In an earlier post, I discussed risk-taking decisions by boards and whether excessive risk-taking might constitute a breach of a board’s fiduciary duties, particularly in the insolvency context. A board’s potential liability for risky investment decisions begs the question, “What can boards do to better protect themselves and corporate value?” I think the growing importance of enterprise risk management could help answer this question.
The truly malfeasant board, in my experience, is the rare exception, rather than the rule. Sometimes, boards just get it wrong. Unfortunately, when that happens, the corporation and its stakeholders suffer. Enterprise risk management is geared toward better informing senior management and boards about the overall risk profile of their company and better equipping those individuals to identify, assess and mitigate risk.
Enterprise risk management “often is described as a process:
· Effected by an entity’s board, management and personnel
· Applied in strategy setting
· Applied across the enterprise
· Designed to identify potential events that may affect the entity
· Designed to manage risks to be within the company’s risk appetite
· Able to provide reasonable assurance regarding achievement of entity objectives
· Geared to the achievement of objectives in one or more separate but overlapping categories.” (The Conference Board’s Report of The Role of U.S. Corporate Boards in Enterprise Risk Management.)
In a recent survey of directors of public companies conducted by PricewaterhouseCoopers, only 5.4% of the respondents rated their “board’s ability to monitor a risk management plan to mitigate corporate exposure” as “very effective.” Most respondents rated their board’s performance in this category as either “effective” (45.1%) or “somewhat effective” (43.1%), with 6.3% submitting a response of “ineffective.” (For those of you doing the math, 0.1% rated the board’s performance as “very ineffective.”) Likewise, when asked to “estimate the effectiveness of” his or her board on monitoring risk management, with “1” being very effective” and “5” being not effective at all, the respondents’ mean response was “2.51,” the lowest mean out of the seven board responsibilities included in that particular question. Finally, only 10% of respondents indicated that their boards had a separate risk management committee.
Now to some, enterprise risk management may seem like just one more process in an already process-intensive post-Sarbanes world. That, I think, is a fair concern. I also believe, however, that enterprise risk management has the potential to be something more; something beneficial to boards and their corporations. In very simple terms, think about how much easier it is to put together a puzzle when you have the box with a picture of the completed puzzle in front of you. Understanding the big picture helps you determine where to place the various pieces. Too often, boards are asked to focus on the risks of a particular strategy or transaction without necessarily understanding the bigger picture.
Enterprise risk management will not eliminate corporate scandals and insolvencies, but it could help some boards detect potential issues earlier in the process. As with most diseases, early detection is key to a corporation’s successful financial or operational recovery. A focus on risk management also may help boards and mangers ask the right questions regarding investment opportunities and related risk. Indeed, as I discussed in yesterday’s post and as Steve Kroft explored in a recent 60 Minutes segment, many believe that the current economic crisis resulted in part from boards and management failing to understand the risks associated with credit default swaps and other derivative investments. As Harvey Goldschmid explained to Kroft, “My impression is . . . that even at senior levels [at the Wall Street investment houses], they only vaguely understood the risks. . . . And when it tumbled, there was some genuine surprise not only at the board level where there wasn't enough oversight but at senior management level.”
TrackBack URL for this entry:
Links to weblogs that reference Risk Taking v. Risk Management: