Board Oversight in Risk Management 2nd National Conference on CORPORATE COMPLIANCE & ROLE OF INDEPENDENT DIRECTORS February 15, 2013
“Effectively integrated with strategy-setting, risk management should invigorate opportunity-seeking behavior by helping managers develop the confidence that they truly understand the risks and have the capabilities within the organization to manage those risks. The result: management and the board fully understand the downside and how much it might hurt. They also know what to watch over time.”
Everett Gibbs & Jim DeLoach, Protiviti Managing Directors, “Which Comes First… Managing Risk or Strategy Setting? Both!”, Financial Executive Magazine
Board Risk Oversight – COSO & Protiviti Survey
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned Protiviti to conduct a survey to develop a deeper knowledge of the current state of the risk oversight process and the desired future state
• The results of the survey provide valuable insights into:
• How boards are fulfilling their risk oversight obligations;
• The maturity of their processes; and
• The key areas offering opportunities for improvement of the risk oversight process.
Given the intensive regulatory environment across countries, risk oversight has become a high priority on the agenda of most board directors. Boards are taking a fresh look at the qualifications of their members, how they operate and the expertise they need to understand and manage the enterprise’s risks.
Board Risk Oversight – General Outcomes (1/2)
• Boards are not formally executing mature and robust risk oversight processes, although the risk oversight responsibility generally resides with the board
• Overall dissatisfaction with the way risk is considered in the context of the organization’s overall strategy, and one or more obstacles inhibit the risk oversight process
• Most boards do not receive risk reports on an annual cycle; reports are generally received on an as-needed / ad hoc basis or not at all
• In the absence of routine risk appetite dialogue, risk appetite may not always get driven down into the business to set risk tolerances and operating limits
Board Risk Oversight – General Outcomes (2/2)
• Action plans to address deviations from risk tolerance parameters require improvement
• Monitoring of the organization’s risk management process isn’t done at all or is executed ad hoc
• Many companies have a process to apprise the board of the most significant risks and how those risks are managed. However, in relatively few organizations is the process well defined and rigorous
Role of the Board in the Risk Oversight Process
Over 74% of respondents indicated that their boards are not formally executing mature, quantifiable and robust risk oversight processes
Source: COSO-Protiviti Risk Oversight Survey 2010
Board’s Involvement in the Risk Oversight Process
• Findings suggest that boards are gaining valuable support by assigning aspects of their risk oversight responsibilities to their various standing committees
• The risks inherent in the scope of each delegated committee’s activities are set forth in the respective committee charter. For example:
• Audit committees typically oversee financial reporting risks and certain compliance risks that have financial reporting implications
• Governance committees oversee governance risks such as board leadership and composition, board structure, etc.
Source: COSO-Protiviti Risk Oversight Survey 2010
To enhance the transparency of the oversight process, organizations may want to consider formally documenting the roles and responsibilities related to risk oversight in the board or committee charters
Does Your Board:
• Provide ‘active oversight’ in developing the overall strategy?
• Possess a good understanding of the risks to the strategy – those that may limit value creation and even cause the strategy to fail?
• Ask probing questions – including those that challenge assumptions of the strategy?
• Have an understanding of the key risk indicators in place to alert decision makers to a strategic risk?
• Assess potential new risks the strategy can create?
• Prepare for what happens if the strategy fails?
Where does this take us? What Does This Mean For Us?
Enterprise-Wide Challenges In Risk Management
Stakeholders: Chief Risk Officer (CRO), Chief Compliance Officer (CCO), CIO, CFO / VP Finance
• Balancing the range of enterprise risks
• Evaluating business requirements and technical risk capabilities
• Reducing organizational cost of risk exposure and cost of mitigation or acceptance
• Increasing efficiency & consistency of compliance processes
• Reducing regulatory actions by reducing compliance violations
• Planning and oversight of compliance management resources
• Identifying and implementing optimal detective & preventative controls
• Timely notification of control issues, material weaknesses and violations
• Reducing the total cost of Governance and Risk Management
• Accurate and comprehensive information on financial exposure, compliance and audit
• Ensuring auditable, secure information
• Automating the risk management process
• Eliminating multiple internal governance and risk management solutions
• Implementing an IT platform for standardization, simplification & security
Where Should Our Focus Be?
1. Governance Risks – Risks related to directors’ decisions regarding board leadership, composition and structure, director and CEO selection, and other governance matters
2. Critical Enterprise Risks – The top five to ten risks that can threaten the company’s strategy, business model or viability
3. Board Approval Risks – The risks related to decisions the board must make with respect to important policy areas, such as major strategic initiatives, acquisitions or divestitures, major investments, entry into new markets, etc.
