CHAPTER 9
Role of the Board

INTRODUCTION

In the aftermath of the financial crisis of 2008, boards of directors have taken a much more active role in risk governance and oversight. This is partly the result of regulation, but it also makes solid business sense, which is why the trend appears to be gaining steam as stakeholder expectations continue to rise. Boards are growing more cognizant of how ERM can benefit the organization, improve relations with key stakeholders, and satisfy heightened regulations worldwide.

Among the key groups that provide independent risk monitoring—boards, auditors, regulators, rating agencies, and institutional investors—the board of directors is unique in its direct responsibility for ensuring sound risk management and the degree of leverage it has for doing so. At most organizations, corporate management bends over backward to satisfy board demands. By asking tough questions and establishing high expectations for ERM, the board can set the tone from the top and effect significant change in the risk culture and practices of an organization.1

Studies indicate that boards are recognizing the importance of ERM and are making significant changes as a result. For one thing, the world is getting riskier. According to a 2013 survey by the Association for Financial Professionals (AFP), 59% of firms face greater earnings uncertainty relative to five years earlier.2 Respondents also expect risks to increase in the next two years. In another study that same year, Accenture found that risk management was a higher priority for 98% of those surveyed.3 As boards face new threats like cybersecurity and emerging technologies, they rely on ERM to ensure that all of the key elements of effective risk management are in place. As part of this trend, board-level risk committees and joint audit and risk committees are becoming more prevalent in firms across the globe. Additionally, companies are increasingly integrating ERM into business strategy and decisions.

While boards feel that their companies have made progress in ERM, they see plenty of room for improvement. Gaps remain, for instance, between risk assessments and risk-based decision making. There is a universal need for better risk management practices and qualified board members to assist in oversight. And boards are concerned that they are not yet fully equipped to assume their new fiduciary duties to evaluate enterprise risk, set appropriate policies and risk appetite, and monitor ERM effectiveness. As a result, directors who understand regulatory requirements and have the expertise to oversee complex risks are in great demand.

This chapter will focus on the role of the board, with the support of the risk and audit committees, in ERM oversight. To ensure the effectiveness of ERM, boards are reexamining governance structure and roles; risk policies and limits; and the process of monitoring and reporting. With respect to ERM oversight, this chapter will examine three central questions:

  1. What key regulatory requirements must directors consider as part of their risk governance and oversight?
  2. What are current board practices for ERM?
  3. What can boards do to oversee ERM and the key risks facing their organizations more effectively?

REGULATORY REQUIREMENTS

Recent regulations by the SEC, Financial Stability Board (FSB), and the Basel Committee have ratcheted up minimum standards of corporate governance. In response to deficiencies revealed during the 2008 financial crisis, these organizations established new guidelines that stress the role of risk governance structures and policy in improving ERM. The regulations address governance issues such as board composition, responsibilities, independent risk management practices, and the integration of strategic plans and risk management. While most of these regulations come from the financial services industry, where risk practices and regulations are more advanced, boards in other industries can gain valuable insights and ideas from them. Let's examine some of these requirements across the globe.

  1. Board Responsibility: Capital Requirements Directive IV (CRD IV), the implementation of Basel III in the Eurozone, addresses board composition and the need for independent risk management. It vests in boards the ultimate responsibility for effective risk management. Under the directive, banks must establish suitability criteria for directors and create policies for board diversity with regard to age, professional background, and gender. Banks must also elevate the status of independent risk management and ensure that the chief risk officer (CRO) has direct access to the board. CRD IV also addresses capital shortfalls with additional systemic risk buffers, higher minimum capital ratios, and higher risk weightings on counterparty exposures.4

    Prioritizing Risk Management: In the United States, the Office of the Comptroller of the Currency (OCC) released heightened expectations for risk frameworks and the role of independent risk management in 2014. The additional OCC standards require public holding companies (and public non-bank financial institutions supervised by the Federal Reserve) with more than $10 billion in assets to establish appropriate stature for an independent risk committee and internal audit. Integration of strategy and risk management, long a recommended best practice for boards, is now mandatory. Boards must develop a strategic plan and update it regularly to reflect changes in the organization's risk profile.5

    Since the Dodd-Frank Act was signed into law in July 2010, board-level risk committees have become more prevalent. Dodd-Frank requires large financial institutions to establish a board risk committee responsible for ERM oversight and practices, and to include among its members at least one experienced risk management expert.6

  2. Compensation Policies: In 2014, an additional Dodd-Frank requirement took effect: Boards must review compensation policy to ensure incentives do not encourage excessive risk-taking. CRD IV also addresses compensation policy as it relates to risk management. The relationship between compensation and risk culture is also enshrined in the 2013 extended FSB guidelines as well as the 2014 OCC guidelines. OCC stresses the importance of maintaining a proper risk culture through compensation policies that reward compliance. The FSB standards address the relationship between compensation policies and adherence to risk appetite statements.

