with contributing author Parveen Gupta, LLB, PhD
This piece originally appeared in Ethical Boardroom and is republished here with permission.
In the aftermath of the 2008 global financial crisis, postmortems were convened in countries around the world to identify what went wrong. A unanimous conclusion was that Boards of Directors of public companies in general, and financial institutions in particular, need to do more to oversee “management’s risk appetite and tolerance” if future crises are to be avoided.
This finding represents a significant paradigm shift in role expectations while introducing a new concept the Financial Stability Board (FSB) has coined: effective “Risk Appetite Frameworks” (RAFs). Regulators around the world are now moving at varying speeds to implement these conclusions by enacting new laws and regulations. What regulators appear to be seriously underestimating is the amount of change necessary to make this laudable goal a reality.
Codification Of Board Risk Oversight
Immediately following the onset of the 2008 global crisis, a group called the Senior Supervisors Group (SSG) and later, the Financial Stability Board (FSB) – the world’s first global super regulator – went to work at record speed to publish exposure drafts, seek comments on them and issue guidance to national bank and securities regulators around the world. Excerpts from FSB’s radical and far-reaching November 2013 guidance on risk appetite frameworks (RAF) follow:
The Board of Directors should:
a) Approve the financial institution’s RAF, developed in collaboration with the CEO, CRO and CFO, and ensure it remains consistent with the institution’s short- and long-term strategy, business and capital plans and risk capacity as well as compensation programs.
b) Hold the CEO and other senior management accountable for the integrity of the RAF, including the timely identification, management and escalation of breaches in risk limits and of material risk exposures.
The Chief Executive Officer should:
a) Establish an appropriate risk appetite for the financial institution (in collaboration with the CRO and CFO) which is consistent with the institution’s short- and long-term strategy, business and capital plans and risk capacity, as well as compensation programs, and that aligns with supervisory expectations.
b) Be accountable, together with the CRO, CFO and business lines, for the integrity of the RAF, including the timely identification and escalation of breaches in risk limits and of material risk exposures.
Internal Audit (or other independent assessor) should:
a) Routinely include assessments of the RAF on an institution-wide basis as well as on an individual business line and legal entity basis.
b) Identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the Board and senior management as appropriate.
In 2010, in response to some of the initial SSG/FSB postmortem analysis, the SEC in the U.S. introduced new proxy disclosure rules that require a general broad acknowledgment in the annual proxy that the Board is responsible for risk oversight. Since then, the Commission hasn’t taken any steps to provide more granular guidance to clarify what it expects. Perhaps in anticipation of new U.S. disclosure requirements, COSO (Committee of Sponsoring Organizations of the Treadway Commission) announced in October 2014 that it is embarking on a two-year plan to update the now dated 2004 COSO Enterprise Risk Management–Integrated Framework (ERM). A primary stated reason for the update is to assist companies and Boards in reporting on the effectiveness of their risk appetite frameworks.
In September 2014 in the UK, the Financial Reporting Council (FRC), the UK equivalent of the U.S. Securities and Exchange Commission (SEC), became the first national securities regulator to codify and elevate the expectation that Boards of Directors of all UK-listed public companies must oversee management’s risk appetite and tolerance.
Securities regulators in other countries are working to codify new expectations requiring that Boards visibly, and more effectively, oversee management’s risk appetite and tolerance.
Change Won’t Come Easy
The core idea that Boards of Directors should oversee management’s risk appetite and tolerance appears to be a logical extension of their role and, at least on the surface, would appear easy enough to implement if Boards and management are both willing. However, the reality is that there must be a major paradigm shift on the part of regulators, Boards, senior management, risk specialists, internal and external auditors and other risk “silos,” including safety, environment, compliance, IT security and others, to make this regulatory aspiration a reality. Some of the major roadblocks are discussed below.
Following a “perfect storm” of corporate malfeasance, the U.S. enacted the Sarbanes-Oxley Act of 2002. Section 404 requires that CEOs, CFOs and external auditors form binary opinions on whether they believe internal control over financial reporting is, or is not, “effective” using criteria drawn from a “suitable” control framework. The dated 1992 COSO internal control framework was deemed “suitable” by the SEC. The 1992 COSO control framework was recently replaced with the marginally better COSO 2013 control framework. Canada and other countries directionally followed the U.S. lead.
The problem is that this approach does nothing to train senior management or auditors to assess and report on the state of “residual risk,” the risk that remains after considering controls and other important risk treatments, or to train Boards to assess whether they are comfortable with management’s risk appetite and tolerance. This results in the Board receiving little in the way of reliable information on the line items in the company’s balance sheets and income statements with the highest composite uncertainty – or, stated another way, the highest likelihood of being materially wrong.
