Of interest to me is how, and how well, risk management information has been making its way into governance frameworks of companies, and I had the chance to hear firsthand about this when I was at an assembly of large company chief risk officers in October 2007. The topic of my discussion was how risk management organizations (RMOs) and boards of directors interact — and it was clear from the group interaction that top-level practices differed extensively.
So as a follow-up to that assembly, my colleague David R. Koenig, the former chairman of PRMIA, and I conducted a survey of very large corporations around the world, and the results confirmed that a standard of best practices for employing risk management within a governance structure does not yet exist.
Our survey results also confirmed something else: there is substantial change occurring within governance structures toward a more robust incorporation of risk management. And we found that while some companies employ ongoing efforts for the communication and improvement of governance and risk management practices within their board and employee populations, a very substantial number of others do not have such capabilities in place.
Our survey shows a wide variety of approaches currently being used to facilitate interactions between RMOs and boards — even within the same industry — and that meaningfully different approaches to risk/governance implementation exist at many levels in the companies: at the board committee and executive level, in the chains of reporting within the executive suite and in patterns of communications to governance structures.
Not surprisingly, an audit committee is the most frequent choice for board oversight of risk management, but it was still the choice of less than one third of our survey respondents. The remaining choices span a wide range of board entities. Risk committees are emerging as an important board-level committee, but they accounted for only 17 percent of the risk oversight assignments reported to us. There are many factors that can account for this wide dispersion of choices, but it certainly suggests that the board of directors' interface with the risk management organization is far from settled into a widely acceptable pattern, and the relationship will continue to evolve.
We asked participants about their objectives for risk management and found they also differ even between participants in the same industry and are almost always multifold. Most of our survey participants agreed on loss avoidance and control as objectives, while a smaller number — but still a majority of respondents — also identified securing a competitive advantage as an objective.
Finally, we found that the most significant task lacking at many (but certainly not all) of the companies in our survey group was effective communication and education on risk policies for employees, a surprising gap in this important element of good governance practice.
It’s clear that further study of means for effective communication of the corporate appetite for risk, risk policy and risk data/reporting expectations is warranted to ensure that firms are creating the kind of effective culture that boards are increasingly seeking to foster. And if there is an expectation that employees are engaged in best practice governance and risk management, it must be modeled and communicated from the top to be achieved.
The full study is scheduled for publication by Wiley-Blackwell later this year in their monograph series, “Corporate Boards: Managers of Risk, Sources of Risk.”