    Risk Appetite Statements: Recent regulations also strengthen the board's role in drawing up effective risk appetite statements and communicating risk management expectations to management, staff and shareholders. Both the FSB and OCC have delineated board responsibilities for monitoring and approving risk appetite statements. The OCC requires independent risk management to update systematically a comprehensive risk appetite framework, which the board must approve. In addition to addressing the linkage between risk appetite statements and compensation, the FSB requires the board to review the risk appetite framework to ensure it remains consistent with the organization's short and long-term strategy and business and capital plans.7

    Additionally, the National Association of Corporate Directors' (NACD) Advisory Council on Risk Oversight has identified “next practices” for boards. Echoing OCC and FSB guidelines, the NACD suggestions include developing risk appetite statements with management to “reflect the ‘overlay on strategy and risk.’” Rather than be involved in detailed strategy, boards “need to connect management's assertions to what the strategy is, then have them intelligently identify the risks.”8 A framework developed with management, clearly outlining how much risk the board is willing to accept in pursuit of strategic objectives, also provides shareholders greater transparency.

    Greater Transparency: New disclosure rules seek to enhance compensation practice and board accountability to shareholders. FSB's Pillar III, issued in July 2011, proposes principles for proper compensation practices and requires the disclosure of compensation policies. SEC rules adopted in December 2009 require disclosures in proxy and information statements regarding board governance structure and the board's role in risk oversight. Companies must describe the relationship between compensation policies and risk management, as well as the extent to which executive compensation may lead to excessive risk taking.

    In March 2014, the National Association of Insurance Commissioners (NAIC) implemented Own Risk and Solvency Assessment (ORSA), a regulatory reporting requirement for large insurers9 in the United States. ORSA Summary Reports require descriptions of the insurer's ERM framework and assessments of risk exposure, risk capital, and solvency positions under normal and severe stress scenarios. The new ORSA reporting requirement thus encourages forward-looking assessments and reinforces good risk management practices.

All of these regulations will profoundly affect risk management practices by enhancing senior management's accountability and laying ultimate responsibility for ERM oversight squarely on the board. New and emerging requirements also highlight the need for qualified directors to ensure that effective risk governance structures and policies are in place.

CURRENT BOARD PRACTICES

Recent studies suggest that boards are improving governance structure and policy to guide the ERM practices of their organizations. Increasingly, for instance, boards in industries beyond banking and capital markets are adopting ERM programs. A 2013 global study by Accenture found that more than half of companies surveyed in the energy (61%) and insurance (55%) industries have adopted an ERM program.10

Even as boards continue to recognize the need for more effective governance structures, companies are reexamining the composition and independence of the board itself. According to a 2013 PwC survey of corporate directors, 55% of boards had a separate CEO and chair while 47% of the remainder were considering the separation of these roles. In addition, a growing number of boards have committees dedicated to overseeing risk management practices. Many have instituted standalone risk committees while others have created hybrid ones overseeing both audit and risk.11

According to Accenture's study, 97% of organizations employ a CRO or other senior executive to direct the risk management function. When it comes to risk, boards are not just looking at governance structure, but also policy and culture, even though only 26% feel they have achieved success in those areas “to a great extent.” As a result, 60% of boards discussed setting “the tone from the top,” in the 12 months preceding the study, and 46% increased their interaction with management to reduce fraud risk.12

One significant development in recent years is the institution of so-called clawback policies among Fortune 100 companies. These provisions allow firms to recoup incentive payments previously made to employees in the event of a financial restatement or revelation of ethical misconduct. The rise of clawback policies may also reflect growing stakeholder expectations and the onset of increased regulation in this area, such as new SEC requirements. I should note, however, that in practice clawback provisions are rarely triggered and few cases have attracted significant notice. Most notable is Wells Fargo in the aftermath of its cross-sell scandal. In September 2016, the board clawed back $41 million from CEO John Stumpf and $19 million from community banking head Carrie Tolstedt.

