appetite, and compensation as the “foundational elements of a sound risk culture.”

The UK Financial Reporting Council, the UK equivalent of the SEC recommends that, in conjunction with its corporate governance Code guidance, boards, consider and discuss with senior management the following questions:[3]

  • How has the board reviewed and agreed to the company’s risk appetite? With whom has it conferred?
  • How has the board assessed the company’s culture? In what way does the board satisfy itself that the company has a ‘speak-up’ culture and that it systematically learns from past mistakes?
  • How do the company’s culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and internal control systems?
  • How has the board considered whether senior management promotes and communicates the desired culture and demonstrates the necessary commitment to risk management and internal control?
  • How is inappropriate behaviour dealt with? Does this present consequential risks?
  • How does the board ensure that it has sufficient time to consider risk, and how is that integrated with discussion on other matters for which the board is responsible?

Challenges for Effective Board Risk Oversight

  1. Lack of relevant and actionable practical guidance on how boards can assess and document the risk culture and its appropriateness within their companies.
  1. Senior management incentives (i.e., compensation, entrenchment, etc.) may result in reluctance letting boards know their “real” risk appetite/tolerance.
  1. Silo approach to enterprise risk management (ERM) in most companies may prevent the boards from receiving a consolidated report (like a balance sheet) on the state of retained risk at the entire organization level. As a result, boards may lack critical residual risk status information on their company’s top value creation and/or strategic business objectives and foundational objectives such as reliable financial reporting, compliance with laws, preventing unauthorized access to data, safety, and other social responsibility areas.
  1. Traditional internal audit processes and teams that provide point-in-time and subjective opinions on the effectiveness of internal controls may not be capable of helping boards meet Board risk oversight expectations.
  1. Risk-centric ERM processes using risk registers focusing on identifying and assessing individual risks without linkage to the related objectives and other risks impacting those objectives often don’t deliver value-relevant and actionable enterprise-level information on the composite residual risk status of key objectives.[4]
  1. Regulators, through their guidance or otherwise, while continuing to call on boards to oversee risk culture and management’s risk appetite and tolerance, continue to encourage the use of risk staff groups and internal audit functions as extended supervision/policing groups.
  1. The regulatory and compliance regime around SOX Section 404 in the U.S. drives companies to build systems to report whether their internal controls over financial reporting are “effective” but stops far short of requiring that the board be informed about the financial statement line items and note disclosures with highest composite uncertainty (i.e. the highest retained risk that the line items/notes may be materially misleading).[5]
  1. Many ERM software applications and consulting firms continue to promote the use of risk registers and heat maps that focus on identifying and assessing individual risks, but do not provide boards with a composite picture on the residual risk status linked to key objectives.
  1. Currently, significant confusion and debate exist on whether it is the responsibility of the full board or board sub-committees to oversee the company’s risk culture.
  1. Many Chief Audit Executives do not report to the board on their company’s residual risk status linked to key objectives or their opinion on the company’s risk culture and risk appetite framework[6].

There is little practical training or guidance for board members and auditors on how to effectively oversee risk culture

 The Way Forward – Some suggestions for those who want to up their game

  • Boards need to get educated on the new expectations related to board oversight of risk culture/risk appetite/risk tolerance.
  • Companies should complete a “risk culture gap assessment”.
  • Consider the benefits of a radical new approach to risk management and oversight “Board & C-Suite Driven/Objective Centric ERM and Internal Audit” that focuses on management reporting a snapshot on the state of residual risk status and internal audit providing an assurance report on the risk management process and report.
  • Regulators should consider safe harbor provisions in the area of board risk oversight to encourage better practices with less fear of punitive litigation.
  • Regulators need to mandate via new disclosure rules that CEOs are accountable for building and maintaining effective risk appetite frameworks and providing the board with reliable consolidated reports on company’s residual risk status.

How will the U.S. respond?

To date the focus in the U.S. has been on reforms in the financial services sector with little elevation of documented expectations for boards in other business sectors. It isn’t at all clear whether the SEC is prepared at this time to mandate major reforms and regulations to bring the U.S. in line with the U.K. in the area of board oversight of risk. In the absence of real and consistent pressure from pension funds, institutional investors, credit agencies and other stakeholders that are hugely impacted by corporate governance breakdowns U.S. boards may well have to decide for themselves if they want to do a better job overseeing risk culture and management’s risk appetite and tolerance.

ENDNOTES

[1] See January 23, 2015 blog post for an overview at http://www.hldataprotection.com/2015/01/articles/cybersecurity-data-breaches/data-breaches-hit-the-board-room/

[2] Financial Stability Board, “Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture,” April 7, 2014. p. 1. http://www.financialstabilityboard.org/wp-content/uploads/140407.pdf

[3] Financial Reporting Council, “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting.” September 2014. p. 21. https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/Guidance-on-Risk-Management,-Internal-Control-and.pdf

[4] See The High Cost of ERM Herd Mentality: Why traditional approaches have failed, white paper, Tim Leech http://riskoversightsolutions.com/wp-content/uploads/2011/03/Risk_Oversight-The_High_Cost_of_ERM_Herd_Mentality_March_2012_Final.pdf

[5] See Reinventing Internal Audit, Tim Leech, Internal Auditor, April 2015 for more details.

[6] See Reinventing Internal Audit, Tim Leech, Internal Auditor, April 2015 for more details

This post comes to us from Parveen P. Gupta, the Chair of the Department of Accounting and William L. Clayton Distinguished Professor at the Lehigh University College of Business and Economics, and Tim Leech, Managing Director at Risk Oversight Solutions. The post is based on their recent Director Notes article entitled “The Next Frontier for Boards: Oversight of Risk Culture” published by The Conference Board here.