Conference Board Press Release:
The Next Frontier for Boards: Oversight of Risk Culture
Click here to download the current issue of Director Notes, entitled, "The Next Frontier for Boards, Oversight of Risk Culture."
Over the past 15 years expectations for board oversight have skyrocketed. In 2002 the Sarbanes-Oxley Act put the spotlight on board oversight of financial reporting. The 2008 global financial crisis focused regulatory attention on the need to improve board oversight of management’s risk appetite and tolerance. Most recently, in the wake of a number of high-profile personal data breaches, questions are being asked about board oversight of cyber-security, the newest risk threatening companies’ long term success. This article provides a primer on the next frontier for boards: oversight of “risk culture.”
Weak “risk culture” has been diagnosed as the root cause of many large and, in the words of the Securities and Exchange Commission Chair Mary Jo White, “egregious” corporate governance failures. Deficient risk and control management processes, IT security, and unreliable financial reporting are increasingly seen as mere symptoms of a “bad” or “deficient” risk culture. The new challenge that corporate directors face is how to diagnose and oversee the company’s risk culture and what actions to take if it is found to be deficient. This report provides board members an overview of these new oversight expectations, outlines potential handicaps they may encounter, and offers suggestions for overseeing their company’s risk culture.
Director Notes is a complimentary publication. Please forward it to your colleagues to subscribe. Do not hesitate to contact me should you have any questions or suggestions regarding future topics. For information on membership to The Conference Board, please email us at firstname.lastname@example.org.
by Parveen P. Gupta and Tim Leech(excerpt; endnotes omitted)Over the past 15 years expectations for board oversight have skyrocketed. In 2002 the Sarbanes-Oxley Act put the spotlight on board oversight of financial reporting. The 2008 global fi
nancial crisis focused regulatory attention on the need to improve board oversight of management’s risk appetite and tolerance. Most recently, in the wake of a number of high-profile personal data breaches, questions are being asked about board oversight of cyber-security, the newest risk threatening companies’ long term success. This article provides a primer on the next frontier for boards: oversight of “risk culture.”
Weak “risk culture” has been diagnosed as the root cause of many large and, in the words of the Securities and Exchange Commission Chair Mary Jo White, “egregious” corporate governance failures. Deficient risk and control management processes, IT security, and unreliable financial reporting are increasingly seen as mere symptoms of a “bad” or “deficient” risk culture. The new challenge that corporate directors face is how to diagnose and oversee the company’s risk culture and what actions to take if it is found to be deficient.
Regulators, institutional investors, and credit rating agencies have increased the call for corporate directors to strengthen board governance and board risk oversight. The Enron era saw boards of directors being accused of fiduciary failure for allowing “high risk accounting.”
Sarbanes-Oxley raised the bar significantly in the area of financial reporting for audit committees, CEOs, and CFOs of US listed public companies. In the aftermath of the global financial crisis of 2008, regulators have reached a consensus: boards should be evaluated and put on the regulatory hot seat if they fail to take steps to oversee management’s risk culture, appetite, and tolerance.
This global regulatory storm has culminated in a series of papers from the Financial Stability Board (FSB), a global regulatory advisory body formed following the onset of the global financial crisis. Its main objective is to provide guidance to national financial sector and securities regulators around the world. In its most recent paper, issued in 2014, the FSB called on national regulators to actively assess the “risk appetite framework” and “risk culture”of systemically important financial institutions (SIFI), including assessing boards’ effectiveness in overseeing their company’s risk culture. The FSB summarized the new expectations of national financial sector regulators as follows:
“...efforts should be made by financial institutions and by supervisors to understand an institution’s culture and how it affects safety and soundness. While various definitions of culture exist, supervisors are focusing on the institution’s norms, attitudes and behaviour related to risk awareness, risk taking and risk management, or the institutions’ risk culture.”The Financial Reporting Council (FRC), the United Kingdom’s national securities regulator, reacted to the FSB’s recommendations by updating The UK Corporate Governance Code that applies to all UK public companies. Provision C.2.3 of the Code mandates that the board should annually review and report on the effectiveness of their company’s risk management and internal control systems. Specifically, Item 43 in Section 5 of the guidance requires the board, in its annual review of effectiveness, to consider the company’s “willingness to take on risk (its ‘risk appetite’), the desired culture within the company and whether this culture has been embedded.”