Despite these advances, boards remain skeptical of ERM's ability to create value. Fewer than one in three believe that their ERM programs have enhanced long-term profit growth, though 80% cite that as an important goal.13 To close the gap, boards are augmenting their ranks with risk experts in an effort to better incorporate risk management into strategic and business decisions.

On the whole, boards are taking an active role in improving ERM oversight and looking for ways to enhance their practices. Before we discuss how boards can improve ERM oversight, let's examine a case of flawed governance structure.

CASE STUDY: SATYAM

Satyam Computer Services was once the largest software company in India. Considered a leader in India's burgeoning IT sector, Satyam garnered the attention of major investment groups such as Aberdeen and Morgan Stanley.14 In 2008, the company received the World Council's Golden Peacock Award for excellence in corporate governance.

Just a year later, Satyam's chairman, B. Ramalinga Raju, admitted that the company's balance sheet inflated cash and bank balances by $1.44 billion, understated liabilities by $300 million, and reported nonexistent accrued income of $86 million.15 Raju also admitted that previously announced acquisitions totaling $1.6 billion were nothing more than “the last attempt to fill the fictitious assets with real ones.”16 The companies in question were, in actuality, owned and managed by members of Raju's family.

The public was shocked by Satyam's fall from the pinnacle of corporate governance practice, but should it have been? The company's own Form 20-F filing with the Securities & Exchange Commission, dated August 2008, revealed serious governance issues:

We do not have an individual serving on our Audit Committee as an “Audit Committee Financial Expert” as defined in applicable rules of the Securities & Exchange Commission. This is because our board of directors has determined that no individual audit committee member possesses all the attributes required by the definition “Audit Committee Financial Expert.”17

Why was the board so ineffectual? For one thing, the company had no nominating and governance committee to appoint the necessary experts. In fact, Satyam's board had just three committees: Audit (which the company admitted lacked financial experts), Compensation, and Investor Grievances. Second, though the chair and CEO were technically separate positions, they were held by brothers, a clear conflict of interest.

This lack of proper governance was undoubtedly intentional. Raju and his brothers exercised a dominant position on the board and regularly put family interests above those of stakeholders. They could easily introduce questionable strategic plans in order to cover their tracks without fear of challenge. In summary, Satyam suffered three key governance issues:

  1. Board members were not qualified to oversee executive management. Few had financial backgrounds.
  2. The board lacked independence and objectivity, due to the family relationship between CEO and chair and the combined power of the Raju brothers to influence decisions.
  3. The company lacked transparency and accountability. Rather than enhance accountability, the board's governance structure allowed the Raju brothers to operate against the interests of shareholders.

THREE LEVERS FOR ERM OVERSIGHT

While not involved in day-to-day business activities, boards have ultimate responsibility for an ERM program that creates value for the organization. What can they do to oversee ERM and the key risks facing the organization? The answer is GPA: Governance, Policy, and Assurance:

  1. Governance: The board must establish an effective governance structure to oversee risk. Issues to consider include: How should the board be organized to oversee ERM? What is the linkage between strategy and risk management? How can the board strengthen the independence of the risk management function? How can the capital structure of the organization best conform to its risk profile, including its dividend policy and target credit ratings?
  2. Policy: The board must approve and monitor an ERM policy that provides explicit risk tolerance levels for key risks. Do risk management policies and tolerance levels effectively capture the board's overall risk appetite? What is the relationship between risk policies and compensation policies?
  3. Assurance: Finally, the board must establish processes to ensure the effectiveness of the company's ERM program. What are the performance metrics and feedback loops used to evaluate ERM? How can management improve the structure and content of board reports? How should that assurance be disclosed to investors, rating agencies, and regulators?

In the previous chapter, we discussed the GPA model in the context of the three lines of defense. Let's examine these board levers in greater detail in terms of regulatory expectations and board risk oversight practices.

Governance

A fundamental step in ERM oversight is to establish an effective risk governance structure at the board level. Risk governance delineates the oversight roles and decision points for the board and its committees, as well as its relationship with management.