Internal Audit “Direct Report” Audit Methods
A large percentage of public companies maintain internal audit functions that complete spot-in-time audits and report “material weaknesses,” “control deficiencies,” areas needing improvement and the like. What these audit opinions represent, viewed through a risk lens, is an opinion on whether the auditors like or dislike the controls in place and, by extension, whether they like or dislike the current state of retained/residual risk.
How they have formed their like and dislike opinions on the state of residual risk is often unclear. More importantly, all agree, including the global Institute of Internal Auditors (IIA), that in spite of the apparent contradiction with current practices, it is the job of management and the Board, not internal audit, to decide how much retained risk is acceptable in pursuit of an organization’s business objectives.
Compounding the problem, internal auditors in a large percentage of companies today do not use risk assessment methods designed to identify and assess the current state of residual/retained risk. Most don’t know how to appropriately use recognized risk frameworks or risk vocabulary in their daily work. Very few internal auditors have received much, if any, training on how to identify and consider the full range of risk treatments. It simply isn’t part of the current core curriculum or training offerings. The focus has been on identifying “internal controls,” often without linking these controls to specific risks. It has not, with few exceptions, been on providing a consolidated entity-level report on the current residual risk status related to key objectives for senior management and Boards.
In the absence of reliable information on the state of residual risk from business units and assurance specialists, senior management and, most importantly, Boards of Directors are handicapped in their efforts to oversee management’s risk appetite and tolerance. Regulators globally continue to support this “direct report/control-centric” audit approach, while at the same time calling on Boards of Directors to oversee management’s risk appetite and tolerance – a regulator-imposed recipe for confusion and future governance failures.
Traditional “Risk-Centric” ERM Methods
The idea that management and Boards should be actively and transparently involved in “risk management” is not a new one. Australia was the first country to pioneer a risk management standard in the mid-1990s (AS/NZS 4360). Gradually, over the next decade, other countries followed suit. In the U.S., COSO released its own ERM framework in 2004, and ISO, the world’s international standards setter, released the world’s first global risk management standard in 2009.
For a variety of reasons, including support from the consulting sector and resistance from management, the world has generally interpreted ERM to mean an annual exercise (with limited time and effort) to build and maintain “risk registers,” now increasingly being referenced less charitably as “risk lists.” These risk registers are accompanied by color-coded “heat maps” showing which risks have been rated as RED, based on the likelihood and impact of each risk and the controls in place. Boards receive lists of the top 10/20/50/100 risks. Often these are standalone lists with no linkage to related business objectives or a clear map showing which business objectives the top risks impact. The fact that most important business objectives have 10 or more significant risks that create uncertainty over whether the objective will be achieved has been, and is still today, largely ignored.
Practical Advice on How to Actually Do It
In 2009, not long after commissions globally started to report their conclusion that weak/deficient Board oversight of management’s risk appetite and tolerance was a central root cause of the global crisis, the National Association of Corporate Directors (NACD) in the U.S. released its seminal Blue Ribbon Commission report, Risk Governance: Balancing Risk and Reward. This report calls on Boards to increase their focus and attention in this area and proposes six key Board risk oversight duties. What is missing in that report, and what is still largely unaddressed by the NACD and other director associations and regulators globally, are the practical steps and major changes companies must make, including the training and new tools necessary to help Boards fulfill their new fiduciary duty to oversee management’s risk appetite and tolerance.
Human Aversion to Radical Change
Last, but certainly not least, major changes are needed in regulatory attitudes and in the corporate functions and processes that create and provide information on the state of retained risk. It is likely that not all CEOs want their Boards of Directors to know all the areas of high retained risk. For a variety of reasons, there may also be more than a few Boards that don’t want to know “the whole truth and nothing but the truth.”
Unfortunately, more than a few C-suites have kept Boards in the dark in the past as management pursued strategies more aligned with maximizing their personal goals than with the long-term success of their organizations. Major changes are needed in internal audit charters, training, certification and methods. ERM specialists need to focus on developing new methods and tools that provide ethical senior management teams and Boards with a consolidated report on the state of retained risk across the enterprise, including risks that threaten the achievement of the organization’s top strategic objectives, as well as foundational objectives relating to legal compliance, reliable financial statements, data security, business continuity and the like.
In summary, an old adage applies: Regulators should practice what they preach. If regulators truly want Boards of Directors to be more effective overseers of management’s risk appetite and tolerance, they should complete formal risk assessments on their stated objective of legislating better and more effective Board risk oversight. Once they have properly identified the full range of significant risks to this objective, with the support of groups like the NACD, Financial Executives International (FEI) and IIA and the myriad of risk associations, they need to develop risk treatment strategies to reduce the very real likelihood that senior management and Boards will not embrace this new regulatory imperative. Regaining the trust of investors and the public around the world is a goal that’s worth the effort.