Thursday, October 15, 2009

Effective Enterprise Risk Oversight - The Role of the Board of Directors

The challenge facing boards is how to effectively oversee the organization’s enterprise-wide risk management in a way that balances managing risks with adding value to the organization. Although some organizations have employed sophisticated risk management processes, others have managed risks informally or on an ad hoc basis. In the aftermath of the financial crisis, executives and their boards realize that ad hoc risk management is no longer tolerable and that current processes may be inadequate in today’s rapidly evolving business world. Boards, along with other parties, are under increased focus due to the widely-held perception that organizations encountered risks during the crisis for which they were not adequately prepared.
Increasingly, boards and management teams are embracing the concept of enterprise risk management (ERM) to better connect their risk oversight with the creation and protection of stakeholder value. ERM is a process that provides a robust and holistic top-down view of key risks facing an organization. To help boards and management understand the critical elements of an enterprise-wide approach to risk management, COSO issued in 2004 its Enterprise Risk Management – Integrated Framework. That framework defines ERM as follows:
Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.
COSO’s Enterprise Risk Management – Integrated Framework (2004)
In today’s environment, the adoption of ERM may be the most effective and attractive way to meet ever increasing demands for effective board risk oversight. If positioned correctly within the organization to support the achievement of organizational objectives, including strategic objectives, effective ERM can be a value-added process that improves long-term organizational performance. Proponents of ERM stress that the goal of effective ERM is not solely to lower risk, but to more effectively manage risks on an enterprise-wide, holistic basis so that stakeholder value is preserved and grows over time. Said differently, ERM can assist management and the board in making better, more risk-informed, strategic decisions.
An entity’s board of directors plays a critical role in overseeing an enterprise-wide approach to risk management. Because management is accountable to the board of directors, the board’s focus on effective risk oversight is critical to setting the tone and culture towards effective risk management through strategy setting, formulating high level objectives, and approving broad-based resource allocations.
COSO’s Enterprise Risk Management – Integrated Framework highlights four areas that contribute to board oversight with regard to enterprise risk management:
Understand the entity’s risk philosophy and concur with the entity’s risk appetite. Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value. Because boards represent the views and desires of the organization’s key stakeholders, management should have an active discussion with the board to establish a mutual understanding of the organization’s overall appetite for risks.
Know the extent to which management has established effective enterprise risk management of the organization. Boards should inquire of management about existing risk management processes and challenge management to demonstrate the effectiveness of those processes in identifying, assessing, and managing the organization’s most significant enterprise-wide risk exposures.
Review the entity’s portfolio of risk and consider it against the entity’s risk appetite. Effective board oversight of risks is contingent on the ability of the board to understand and assess the organization’s strategies together with their associated risk exposures. Board agenda time and information packets that integrate strategy and operational initiatives with enterprise-wide risk exposures strengthen the ability of boards to ensure that risk exposures are consistent with the overall appetite for risk.
Be apprised of the most significant risks and whether management is responding appropriately. Risks are constantly evolving, and the need for robust, timely information is high. Regular reporting by management to the board on key risk indicators is critical to effective board oversight of key risk exposures, and thus to the preservation and enhancement of stakeholder value.
Boards of directors often use board committees in carrying out certain of their risk oversight duties. The use and focus of committees vary from one entity to another, although the audit, nominating/governance, and compensation committees are common, each focusing attention on particular elements of enterprise risk management. While risk oversight, like strategy, is a full board responsibility, some companies may choose to start the process by asking the relevant committees to address risk oversight in their areas while reserving strategic risk issues for the full board discussion.
While ERM is not a panacea for all the turmoil experienced in the markets in recent years, robust engagement by the board in enterprise risk oversight strengthens an organization’s resilience to significant risk exposures. ERM can help provide a path toward greater awareness of the risks the organization faces and their inter-related nature, more proactive management of those risks, and more transparent decision making around risk/reward trade-offs, all of which can contribute to a greater likelihood of achieving objectives.
An executive summary of COSO’s Enterprise Risk Management – Integrated Framework provides an overview of the key principles for effective enterprise risk management and is available for free download at www.coso.org. More detailed guidance, including examples of effective implementation of the key principles, is contained in the full document. COSO’s objectives are to improve organizational performance through better integration of strategy, risk, control, and governance. Our frameworks are based on identified best practices and the development of consistent terminology and approaches that can be used by many organizations in meeting their objectives. We hope that our ERM Framework will help you on that journey toward enhancing long-term stakeholder value.
*********
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization, composed of the organizations listed below, dedicated to guiding executive management and governance participants towards the establishment of more effective, efficient, and ethical business operations on a global basis. It sponsors and disseminates frameworks and guidance based on in-depth research, analysis, and best practices.
American Accounting Association
American Institute of Certified Public Accountants
Financial Executives International
Institute of Management Accountants
The Institute of Internal Auditors
__________________________
U.S. Securities and Exchange Commission, Speech by SEC Chairman: Address to the Council of Institutional Investors, 2009, www.sec.gov/news/speech/2009/spch040609.html.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management – Integrated Framework, New York, NY, September 2004, www.coso.org.