If you are interested in the process of board oversight over corporate risk management, here is a short paper from the National Association of Corporate Directors that you must read: NACD Advisory Council on Risk Oversight, Summary of Second Meeting.
First, let me sincerely compliment the NACD for discussing this topic and making portions of the discussions available for reading and comment. Whether you agree or disagree with portions of the paper and the discussions therein, making the paper available demonstrates an effort at leadership which I believe is often lacking at professional organizations.
I read the paper, of course. And I have comments. Overall, I find it amazing and difficult to comprehend that risk management discussions and processes, and apparently board oversight of risk or uncertainty management, have not progressed further than the paper indicates.
I agree with the NACD’s original position that oversight of risk management (I prefer uncertainty management, but whatever) is the responsibility of the entire board and not of a committee. That being said, limited delegation to a committee in conjunction with reporting to the entire board and with entire board oversight can be a good way to go. But why delegate to the audit committee? Audit and risk are not the same. And isn’t the audit committee already sufficiently busy? Of course it isn’t wrong to delegate initial risk and uncertainty oversight to the audit committee which then reports to the board for the entire board’s consideration, but during its meetings does the audit committee wear one hat for audit during part of its meeting and then change to its risk management oversight hat? Why not appoint a separate risk management committee that is composed of the board members who are best qualified for that task?
If the board members are concerned about their lack of information about risk management and about gaps in that information, have the CRO (chief risk officer) and CAE (chief audit executive) coordinate their efforts and both report to the board.
The NACD’s paper doesn’t propose best or better practices. But that isn’t the purpose of the paper. Frankly I am surprised that the NACD would allow such an open discussion paper to go out under its name, but again, I am very complimentary of the NACD for being willing to do so.
I might have additional comments that will follow in other posts. For example, as I have previously written, I dislike the nature of the current discussions that suggest quantifying acceptable risk appetite and risk tolerance. And I also disagree with any suggestion that a company adopt only one risk appetite or one risk tolerance – obviously different risks and different projects call for different evaluations.
On a related note, additional regulations were recently proposed or enacted for offshore oil and gas drilling risk management and related oversight. The regulations require employee and contractor training; designation of a supervisory employee over risk management; authority for that supervisory employee to take immediate action, including shutting a system down in appropriate circumstances; auditing of the processes; evaluation of risk management and, if necessary, 24/7 reporting by all levels of employees and contractors; and the option of anonymous reporting. Sounds like a good development.
Dave Tate, Esq. (San Francisco)