4. Business Management Risks – Risks associated with ongoing day-to-day business operations
5. Emerging Risks – Emerging risks outside the scope of categories (1) through (4)
Most organizations today focus on Business Management Risks only, which may end up creating ‘blind spots’ with respect to some key existing and emerging risks
Why Is It Important Today More Than Ever? (1/2)
Ten Major Challenges Facing Businesses
• Regulatory changes and increased regulatory scrutiny which may affect operations
• Economic conditions in current markets may not present significant growth opportunities
• Volatile global economic and political conditions
• Succession challenges and the ability to attract / retain top talent may constrain efforts to achieve operational targets
• Organic growth through existing customers presents a significant challenge
Source: Protiviti Bulletin: Setting the 2013 Audit Committee Agenda
Why Is It Important Today More Than Ever? (2/2)
Ten Major Challenges Facing Businesses
• Ensuring identity management and information security protection could require resources which the organization may not have
• Resistance to change could restrict the organization from making necessary adjustments to the business models and core operations
• Organizations may not be able to meet performance expectations as well as competitors
• An unexpected crisis could likely have a significant impact on reputation
• Inability to use data analytics and big data to obtain the needed market intelligence
Source: Protiviti Bulletin: Setting the 2013 Audit Committee Agenda
Gaps Observed In the Indian Scenario
[Diagram: Shareholders → Board of Directors (sub-committees: Audit, Risk, Other (Nom., Remun., etc.)) → Management (Operations, Financial & Admin Management, Risk Management, Internal Control) with Internal Audit and External Audit]
Gaps noted:
• Board acts as a ‘paper’ board
• Composed of family & insiders
• Lack of financial & risk ‘literacy’
• Informal working procedures
• Narrow focus on financials only
• No or ineffective sub-committees
• Unclear on oversight role for risk & control
• No clear division between Board & Management
• Uninformed board – poor management information
Companies Bill 2012 – An Attempt to Address Some Gaps
• Crisper definition of ‘Independent Director’ which limits their relationship with promoters, management and Directors, as well as with auditors and other stakeholders
• Limiting the number of directorships held, so as to improve the overall time and attention dedicated to the role of a Director
• Requirement for attendance at Board Meetings to bring more seriousness to the responsibilities and role expected of a Director
• Requiring the presence of a minimum number of Independent Directors on the Board of Directors
• Limiting the tenure of Independent Directors so as to not compromise the ‘independence’ of the Board of Directors owing to longer tenures
• The bill seeks to address gaps in terms of ‘COMPETENCIES’ and ‘PARTICIPATION’ of Directors to do justice to the roles and responsibilities of Directors
Risk Oversight Agenda In the Current Scenario
What is Risk Management?
Shaping The 2013 Risk Oversight Agenda
The complexity and velocity of change in an increasingly interdependent world are altering the dynamics of doing business. Such changing markets and circumstances spawn new risks, alter risk profiles, and reduce the effectiveness of established risk management capabilities. Protiviti’s Risk Oversight Agenda is intended to help companies take such changes into account.
2013 Risk Oversight Agenda – Key Considerations (1/6)
With the beginning of the new year, it is imperative to check whether the 2013 agenda for Board risk oversight is appropriately focused. This can be done by considering the following questions as reminders:
1. How often are matters other than ‘financials’ on the Audit Committee agenda?
• Does the board discuss strategy, risks to strategy, sustainability initiatives and areas other than financials?
2. Has the company’s risk profile changed?
• Has management updated the assessment of the organization’s most critical enterprise risks? Is the update consistent with the Board’s view?
2013 Risk Oversight Agenda – Key Considerations (2/6)
3. Does the Board periodically assess the performance of Independent Directors?
• Performance could be linked to the time they spend in discussions on strategy and issues facing your company, past experiences they may have had, and other active involvements they may currently have
4. How robust and frequent is your audit committee’s evaluation of the external auditor?
• Consider the evaluation criteria / metrics the board might want to set so as to evaluate them at the time of a change in auditors
2013 Risk Oversight Agenda – Key Considerations (3/6)
5. Is the Board satisfied with the identification process in place for emerging risks?
• Are risk assessments providing directors with insights they didn’t previously have?
6. Is the Board giving appropriate consideration to technology-related risks?
• Rapid technological innovation is creating new risks in return for faster and more accessible data, making companies rethink how they can create value for customers
2013 Risk Oversight Agenda – Key Considerations (4/6)
7. Is the Board satisfied with the risk reporting it receives?
• Risk reporting provides information about the critical enterprise risks and summarizes how those risks are managed. It is the responsibility of the Board to communicate to management what additional information it requires
8. Does the Board understand the key assumptions underlying the organization’s strategy?
• The Board must check whether these assumptions are being used to identify risk indicators that provide early warning of critical strategic assumptions becoming invalid as the company executes its strategy in a changing environment
2013 Risk Oversight Agenda – Key Considerations (5/6)
9. Does the Board periodically check for potential issues in the company’s culture and incentive compensation structure?
• Lack of transparency, conflicts of interest and unbalanced compensation structures are warning signs for the Board that have the potential to undermine the effectiveness of risk management
10. Is the Board satisfied with the sufficiency of resources within the company’s risk management function?
• Directors should inquire whether appropriate policies, processes, people, reporting, tools and incentives, along with a supportive culture, are in place to mitigate key risks
2013 Risk Oversight Agenda – Key Considerations (6/6)
11. Does the Board periodically assess its risk oversight processes?
• With an ever-changing business, technology and industry environment, an important question to ask is whether the Board has the requisite expertise to provide effective risk oversight
12. Is the company prepared to respond to extreme events?
• Does the company have response plans for unlikely extreme events (events no one can predict or see coming)?