Chapter 14 Appendix C: Enterprise Risk Management: Ask the Board

The recent wave of business scandals and threatening world events has fostered a greater awareness of the importance of risk management as a component of corporate governance. In 2004, the so-called Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a comprehensive report titled “Enterprise Risk Management—Integrated Framework” to provide companies with a roadmap for identifying risks, avoiding pitfalls, and taking advantage of opportunities to grow firm value.

COSO defines enterprise risk management (ERM) as

a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.PricewaterhouseCoopers (2004). Principles-Based Framework for Managements and Boards to Comprehensively Manage Risks to Objectives (released by COSO, available at http://www.coso.org).

So defined, ERM assists in

Whereas traditional risk-management approaches are focused on protecting tangible assets shown on a company’s balance sheet and related contractual rights and obligations, the scope and application of ERM are much broader. ERM’s focus is enterprise-wide, and on enhancing as well as protecting the tangible and intangible assets that define a company’s business model. This widening of the scope of risk management reflects the fact that—with market capitalizations often significantly higher than historical balance-sheet values—the extension of risk management to intangible assets is critical. Just as future events can affect the value of tangible physical and financial assets, they can also affect the value of key intangible assets, such as a company’s reputation with suppliers, innovation record, or its brands.

ERM explicitly recognizes that risk may originate inside or outside the organization. For example, environmental risk originates outside the organization and can impair the viability of a particular business model. Process risk factors tend to be internal in origin and affect the ability of the firm to execute its stated mission. Information for decision-making risk threatens value creation because of its impact on the timeliness, quality, reliability, and comprehensiveness the information used to make key decisions.

Because risks do not always fall clearly into one category, the ERM philosophy encourages companies to develop a comprehensive risk-management plan in which the approaches to the various components of risk interact with and influence one another. In particular, ERM looks at eight sets of issues:

Although the management of a company is ultimately responsible for a company’s risk management, the board must understand the risks facing the company and oversee the risk-management process. Board committees should incorporate risk management into their regular responsibilities. A company’s governance committee can ensure that the company is prepared to deal with risks and crises by evaluating the individual capabilities of the directors, nominating directors with crisis-management experience, and considering the time each director and nominee has to devote to the company. The governance committee should also work with management to establish an orientation program for new directors and succession plans for key executive officers.

While some companies prefer to involve the board as a whole in the risk-management process, corporate governance guidelines and charters of audit committees may delegate this responsibility to the audit committee. Alternatively, a company may appoint a risk-management officer, form a risk-management committee, or assign responsibility to a finance or compliance committee of the board. The responsible committee or group should meet regularly with the company’s internal auditor, the chief financial officer, the general counsel, and the head of compliance and individual business units to discuss specific risks and assess the effectiveness of the company’s risk-management systems.

Board committees should also incorporate risk management into their regular responsibilities. A company’s governance committee can ensure that the company is prepared to deal with risks and crises by evaluating the individual capabilities of the directors, nominating directors with crisis management experience, and considering the time each director and nominee has to devote to the company. The governance committee should also work with management to establish an orientation program for new directors and succession plans for key executive officers.