To exercise its responsibility, the board needs directors with the expertise to provide independent analysis of the company's strategy, its execution, and the risks it takes on. The board must act objectively and in the best interests of the organization's stakeholders. Charged with recruitment and training of board members, the Nominating and Governance Committee should seek candidates with demonstrated industry and risk management expertise. Mandates such as Dodd-Frank require boards to establish risk committees that include a qualified expert, but boards would do well to look beyond regulatory checklists. Rather, they should appoint directors who can add strategic value to the company. For example, bank boards should consider the following criteria for a risk expert:

  • An understanding of risk governance and management practices at financial institutions, including board risk oversight, risk policy and appetite, monitoring and assurance processes, and risk reporting and disclosure requirements.
  • Experience as chief risk officer, and/or actively supervising the chief risk officer of a large, complex financial institution.
  • Knowledge of banking regulations and standards, such as Dodd-Frank, Basel II and III, SEC, ORSA, OCC, FSB, and Federal Reserve requirements.
  • Experience in the identification, assessment, and management of the key risks faced by financial institutions, including strategic, business, market, liquidity, credit/counterparty, operational, IT, cybersecurity, and systemic risks.
  • Knowledge of ERM, including assessment of cross-risk interdependencies and aggregate risk profiles.
  • Ability to oversee the CRO's implementation of the ERM program and lead and/or advise the board on major risk governance and policy issues, as well as guide and/or challenge management on recommended risk strategies, plans, and assumptions.
  • Experience in overseeing and/or executing applications of key risk management tools, including value at risk, economic capital, risk-adjusted pricing and profitability models, risk-control assessments, stress testing, and scenario analysis.
  • Understanding the usefulness and limitations of risk management tools, including a solid grasp of derivatives and hedging strategies.

The board should discuss whether the CEO or an independent director should also serve as chair of the board. The chair leads the board, which holds the responsibility of management oversight, while the CEO is directly responsible for management. A split CEO and chair eliminates the possibility of a conflict of interest. This structure also supports the board's primary responsibility for oversight without excessive involvement in day-to-day management. Despite these advantages, most major U.S. banks (for example, J.P. Morgan and Morgan Stanley) retain combined CEO/chairs with relative success. In cases where the board retains a combined CEO/chair, it usually designates a lead independent director (LID) to assume overall responsibility for oversight of the CEO and management. Advocates of a combined CEO/chair argue that the individual in such a position has a superior understanding of the organization, but critics cite the importance of board independence for objective decision-making. Whatever the structure, the composition of the board should support the flow of information between senior management and directors and enhance the board's ability to carry out its oversight responsibilities.

Risk Committee of the Board

While the full board retains ultimate responsibility for risk oversight, a growing number of organizations have established a separate risk committee to oversee ERM processes. This committee reviews reports from executive management and provides the full board with data and analysis regarding the organization's risk profile and emerging risks. Consider the typical components of a risk committee charter:

  • Purpose: Introduces the objective of the committee and gives a concise statement of responsibility in oversight.
  • Composition and Meeting: Includes the number of members on the committee and qualification requirements such as expertise and experience. It might include a statement of regulatory requirements for risk experts as well.
  • Responsibilities and Duties: Covers the responsibilities of the committee in terms of ERM and reporting duties for management and the CRO (if applicable). May include a description of how the risk committee coordinates with the audit committee to ensure internal audit meets risk-governance requirements. If the company has a CRO, the charter should define that role. Lastly, it should outline the requirements and responsibility for reviewing management reports.

The risk committee should review its charter regularly and update it to reflect regulatory requirements and the needs of the organization.

Audit Committee

The audit committee charter is complementary to that of the risk committee. The audit function provides evaluations that assist the risk management processes. While internal audit does not aid in the development of risk management processes, it can play an important role in assurance. Internal audit assesses reporting of key risks and ensures that the risks are properly evaluated. As internal audit reports directly to the audit committee, the risk committee and audit committee should interact to enhance the organization's review of risk management while remaining independent of one another. For companies with joint audit and risk committees, it is critical that each mandate receives a proper allocation of time and attention, and that membership includes both distinct skill sets.


FIGURE 9.1 Executive Management and Board Responsibilities for ERM

Responsibilities of the Board vs. Management

Boards and management often express a need for more clarity in terms of roles and responsibilities. In theory, at least, the board and management serve distinct functions that may be likened to the legislative and executive branches of the U.S. government. The board, like Congress, represents the interests of shareholders and other stakeholder groups while management operates the company in the same way that the White House executes policy. But in the real world, as in politics, roles and powers may overlap. A board with poorly defined responsibilities may encroach on management's purview or, in the other extreme, fail to examine and challenge management's decisions. Figure 9.1 outlines the alignment and key differences between board and management responsibilities with respect to each aspect of ERM implementation.

There is one area in which board and management should work in perfect concert: setting the “tone from the top” and fostering a culture of integrity and honesty across the organization. While boards should encourage intelligent risk taking, they must also demand zero tolerance for unauthorized and unethical behavior. One way to do this is to ensure the independence of the risk management function, allowing risk managers to carry out their responsibilities without fear of reprisal. In practical terms, this means there ought to be a direct line of reporting from the risk function, headed by the CRO or equivalent, to the board, ideally represented by its risk committee.

