Why is risk governance such an important issue for any director? Of course, we all know about the major risk disasters that have led to lawsuits against boards or the resignation of executive and non-executive directors.
In 2012, Barclays’ Chairman Marcus Agius resigned over the Libor interest rate-rigging scandal. In 2011, UBS’ CEO Oswald Grübel resigned after a loss due to Kweku Adoboli’s unauthorised trading activities. In 2010, BP’s CEO Tony Hayward resigned over the company’s oil spill in the Gulf of Mexico. The same year, HP’s board of directors was sued by a US pension fund for ‘breach of fiduciary duties, gross mismanagement, waste of corporate assets, violating the California corporation code, misappropriating information, and unjust enrichment.’ (CNET, 12 August 2010).
But beyond the shocking headline stories lie deeper corporate ‘facts of life’. I was speaking at the annual conference of the Institute of Risk Management of South Africa last November in Johannesburg and heard an interesting anecdote from one of the other speakers. Apparently, in 1999 Fortune Magazine considered a project to publish a special issue to celebrate the turn of the millennium. It would have read something like: ‘The Fortune 500 Companies of 1900 – One Century Later’. According to the anecdote, Fortune dropped the idea when a quick search showed how few of them had survived – only 14, or three per cent!
According to other sources, the life expectancy of Fortune 500 companies has dropped from 75 years half a century ago to 15 years today, going towards five years in the foreseeable future at the current rate. If this is a ‘fact of life’ for the largest and most successful of companies, imagine what it might be for other organisations. Which leads me to say to directors: Staying in business is risky business!
Interestingly enough, it becomes more and more apparent that avoiding risks altogether, or taking the wrong risks, is often the biggest risk. Think about the fate of Kodak or, more recently, the reluctance of mobile phone manufacturers RIM (now BlackBerry) and Nokia to take the risk of touchscreen technology in the aftermath of Apple’s launch of its iPhone in 2007.
In fact, the level of return obtained on a project, or for a company as a whole, depends on the level of risk being undertaken. Non-profit organisations face a similar relationship between risk and return, although in their case ‘return’ is obviously some significant positive metric other than profit. Decisions on risk should therefore be considered and made by the board in the same breath as decisions on investments. One ignores that relationship at one’s own peril – witness Barings Bank’s management and Madoff’s investors, who were lured by the sirens of seemingly unending above-average returns!
In that context, it should not surprise anyone to learn that risk governance has gained prominence in the minds of investors, shareholders, directors, boards, trustees, regulators and even the public. In this article, I would like to present key international developments in the area of risk governance as they are being shaped by the combined forces of corporate governance codes, self-imposed best practices, regulation and listing requirements.
The state of risk management
In the past, the notion of ‘risk’ was understood solely as the potential for negative outcomes. For many reasons, including the fact that holding market risk instruments, such as currency or equity, exposes one to both upside and downside movements, risk is now generally seen to bring positive as well as negative outcomes. This view is reflected in the internationally recognised ISO 31000:2009 definition of risk as ‘the effect of uncertainty on objectives’, which can be positive or negative. It is even reflected in South Africa’s corporate governance Code, which recommends that boards ensure ‘the risk response provides for the identification and exploitation of opportunities’ – as will be seen in the next issue.
At the same time, risk management practice has evolved from one where each risk was managed within silos of expertise (credit, market, the environment and so on) to one where the organisation considers its entire portfolio of risks in an integrated way. This approach is called Enterprise Risk Management (ERM) and it has been defined by one important reference document as ‘a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives’ (COSO, 2004).
It should be understood here that an ‘enterprise’ could be a company or any other organisation, including non-profit ones.
Why are all directors concerned?
We have already seen that the longevity of even the best companies and organisations is declining and that their demise is not only due to their over-exposure to negative risks, but also to their underexposure to the right types and levels of risk. This, in itself, should be a concern to any director. But in addition, it is worth noting that risk considerations are actually embedded within what are considered to be key roles and responsibilities of directors:
• The directors have a fiduciary duty towards the superior interests of the organisation and should be concerned that these interests are not unduly put at risk.
• In addition, directors are expected to contribute to the organisation’s strategy – and every strategy entails risks.
• Independent directors (or non-executive directors) bring particular value to their organisation by constructively challenging management’s proposals, which often means weighing the chances of success of management’s projects – in other words, their riskiness.
• Directors, particularly of listed companies, also have an obligation of due diligence and are subject to shareholder lawsuits, which should concentrate their minds on risks.
• Directors of smaller companies often have to perform a balancing act between their roles of, on one side, supportive advisers and, on the other side, devil’s advocates to the entrepreneurial risk-taking attitude of management.
• Finally, directors of not-for-profit entities should also be particularly concerned because of their organisations’ often-limited financial capacity to bear risk.
Major aspects of selected risk governance Codes
The purpose of this article is not to cover the risk oversight aspects of all corporate governance Codes that exist internationally, but to highlight some key similarities between them, as well as interesting differences that demonstrate sensible leadership in corporate risk governance around the world.
In the current issue, I highlight the key common threads amongst the Codes, while in the next issue, I will cover key aspects of the risk section of the Codes that are specific to the United Kingdom, the United States of America, Canada and South Africa – the latter representing an exemplary, ‘ideal’ model in terms of risk governance.
For more information on the different Codes and their scope of applicability, I refer the reader to the European Corporate Governance Institute: http://www.ecgi.org/codes/all_codes.php.
Common threads in risk oversight guidance
Generally speaking, the major common features of the above-mentioned corporate governance Codes – in so far as risk management is concerned – include the following responsibilities of directors:
• To approve a strategic planning process and a strategic plan that includes the organisation’s opportunities and risks.
• To identify, describe, define, or at least approve the main risks associated with the organisation’s activities.
• To ensure that an appropriate process or system is implemented to manage those risks (including a system of internal control).
The Codes also share, to a certain degree, the following guidance on additional responsibilities of directors regarding risk oversight:
• To define, or at least approve a process by which the board of directors or one of its committees will evaluate the organisation’s main risks.
• To approve the structures and processes necessary to manage existing and emerging risks.
It is interesting to note that even if a board delegates the more detailed risk oversight tasks to a committee, all directors remain responsible for the identification of the main risks and their inclusion in strategy, and for ensuring that an appropriate system is in place to manage those risks. Additionally, it is recommended that directors approve how the main risks will be evaluated and how the risk management function handles not only existing risks but also potential new ones.
Those five points really seem to represent the essence of what leading corporate governance Codes advocate regarding the oversight of an organisation’s main risks as well as its risk-management framework by its board of directors.
In the next issue, I will present some of the remarkable key risk governance prescriptions of the national codes of the UK, the US, Canada and South Africa; important developments and trends in global best practices; and practical ways in which smaller organisations can apply them.
Ghislain Giroux Dufort is President of Baldwin Risk Strategies Inc. He is a member of The Institute of Risk Management South Africa and is a graduate of the Financial Times’ Non-Executive Directors Certificate. This article represents his personal opinion.