Do Companies Need a Board-Level Risk Management Committee?

On 19 March 2013, the Global Corporate Governance Forum* published a paper by Ivan Choi, who is a Hong Kong-based colleague of mine, in their publication Private Sector Opinion.

Ivan invited me to write a foreword to his paper, which follows. The paper itself can be accessed at:

The financial crisis and its rippling effects on the wider corporate sector have prompted companies to rethink how they govern and manage risk. This paper discusses the board’s role in the governance of risk and the benefits of establishing a separate board-level risk-management committee – a need that applies to financial and nonfinancial institutions, as well as large and small companies.


All business decisions involve risk. The challenge to boards and senior management is to balance risk with acceptable reward, to create value without hazarding the enterprise. This means understanding the corporate exposure to risk, determining how those risks are to be faced, and ensuring that they are handled appropriately.

There are four possible responses to a business risk:

1. Avoid the risk. Abandon the proposed project.
2. Mitigate the risk. Make capital investments or incur on-going expenditures – for example, by obtaining standby equipment, duplicating critical components, investing in staff training – plus establish risk policies, such as requiring top executives to travel separately in case of an accident.
3. Transfer the risk. Spread the exposure to other parties. Insure against the risk, although some risks may be uninsurable. Hedge the risk by negotiating long-term contracts. Create derivative instruments, agreements with financial institutions that transfer the risk to third parties.
4. Retain the risk. In other words, accept the risk. This is often the only available solution for strategic risks.

Risk is often handled well at the operational level, taking appropriate precautions and insurance against, for example, fire, theft, employee accidents, and vehicle damage. Risks internal to the organization are usually recognized.

Risks at the managerial level tend to be less well-handled. These risks are not so obvious: product liability, loss of profits following an incident, failure of computer-based systems, reputational loss following a media allegation of corporate bribery, for example.

But risks at the strategic level may not be recognized at all, even by top management. Consider, for example, the massive fines that international banks had to pay for the Libor rate-rigging scandal, the market disaster and product liability that Boeing faced with the failure of the batteries on its 787 Dreamliner airplane, the loss of life and horrendous cost to BP of the collapse of the Deepwater Horizon oil rig, or Tokyo Electric Power’s disaster at the Fukushima Daiichi atomic power station. These examples cover catastrophic costs and huge reputational damage, but every company faces strategic risks that could threaten its existence. Many strategic plans fail to consider risk. Directors and senior management need to face up to the unexpected “what if…” questions.

This paper goes to the heart of these issues.

Crucially, it argues that successful organizations should focus on risk management at every level. But the responsibility for risk management starts with the board. The paper advocates that a board-level risk management committee, separate from the board-level audit committee, offers a sound basis for enterprise-wide risk management.

Many corporate failures can be attributed to the board’s inability to recognize the underlying risks faced by the company and to take appropriate mitigating actions.

Corporate governance and enterprise-wide risk management are interconnected. Risk management, like corporate governance, involves both conformance and performance aspects: ensuring that past and present issues are well handled while also looking to the future.

This paper differentiates the roles of the audit committees and the risk-management committee. The risk-management committee has an oversight role in developing, updating, enforcing, and monitoring the implementation of the risk-management policy on behalf of the board. Usefully, the paper makes specific recommendations on the duties of such a committee and realistically sets the benefits against the costs.

All company decisions involve risk. Sound risk management starts with board-level responsibility. This paper has important messages for board chairmen and directors, both executive and nonexecutive. The paper will also provide valuable insights for chief executives and senior management responsible for implementing the board’s risk policies. Staff involved in risk management, including the CFO and finance staff, the company secretary and secretarial staff, and the risk function if there is one, will also find this paper relevant to their work.

*The Global Corporate Governance Forum is part of the International Finance Corporation’s Corporate Governance Group. The Forum is a donor-supported facility, co-founded in 1999 by the World Bank and the Organisation for Economic Co-operation and Development (OECD) and supports corporate governance reforms in developing countries, promoting good practices in corporate governance. It also supports director training organizations engaged in implementing corporate governance reforms. Private Sector Opinion is one of their many publications.

Bob Tricker 23 March 2013