Governance of Enterprise Risk Management

Tuesday, 10 May 2016 00:02

By Sajith J.Kurukulasuriya

Risk management techniques have evolved as businesses continue to grow. Enterprise Risk Management (ERM) takes a wide-angle view of a company’s risks at the enterprise level and is believed to have a more strategic focus. However, without proper governance relationships ERM has no strategic focus, and existing ERM programs will not be effective.

The board of directors is responsible for providing oversight of risk management by ensuring that management carries out risk management activities with a high sense of responsibility and accountability. In fulfilling this oversight responsibility, the board should first determine the risk profile of the company, consulting the shareholders, management and key stakeholders when doing so. Second, the board is responsible for establishing a risk framework and risk policy for the organisation. Third, the board should determine whether the business strategy and the business model have been developed in line with the firm’s appetite for risk, and approve the strategic plan.


Do boards need a separate risk committee? And why should audit committees not be given the full risk oversight responsibility? Increasingly complex organisational structures and regulatory requirements have placed serious responsibilities on organisations. Regulators in the United States and Canada are pushing large publicly traded companies to have strong ERM systems and internal controls in place to mitigate risks. Boards of directors are finding it increasingly difficult to keep up with growing risk oversight responsibilities.

Traditionally, boards assign the risk oversight responsibility to the audit committee, but do audit committees have the necessary skills to deal with all the complex non-financial risks? Audit committees usually comprise accountants and financial experts. Therefore it is important for boards to form a risk committee of the board of directors to oversee the non-financial risks of the organisation. The risk committee should consist entirely of independent directors, including directors with expertise in handling non-financial risks. For example, terrorism continues to be a growing risk factor globally; how well can an accountant on the audit committee mitigate terrorism-related risks?

A former military officer with experience and expertise in warfare would know exactly how to mitigate such risks. Boards should therefore delegate financial risk oversight to the audit committee and non-financial risk oversight to the risk committee. This approach will help the board fulfil its oversight responsibility effectively and improve the governance standards of the organisation.

Many organisations assign the dual responsibility of managing finances and risks to the CFO. This dual role has many drawbacks for the company. First, if the CFO is also the CRO (Chief Risk Officer) of the company, a conflict of interest exists in that arrangement. The CEO has leverage over the CFO, and there is a risk that important information relating to risks does not flow up to the board level. Secondly, there is a chance of executive decisions being overly biased.

Therefore, the risk committee should hire and pay a separate CRO to manage risks at the management level of the company, and the CRO must report directly to the risk committee, with only a dotted-line reporting relationship to the CEO. This arrangement avoids potential conflicts of interest and facilitates the ERM process; thus it is seen as complementary to corporate governance best practices.

Finally, boards can improve the level of transparency of the organisation by disclosing in the annual report how risks are identified and reported to the board. All material risks and deficiencies in internal controls must also be disclosed in quarterly and annual reports. For example, the US Securities and Exchange Commission now requires public companies to disclose risks associated with climate change. These practices make organisations more effective and provide greater accountability, and in doing so they enhance the quality of governance of enterprise risk management.

(The writer is currently pursuing a Master’s degree in Financial Accountability at York University in Toronto, Canada and is a CIA (Certified Internal Auditor) candidate of the Institute of Internal Auditors. He holds a Bachelor’s degree in Accounting (USA) and has worked in the capacity of an Accountant in the United States.) Find more articles: