
6 MAY/JUNE 2012 THE CORPORATE BOARD

Regulatory reforms have long tended to reshape boards of directors, and the changes over the past decade have been no exception. The concept of a dedicated, board-level “risk committee” has become a mandated reality at many financial-related firms. Now, the value of a risk committee is becoming more attractive across the corporate spectrum.

There is a predictable cycle of cause, effect, and response to the financial scandals, panics, and economic downturns that are part and parcel of the history of the United States. In the last century, the creation of the Federal Reserve and the Securities and Exchange Commission are two examples of such responses. The Federal Reserve was created after the panic of 1907. The Congressional response to the 1929 stock market crash and Great Depression was the creation of the SEC under the Exchange Act of 1934.

Fast forward to the 21st Century, and the same predictable cycle continues. Examples include Sarbanes-Oxley in 2002 (financial reporting) and the New York Stock Exchange Rule in 2003 (audit committees). The governmental response to the financial crisis (2008-2009) and so-called “great recession” continues with two new regulatory actions: the SEC Amended Rule 33-9089 and the 2010 Dodd-Frank Act.

SEC 33-9089 is definitive about the board’s role in risk management oversight, but Dodd-Frank’s Section 165 is especially provocative from the risk management perspective. This is because it has produced a potentially game-changing phenomenon in the corporate governance structure.

This singular innovation is the board-level risk committee. At the board level, the committee’s primary responsibility is risk oversight. This means ensuring that effective and efficient risk processes and practices are in place. Those practices must also be executed in a timely manner, and a flow of relevant, but succinct, information on the most significant risks goes to the board. Ultimately, this committee’s key concerns should be understanding, updating, and monitoring the risk profile of the organization to assure that it is aligned with a set risk position.

Best Practice Risk Committees by John Bugalla, James Kallman, Christopher Mandel and Kristina Narvaez

While most board risk committees are found in the financial and insurance sectors, an increasing number of companies in other industries are following suit.

With SEC 33-9089 and Section 165 of Dodd-Frank, a new government-mandated model of corporate governance and risk management is being codified for many companies. It is a complete package describing risk management responsibilities, structure, and process. However, the formation of board-level risk committees also means changing responsibilities for the existing audit committee, which has typically been assigned risk management oversight.

Most board risk committees exist in the financial services and insurance industries. An increasing number of companies in other industries are following suit, however. Notable among them are General Motors (GM) and General Electric (GE).

JPMorgan Chase, General Electric, and General Motors are all leading companies in their respective industries. They are recent examples of organizations that have taken a progressive approach towards aligning the risk oversight responsibilities of the board with the formation of board-level risk committees.

To date, firms with board-level risk committees remain in the minority for American companies. However, these three publicly traded companies present a strong argument for why their risk oversight functions more effectively than in companies lacking such risk committees.

John Bugalla is principal of ermINSIGHTS. James Kallman is assistant professor of finance at St. Edward’s University. Christopher Mandel is executive vice president with rPM3 Solutions. Kristina Narvaez is president and chief executive officer of ERM Strategies, LLC.


A side-by-side comparison of JPMorgan Chase, General Electric, and General Motors’ risk committee charters illustrates a common theme, and a relatively common approach. The common theme is the purpose of the committee: its responsibility is oversight, not management. This is why an executive risk management committee is necessary, and why it must partner with the board-level risk committee, especially in complex, larger corporations.

General Motors: The purpose of the Finance and Risk Committee of the board is to assist the board in its oversight of the company’s financial policies, strategies, and capital structuring, and make such reports and recommendations to the board as it deems advisable; and risk management strategies and policies, including overseeing management of market, credit, liquidity, and funding risks.

General Electric: The Risk Committee charter confirms that its “purpose shall be to assist the board in its oversight of the company’s management of key risks, including strategic and operational risks, as well as guidelines, policies and processes for monitoring and mitigating such risks…”

JPMorgan Chase: The Risk Policy Committee charter confirms “responsibility for oversight of the CEO’s and senior management’s responsibilities to assess and manage the corporation’s credit risk, market risk, interest rate risk, investment risk, liquidity risk and reputational risk, and is also responsible for review of the corporation’s fiduciary and asset management activities.”

One critical issue for the committee is defining the company’s risk appetite and risk tolerance. At the board level, setting these is a strategic issue.

One key issue is defining the organization’s risk appetite and risk tolerance. At the board level, setting the risk appetite and tolerance levels is a strategic issue. At the business unit level, risk appetites and tolerances are often seen as operational constraints. This is another reason for the formation of an executive risk committee, and a partnership between the two committees.

RISK COMMITTEES

Suggested Browsing: How Committee Charters Allot Risk

Audit Committee Charters

- JPMorgan Chase: www.jpmorganchase.com/corporate/About-JPMC/audit-committee-charter.htm
- General Electric: www.ge.com/pdf/company/governance/board/ge_audit_committee_charter.pdf
- General Motors: http://investor.gm.com/corporate-governance/docs/Audit.pdf

Risk Committee Charters

- JPMorgan Chase: www.jpmorganchase.com/corporate/About-JPMC/risk-committee-charter.htm
- General Electric: www.ge.com/pdf/company/governance/board/ge_risk_committee_charter.pdf
- General Motors: http://investor.gm.com/corporate-governance/docs/2012-FRC-Finance-Risk-Committee-Charter.pdf


General Motors: “The committee shall: review with management the company’s risk appetite and risk tolerance, the ways in which risk is measured on an aggregate, company-wide basis, and the setting of aggregate and individual risk limits (quantitative and qualitative, as appropriate) and the actions taken if those limits are exceeded.”

General Electric: The committee is “to review and discuss with management the company’s risk appetite and strategy relating to key risks, including credit risk, liquidity and funding risk, market risk, product risk and reputational risk, as well as guidelines, policies and processes for monitoring and mitigating such risks.”

JPMorgan Chase: “The Risk Policy Committee shall approve and periodically review the corporation’s risk appetite policy, and review actual or forecast results exceeding risk appetite tolerances.”

Another key common element is collaboration and communication between the risk and audit committees. At GM, the charter states “The committee shall coordinate with the chair of the audit committee to ensure that both receive all information necessary to permit them to fulfill their duties and responsibilities with respect to oversight of risk assessment and risk management.”

GE’s charter states it is, “to receive, as when appropriate, reports from the company’s corporate audit staff and GE Capital’s internal audit function on the results of risk management reviews and assessments.” At JPMorgan Chase, the committee will “meet not less than semi-annually with the audit committee on topics of common interest.”

Boards seek risk intelligence to ensure future opportunities and threats to the company’s performance are appropriately managed.

In order to carry out their risk oversight responsibilities, board-level risk committees are best supported by specific features. These include:

- A reporting structure that provides them with the appropriate information that defines the firm’s risk profile.
- A reporting system that provides an audit of the effectiveness of the risk management process.
- A system that affords an evolving understanding of key risks to the company.

Boards are now finally asking management about the nature of the risk intelligence process which is in place. Boards seek information about new or emerging risks, and the extent to which these risks require more in-depth analysis. This is being done to ensure future opportunities and threats to the company’s performance are appropriately managed.

The formation of an executive-level risk committee should provide the board with information about the key elements of risk management relevant to the oversight process. The responsibility of the executive risk committee should ideally be to approve the design and implementation strategies of the risk management process for the entire business.

Beyond the effectiveness and efficiency of risk processes, the key focus of the executive risk committee should be risks that can most significantly impact the performance of the company. This forum is where these risks should be vetted before a selected subset is reported to the board.

The essential analysis involves a clear understanding of who owns each risk, how effectively the risks are being managed, and the extent to which they may materially alter the risk profile of the company. Similar analysis should be applied to emerging and unanticipated risks that require greater understanding over time, especially with regard to their velocity (the speed at which they may either positively or negatively affect performance).

Benefits of this executive-level risk committee include:

- A more comprehensive and complete view of risk.
- Enhanced understanding of inter-relationships and inter-dependencies among key risks.
- An appreciation for both the positive and negative correlations that can increase the impact of risk.
- Understanding of how the risks may materially impact the risk profile.

Analyzing and recognizing which risks could have the greatest impact on the company provides an internal early warning system for factors that could impact business performance. This early warning system should provide the company with the opportunity to develop alternative strategies and advance management efforts.

An executive-level risk committee forces risk management out of the typical silos, ensuring a cross-enterprise view.

If a core focus of the executive risk committee is key risks of the business, its membership must logically be a core team of executive managers. These managers must represent all key stakeholders who are essential in the performance of the company. They should work in concert with the board to determine the firm’s risk position (the risk appetite and tolerance), and the system of measurements and parameters.