The CRO would still be on the CEO's executive committee, but under exceptional circumstances (for example, excessive risk taking, major internal fraud, or significant business conflicts), the CRO should be able to escalate risk issues directly to the board without concern about his or her job security or compensation. Such stature resonates with the entire company and empowers risk management functions to promote good risk practices.18 See the E*TRADE Financial case study in the next chapter for more discussion on this topic.

Value-Creation from Integrating Strategy and Risk

Monitoring strategy has long been the purview of boards, so as boards become more active in ERM, it makes sense that strategy and risk management will become increasingly integrated. In fact, strategic risk management is key to a successful ERM program. It preserves and creates value for the organization, and it may uncover opportunities the organization has failed to exploit. Let's examine how this worked for the Danish toymaker LEGO.

A 2013 article in the Wall Street Journal highlighted LEGO's success in strategic risk management. Just a decade earlier, however, the company confronted near-bankruptcy because of strategic missteps.19 At the time, LEGO faced emerging competitors, changing demographics, and the maturing of its lucrative Star Wars and Lord of the Rings licensed product lines. In 2006, senior director of strategic risk management Hans Laessoe saw the need for dramatic change. He began by identifying LEGO's major strategic risks and projecting them forward using Monte Carlo simulations; active risk and opportunity planning; and scenario analysis. Among his discoveries was that in some cases the organization was actually too risk averse. As a result of his efforts, LEGO managed an average growth of 21% and a profit growth of 34% over 2007 to 2013 despite a stagnant overall toy market.20

In an effort to take similar advantage of prudent risk opportunities, today's boards are pushing management to integrate risk management more fully into strategic planning. We'll take a closer look at this synergy in Chapter 15, but for now suffice it to say that senior executives will need to rethink their approach. They must make sure that strategic initiatives are consistent with the organization's risk appetite, and adapt them as its risk profile shifts. They should develop contingency plans so that the company can change course to avoid unforeseen obstacles or seize new opportunities. And they must see risk controls not as impediments to business activity but as integral to value creation. Before they can do all that, however, companies must set forth clear policies around risk management.

Policy

A company's ERM policy sets out board expectations for risk management and oversight. Executive management formulates and implements the policy while the board of directors reviews, challenges, and approves it. The adoption of a formal, organization-wide risk policy will help avoid these common problems:

  • Absence of explicit limits or tolerance levels for key risks
  • Lack of standards across different policies for various types of risk (credit, market, operational, etc.)
  • Insufficient reporting and monitoring of policy exceptions and resolutions
  • Gaps in key risk governance, oversight, and reporting components
  • Stale procedures that fail to capture risk and may indeed obscure a developing issue

The most important risk policy is the risk appetite statement (RAS). This document is critical to risk oversight because it helps employees throughout the corporate hierarchy make risk-savvy decisions. Risk appetite statements are not meant to capture all material risks—that would make them too unwieldy. Rather, they provide an overall view of the company's preferred risk profile and identify how to achieve and maintain it. (We'll examine risk appetite statements more fully in Chapter 12.) A clearly defined RAS offers guidance to management as it executes strategy, and provides the board with a benchmark as it exercises its oversight.

Risk policy will naturally inform policy in other areas. For example, the board and management should examine compensation policy to ensure that it does not reward excessive risk. In fact, recent history has shown that the causal link between compensation policy and risk should be one of the board's top concerns. As the saying goes, people don't do what you tell them to do; they do what you pay them to do. Therefore, the board and its compensation committee should ensure that risk management receives sufficient weight in performance evaluations and incentives. By incorporating ERM into compensation plans, the board can have a far-reaching impact not only on management actions, but on employee behavior at every level of the organization as well.

The examples below, taken from J.P. Morgan, show how a well-thought-out compensation policy can incorporate risk management:

Examples from J.P. Morgan's Compensation Policy

Below is a statement from J.P. Morgan's bonus recoupment policy regarding potential actions for the clawback of bonuses.21

Appropriate action could include actions such as termination, reducing compensation in the year the restatement was made, seeking repayment of any bonus received for the period restated or any gains realized as a result of exercising an option awarded for the period restated, or canceling any unvested equity compensation awarded for the period restated. Consideration may also be given to whether or not any one or more of such actions should be extended to employees who did not engage in misconduct that contributed to the restatement.