The FRC, recognizing that there is little tangible guidance available to boards on how to oversee a company’s culture, stated that, in 2015, the initial year of implementation of the new board oversight requirements, it will focus on “company culture: how best to assess culture and practices and embed good corporate behaviour throughout companies.”
Financial regulators globally, including the SEC, are expected to follow the UK’s lead and significantly increase their focus on board oversight of corporate culture generally, and risk culture in particular. In a global survey conducted by KMPG, 1,500 audit committee members ranked government regulation second among risks that pose the greatest challenge for their company. Oversight of risk culture may be one of those areas of new government regulation.
The purpose of this paper is to provide board members with an overview of these new expectations and to outline potential handicaps that boards may encounter. The paper also offers suggestions for boards of directors on overseeing their company’s risk culture. Board Oversight of Risk Culture: A Primer In a 2009 report on reform in the financial services industry, the Institute of International Finance (IIF) proposed the following definition of “risk culture”:
“...norms and traditions of behaviour of individuals and of groups within an organization that determines the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes.”The Financial Stability Board (“FSB”) has emphasized the importance of risk culture in a number of recent guidance papers. Following the consideration of feedback the FSB received to the publication in 2013 of an exposure draft on assessing risk culture, the agency issued guidance on assessing risk culture in April 2014. This FSB guidance may well prove to be a turning point in the history of the
evolution of regulatory supervision approaches and board risk oversight expectations.
The ongoing discussion of the role of regulators in overseeing the risk culture of financial institutions raises the question of whether national regulators are equipped to assess and opine on whether a company has a poor, adequate, good, or even the more elusive, excellent risk culture. A number of respondents to the 2013 FSB exposure draft on risk culture questioned whether regulators had the capabilities necessary to form sound, repeatable conclusions on this important issue, with particular concerns expressed that it could become a “check-the-box” exercise (see, for example comment letters issued by the US Chamber of Commerce, Professional Risk Managers International Association, and the International Actuarial Association). Risk Oversight’s comment letter even questioned whether global regulators were inadvertently handicapping efforts globally by encouraging companies to implement frameworks that purport to foster better risk culture by requiring binary (effective/ineffective) reports on internal control effectiveness.
The April 2014 FSB guidance provides a high-level vision of what it believes represents a “sound” risk culture:
A sound risk culture consistently supports appropriate risk awareness, behaviours and judgments about risk taking within a strong risk governance framework. A sound risk culture bolsters effective risk management, promotes sound risk taking, and ensures that emerging risks or risk taking activities beyond the institutions risk appetite are recognized, assessed, escalated and addressed in a timely manner.The FSB identifies risk governance, risk appetite, and compensation as the “foundational elements of a sound risk culture.” While acknowledging that “assessing risk culture is complex,” the FSB asks national regulators to consider the following indicators of a sound risk culture during their inspections/audits: tone from the top, accountability, effective communication and challenge, and incentives. The FSB recommends that regulators consider these indicators “collectively and as mutually reinforcing” rather than individually. Details on the risk culture indicators are shown in
the box, right [. . . OMITTED. . . ].
The UK FRC recommends that, in conjunction with its guidance, boards, consider and discuss with senior management the following questions:
• How has the board agreed the company’s risk appetite? With whom has it conferred?
• How has the board assessed the company’s culture? In what way does the board satisfy itself that the company has a ‘speak-up’ culture and that it systematically learns from past mistakes?
• How do the company’s culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and internal control systems?
• How has the board considered whether senior management promotes and communicates the desired culture and demonstrates the necessary commitment to risk management and internal control?
• How is inappropriate behaviour dealt with? Does this present consequential risks?
• How does the board ensure that it has sufficient time to consider risk, and how is that integrated with discussion on other matters for which the board is responsible?Other regulators around the globe could follow the UK’s lead by increasing their focus on risk oversight and risk culture. “Tone at the top” has been espoused by the head of the US SEC. In a July 2014 speech, SEC chair Mary Jo White noted:
Ensuring the right ‘tone at the top’ for a company is a critical responsibility for each director and the board collectively. Setting the standard in the boardroom that good governance and rigorous compliance are essential goes a long way in engendering a strong corporate culture throughout an organization.Given this renewed focus on directors as gatekeepers and “tone at the top,” board oversight of corporate risk culture could be an important area of SEC focus and scrutiny going forward.* * *
Challenges for Board Oversight
1. Many board members, because of their years of real-world experience, are able to informally gauge the risk appetite and tolerance of senior management, especially CEO/CFOs, but there is very little practical guidance available on how boards should assess and document the appropriateness of the risk culture of an entire organization.
