Is risk overwhelming the board of directors?
It's a daunting question, made even more unnerving by the fact that it is an increasingly valid question to ask in light of recent risk management lapses and related regulatory developments.
"What's become increasingly clear is the fact that today's director is being asked to be aware of, and even knowledgeable about, a seemingly endless variety of concerns," notes EisnerAmper CEO Charly Weinstein. "[T]he director's plate is exceedingly full and a useful discussion might be had on whether concerns about risk should be centralized in its own committee."
While Dodd-Frank requires some boards to operate a risk committee, the new law (thanks to its nearly 400 new rules, fewer than 60 percent of which have been finalized by regulators) has motivated many boards to consider the merits of creating a risk committee. For example, this Harvard Law School post -- a collaboration between The Conference Board and Protiviti risk and finance experts -- offers guidance on how to evaluate the risk committee decision as well as the larger issue of the board's risk oversight responsibilities.
EisnerAmper's third annual study, "Concerns About Risks Confronting Boards," conducted in partnership with the National Association of Corporate Directors (NACD), also provides food for thought regarding the board's current risk oversight challenges, its risk-related concerns and risk information needs.
The survey, conducted October 2011 through February 2012, measures the opinions of 193 directors serving on the boards of publicly traded and private companies (two-thirds of respondents serve on audit committees).
The 16-page study indicates that reputation risk looms as a major worry among board members: 66 percent of respondents rank reputational risk as most important to them (after financial risk), ahead of all others. Regulatory compliance risk was not far behind, with 59 percent of respondents citing it as their most important risk concern.
In terms of risk-management desires on the board, a risk-savvy chief executive is a priority: 63 percent of respondents indicate that they want a CEO with background in risk assessment.
Steve Kreit, an EisnerAmper partner, responded to several questions about the study's results and its impact on board-executive team communications around risk:
Business Finance: What exactly is reputational risk comprised of, and what are some examples of the impact of reputational risk on the financial well-being of a company?
Steve Kreit: Directors' views concerning reputational risk are coming together. What's emerging is a broader view of what it entails. It would be valuable to think about reputational risk as comprising operational and human elements, as each has its own set of mitigation strategies. Directors can then more easily categorize them as including, on one hand, product liability, outsourced networks, privacy and data security and, on the other, fraud, customer relations and crisis management. The impacts of reputational risk are very real, including costly regulatory and civil penalties, time-consuming remediation, legal defenses and damaged public relations.
Would it help organizations (and CFOs) if CFOs were more involved in monitoring and mitigating non-financial risks? If so, can you give an example of this involvement and speak to its benefits?
Kreit: Not surprisingly, slightly more than 70 percent of the directors responding felt their CFOs had a strong understanding, for instance, of the creation of financial models. However, what we saw as encouraging was that around 60 percent of the directors felt their CFOs had a strong understanding of the more non-financial elements found in broad-based risk assessments and of changes in tax compliance from new governmental regulations.
A new area where we see CFOs becoming more aware of non-financial risk is in their understanding of cyber security and aligning business goals to IT. As risks associated with cloud computing and mobile technology become more pervasive, they emerge as risks that are likely to become part of the CFO's portfolio.
What role can internal audit (IA) and IT play in mitigating risk?
Kreit: We are not surprised that companies are looking more to IA to provide assurance. IA needs to be multi-faceted and have the resources (either internal or co-sourced) to deliver the insights that boards are expecting and requiring. IA needs to be aligned with corporate objectives.
Almost 65 percent of board respondents propose both enhancing their staffs and increasing their internal audit coverage. Yet the lack of the right skill set/subject-matter expertise to do certain audits, coupled with poor risk assessment, can lead to a stagnant IA plan, which hinders the ability to focus IA attention on the most important/most risky topics. This inattention, in turn, affects the frequency at which IA invests time and resources looking at a topic. In many cases, mixing in outside resources can augment excellent in-house talent and become a positive step.