The team also includes other managers who ensure that the company’s risk profile stays within acceptable parameters. This includes managers whose job is to ensure that external risk stakeholders, such as rating agencies and regulators, are satisfied that risk is well managed. This spread of risk functions means forcing risk management out of the typical silos in which they traditionally sat. Thus the system ensures a cross-enterprise view.

This group should ensure that risks associated with especially volatile exposures, such as financial reporting and compliance, mergers and acquisitions, and human capital, are effectively managed. Finally, everyone in this group should ensure that other critical issues, such as preserving the organizational reputation and brand, are sufficiently protected. This demands relevant, effective controls, and the implementation of the right management strategies.

Having an executive risk committee sends two critical messages throughout the company. First, that risk management processes are not constraints imposed on management unnecessarily. Instead, it sends a signal that effective management of risk is critical to ultimate success.

The second vital message is that cross-functional collaboration at the top should be a model for other management levels and functions. Cross-functional collaboration at the executive risk committee should manifest through the organization to all other levels. Examples include measuring a risk within a portfolio of risks and calculating the potential impact. This cross-functional portfolio approach is essential for understanding litigation trends, opportunities for new products, and risks from mergers and acquisitions.

Because of their corporate-wide responsibilities, executive management also has greater insights for spotting multiple risk correlations. This higher level of management can appreciate emerging or unanticipated risks that are potential threats or opportunities.

The executive risk committee should operate with a board-issued charter that includes a process for risk intelligence gathering and use. “Risk intelligence” is the organizational ability to collect and analyze data, statistics, and other information regarding risks. Their volatility is combined with systematic analysis, interpretation, and presentation. It culminates in decision making. This intelligence system enables the executive risk committee to get the right information to the right people who have the authority to make key decisions.

Critical to the effective management of risk, especially across large, complex organizations, is the need to include risk management as an element in the performance evaluation of executives. This should include an assessment of both their skills in managing risks and their ability to collaborate and coordinate their responses with others. Without accountability, any risk management process will be an afterthought, and continuously challenged by other priorities.

The more closely aligned and integrated the risk and business strategies, the more likely the firm will meet its plan. Collaboration between risk and planning leaders is essential.

Successful risk committees must include at least an indirect alignment with the planning processes. This connection should be to both the strategic and operational processes. Many firms miss goals only as a result of risks that are either poorly managed or overlooked. By contrast, the more closely aligned and integrated the risk and business strategies, the more likely it is the firm will meet or exceed its plan. Collaboration between risk and planning leaders is essential to enable this success.

While “committees” are often viewed as just more bureaucracy (and often are), the key to using an executive risk committee effectively is making it actionable and decision oriented. There will always be the tendency to use the forum largely for information sharing. While necessary, this should not become the committee’s core purpose. Keep the executive risk committee dynamic and action oriented.

Historically, audit committees were responsible for risk management oversight. This is changing.

In many firms, the audit committee has historically had risk management oversight responsibilities. However, the audit committee charters of GM, GE, and JPMorgan Chase all have oversight of the integrity of their respective financial statements as a primary purpose.

General Motors: “The purpose of the Audit Committee is to assist the GM board of directors in its oversight of the integrity of GM’s financial statements, GM’s compliance with legal and regulatory requirements, the qualifications and independence of the external auditors and the performance of GM’s internal audit staff and external auditors.”

General Electric: “The purpose of the committee shall be to assist the board in its oversight of the integrity of the financial statements of the company, of the company’s compliance with legal and regulatory requirements, of the independence and qualifications of the independent auditor, and of the performance of the company’s internal audit function and independent auditors.”

JPMorgan Chase: “The purpose of the Audit Committee is to assist board oversight of: the independent registered public accounting firm’s qualifications and independence; the performance of the corporation’s internal audit function and independent registered public accounting firm; and management’s responsibilities to assure that there is in place an effective system of controls...”

Corporations that have formed a board-level risk committee view risk management as a strategic function, and are progressing towards risk management best practices.

Companies that have formed board-level risk committees present a strong argument for why their risk oversight functions more effectively than those lacking committees. By actively exercising its oversight role, the board sends an important message to the company’s senior management and its employees that corporate risk management activities are not roadblocks to conducting business. However, because board-level risk committees perform an oversight role, executive risk committees are also needed for actual practice of risk management.

J. Bugalla, J. Kallman, C. Mandel and K. Narvaez

Reprinted by THE CORPORATE BOARD 4440 Hagadorn Road Okemos, MI 48864-2414, (517) 336-1700

www.corporateboard.com © 2012 by Vanguard Publications, Inc.