2. Senior management, including the CEO and CFO, may be reluctant to let the board know their “real” risk appetite/tolerance, as it may conflict with compensation systems and/or career advancement goals. It is now well-documented that one of the risks that boards face is “asymmetric information” (the risk that management knows things about the state of risk that the board does not) when overseeing management’s risk appetite and tolerance.
3. Many boards may not receive a consolidated report (like a balance sheet) on the state of retained risk across their company’s top value creation and/or strategic business objectives and foundational objectives such as reliable financial reporting, compliance with laws, preventing unauthorized access to data, safety, and other social responsibility areas. A recent study indicates “only 30 percent describe their ERM process as systematic, robust, and repeatable with regular reporting of top risks to the board. That percentage is higher (55 percent) for large organizations and public companies (59 percent)”. Only a consolidated report on residual risk status provides a window for the board on the interrelationships between objectives and related risks that cross multiple risk and assurance silos.
4. Traditional internal audit processes and teams that provide point-in-time and subjective opinions on the effectiveness of internal controls are not well-equipped to provide boards with opinions on an organization’s risk culture, the effectiveness of risk management processes, or consolidated reports on residual risk status linked to key strategic and foundation objectives.
5. Risk-centric ERM processes that use risk registers that focus on identifying and assessing individual risks without linkage to related objectives and other risks impacting those objectives may not deliver concise, reliable enterprise-level information on the composite residual risk status linked to key strategic and foundation/potential value erosion objectives.
6. Regulators, while increasingly calling on boards to oversee risk culture and management’s risk appetite and tolerance, continue to favor the use of risk staff groups and internal audit functions as extended supervision/policing groups. This regulatory bias may handicap the efforts of progressive boards who much rather have their internal audit and risk specialists to work collaboratively with management to enhance risk processes and foster better and candid disclosure of all significant retained risk situations.
7. The regulatory and compliance regime around SOX Section 404 in the United States drives companies to build systems to report whether their “internal controls over financial reporting are effective,” but stops far short of requiring that the board be told about the financial statement line items and note disclosures with highest composite uncertainty (i.e. the highest retained risk that the line items/notes may be materially wrong).
8. Many ERM software applications and consulting firms continue to promote the use of risk registers and heat maps that focus on identifying and assessing individual risks, but do not provide boards with a composite picture on the residual risk status linked to key objectives.
9. Boards of directors may be relying too much on reports by the subject matter experts (including chief legal officers, chief internal auditors, heads of compliance or safety, and other assurance leaders) that state that controls are working and “effective” or “ineffective,” instead of information on the highest residual risk status objectives needed to effectively monitor a company’s overall risk appetite and risk culture.
10. Currently, significant confusion and debate exist on whether it is the responsibility of the full board to over-see the company’s risk culture, including management’s risk appetite and tolerance, or whether various board committees are individually responsible for different risk oversight functions. This may handicap efforts to create an overall picture of the company’s risk culture and management’s risk appetite/tolerance.
11. Although the chief audit executives of many large corporations now have a solid line relationship to the audit committee of the board, many still do not report to the board on their company’s residual risk status linked to key objectives or their opinion on the company’s risk culture and risk appetite framework. This may be simply because their boards haven’t asked for this information or because the chief audit executive doesn’t know how.
12. There is little practical training or guidance for board members and auditors on how to effectively oversee risk culture, including the effectiveness of risk appetite frame-works adopted by a company, from associations like the National Association of Corporate Directors (NACD) in the United States and Institute of Corporate Directors (ICD) in Canada. On the audit front, the curriculum and professional practice standards for Certified Internal Auditors (a professional designation awarded by the IIA) continue to be heavily weighted towards training auditors to do spot-in-time internal audits that produce subjective opinions on internal control effectiveness and “control deficiencies” and “material weaknesses”; not reports on the current state of residual risk status linked to top strategic and foundational objectives. Although the Institute of Internal Auditors (IIA) is encouraging its members to transition from traditional methods to ones more aligned with the FSB expectations, real progress to date has been slow.