The risk oversight function of the board of directors has never been more critical and challenging than it is today. In the context of the current global financial crisis and the swooning global economy, companies now face risks that are more complex, interconnected and potentially devastating than ever before. Risk from the financial services sector has contributed to large-scale bankruptcies, bank failures, government intervention and rapid consolidation. And the repercussions have spread to the broader economy, as companies in nearly every industry have suffered from the effects of a global paralysis in the credit markets, sharply reduced consumer demand and extremely volatile commodity, currency and stock markets. In addition, the public and political perception that undue risk-taking has been central to the breakdown of the financial and credit markets is leading to an increased legislative and regulatory focus on risk management and risk prevention. In this environment, boards and companies must be mindful of the possibility that courts will apply new standards, or interpret existing standards, to increase board responsibility for risk management.
But what exactly is the proper role of the board in corporate risk management? The board cannot and should not be involved in actual day-to-day risk management. Directors should instead, through their risk oversight role, satisfy themselves that the risk management processes designed and implemented by executives and risk managers are adapted to the board’s corporate strategy and are functioning as directed, and that necessary steps are taken to foster a culture of risk-adjusted decision-making throughout the organization. Through its oversight role, the board can send a message to the company’s management and employees that corporate risk management is not an impediment to the conduct of business nor a mere supplement to a firm’s overall compliance program but is instead an integral component of the firm’s corporate strategy, culture and value generation process.
Given the increased significance of the risk oversight role in the current risk environment, a company’s risk management system should function to bring to the board’s attention the company’s most material risks and permit the board to understand and evaluate how these risks interrelate, how they affect the company, and how management addresses these risks. It is important for directors to have the experience, training and knowledge of the business necessary for making a meaningful assessment of the risks that the company faces, however complicated they may be. The board should also consider the best organizational structure to give risk oversight sufficient attention at the board level. In some companies, this may include creating a separate risk management committee or subcommittee. In others, it may be sufficient to have the review of risk management as a dedicated, periodic agenda item for an existing committee such as the audit committee, in addition to periodic review at the full board level. While there is no “one size fits all” approach, it is important that risk management be a priority and that a system for risk oversight appropriate to the company be put in place.
My colleagues Daniel A. Neff, Andrew R. Brownstein, Steven A. Rosenblum, Adam O. Emmerich, Sabastian V. Niles, Shaun J. Mathew, Brian M. Walker, and Philipp von Bismarck and I have prepared a memorandum entitled “Risk Management and the Board of Directors” that considers these and related considerations. The memorandum (1) outlines the risk oversight obligations of the board of directors and certain best practices derived from governmental and regulatory sources, (2) discusses some of the common areas of risk that companies may face, and (3) provides recommendations for structuring and improving risk oversight at the board level.
The memorandum is available here.