In addition to the bonus recoupment policy, incentive awards are subject to clawback and other provisions described in the Firm's most recent proxy statement. The following is from J.P. Morgan's 2014 Proxy Statement.22

We have put in place rigorous and extensive clawback/recoupment provisions on both cash incentives and equity awards, which enable us to reduce or cancel unvested awards and recover previously paid compensation in certain situations. …

Incentive awards are intended and expected to vest according to their terms, but strong recovery provisions permit recovery of incentive compensation awards in appropriate circumstances. We also retain the right to reduce current-year incentives to redress any prior imbalance that we have subsequently determined to have existed.

Assurance

In order to know whether ERM is working effectively, organizations need to establish assurance processes, including monitoring and reporting, performance metrics, objective feedback loops, and independent assessments. At the same time, however, board members often report that the risk reports they currently receive are not as timely or useful as they'd like.

Boards can influence management practices by demanding clear, concise reporting, helping to select key performance indicators, and determining the appropriate reporting frequency. What would such reports look like? Consider these best practices:

  • A concise executive summary of business/risk performance, as well as external performance drivers
  • A focus on key points for board discussion and decision-making, uncluttered by extraneous detail
  • Forward-looking analyses versus historical data and trends
  • Key performance and risk indicators shown against specific targets or limits
  • Sufficient time for board input and discussion

These criteria can be even more effectively addressed with role-based dashboard reports. These are single-screen displays that present summary risk and performance information while allowing users to drill down to supporting data as necessary. By tapping into existing business systems on a real-time basis, modern dashboard programs facilitate communication with timely and relevant content. Ideally, this will include qualitative and quantitative data, internal risk exposures, external drivers, and key performance and risk indicators. Chapter 19 will focus exclusively on these important new tools.

All this information gathering is of little use unless it allows the board not only to monitor activity but also to support continual improvement. In the past, companies could declare their ERM efforts a success if they achieved development milestones and didn't experience regulatory violations, losses, and other negative events. These metrics are still necessary but no longer sufficient. Instead, they must be augmented by feedback loops that drive improvement. Earnings-at-risk analysis, which I discuss in Chapter 20, is one such feedback loop. Another is the ERM scorecard, which allows the board to measure effectiveness in the following terms:

  • Achievement of ERM development milestones: These might include instituting an ERM policy, setting risk tolerance levels, drafting a risk appetite statement, etc.
  • Lack of regulatory/policy violations or other negative events: Directors and executives could include “no surprises”—such as regulatory violations and fines, risk limit breaches, customer or reputational events—as a key success factor in ERM.
  • Reduction of total cost of risk: The sum of expected loss, unexpected loss (or the cost of economic capital), risk transfer costs, and risk management costs equals the total cost of risk.
  • Performance-based feedback loops: These include minimizing unexpected earnings volatility, minimizing variances between ex-ante risk analytics (e.g., risk assessments and models) and ex-post risk results (actual losses and events), and contributions to shareholder value creation.

Just as boards retain independent auditors to review and provide assurance for the financial statements, they should also retain an independent party to review and provide assurance for the ERM program. The assessment should evaluate ERM components relative to industry best practices and/or progress against plan. Internal audit can also provide assurance and monitor risk management processes. The board should conduct a self-assessment of its role in ERM as well. I will discuss risk reporting and monitoring processes in more depth in Chapters 18, 19, and 20.

Assuring that ERM processes are effective is important not only for the board, but also for the organization's other stakeholders. Through proxy statements and annual reports, the board communicates information regarding the company's performance to stakeholders. Regulators, including the FSB and SEC, require information on governance structure, policy, and assurance processes to be included in proxy statements. These requirements enhance communication with stakeholders and keep the board accountable for oversight of the organization.

CONCLUSION

With growing uncertainty and ever-increasing stakeholder expectations, board responsibilities in ERM oversight are not without challenges. Boards are not involved in day-to-day enterprise activities, and they have limited time to review materials and meet with management. Nonetheless, the board, with the support of its committees, is charged with overseeing risk management and ensuring such processes create value for the organization. As we discussed, the board has three key levers for doing so: a well-thought-out governance structure to organize risk management and oversight activities; risk policies to articulate the board's expectations in regard to risk appetite and tolerance; and assurance processes and feedback loops to gauge the effectiveness of the ERM program. With these tools, the board can effectively implement its ultimate responsibility for risk management to regulators, shareholders, and other stakeholders.

NOTES
