Our blog

October 8, 2012

Traditionally, the role of risk management in a business setting is delegated to executive management.  It is their responsibility to manage a company’s risk by ensuring that appropriate policies/procedures are in place and executed in accordance with selected performance goals and risk tolerances.   However, as the term “risk” has broadened in scope to include not just direct financial risk, but other areas of a company’s operations where lack of oversight can impact the bottom-line, boards of directors are increasingly taking a more active role in risk management.  Although the U.S. Securities and Exchange Commission (SEC) has spurred this effort, boards are quickly realizing that they can no longer blindly delegate the responsibility of risk management to their executive teams.

Beginning in 2010, the SEC required public companies to describe within their proxy statements the role of the board of directors with respect to risk management.  How boards have responded to this less than subtle nudge from the SEC, has been interesting to say the least.  Proxy statements have revealed two common practices by boards in addressing risk management.  The most common approach is the committee model, which places risk oversight in the hands of either a newly created standing committee of the board or an existing one.  According to a study done by the Conference Board of 30 companies in the Dow Jones Industrial Average, 52 percent of non-financial and 60 percent of financial companies delegate the primary responsibility for coordinating risk oversight to the audit committee or a dedicated, stand-alone risk committee.  Many companies use the committee model, including American Express, Boeing, and Chevron. 

Another approach to board oversight of risk management is the “active board model.” The Conference Board reports that 40 percent of non-financial and 48 percent of financial companies rely on an active board model. This model puts the responsibility of risk oversight on the entire board. In this model, a company’s chief risk officer (or similar position) reports to a committee tasked with risk oversight, as well as  to the entire board.  Notable companies using this model include CAT, Coca-Cola, and IBM. Coca-Cola’s recent proxy statement states that “strong Directors chair the various committees involved in risk oversight, (but) there is open communication between management and Directors, and all Directors are actively involved in the risk oversight function.” Of course, the problem with a proxy statement is that in many ways it has become a company’s public relations statement.  The only real way to assess whether a company has embraced the active board model in risk management is to dissect their meeting minutes.  This is something that really only happens when the SEC steps in to investigate a scandal – i.e. when it is too late.  

The most important aspect of the risk management strategy of a company (be it a public, private or non-profit organization) is that its entire board must buy into it in order for it to be successful.  For this reason, we will see a gradual move towards the active board model as the risk management standard in corporate governance best practices  — the risks associated with the alternative approach is simply too great.

Share this story
Back to top