The Role of the Board of Directors in Enterprise Risk Management. CAAM – 5th Annual Meeting and Conference, July 13 – 15, 2011, Hyatt Regency, Trinidad and Tobago. Dr. Vindel L. Kerr, President and Managing Consultant, GovStrat Ltd. 1 (876) 324-0606 | [email protected] www.vindelkerr.com


The Role of the Board of Directors in Enterprise Risk Management

CAAM – 5th Annual Meeting and Conference
July 13 – 15, 2011

Hyatt Regency, Trinidad and Tobago

Dr. Vindel L. Kerr
President and Managing Consultant

GovStrat Ltd.
1 (876) 324-0606 | [email protected]


Presentation Outline
“The Role of the Board of Directors in Enterprise Risk Management (ERM)”

• Introduction
• The Business Case for Board Involvement in ERM
• Board Going Beyond Chief Risk Oversight to Providing Chief Risk Insight
• A Suggested Model for More Prudent Board Insight in ERM Implementation
• The Future of ERM and Board’s Role: Conclusions


Role of the Board in Enterprise Risk Management / Dr. Vindel L. Kerr / CAAM 5th Annual Meeting & Conference


Introduction

What is ERM?

The traditional role of the Board in general and in Risk Management in particular

Current and Emerging Role of the Board in ERM


Introduction (2)
What is ERM?

A process of assessing risk across the entire enterprise, including all functional areas and business units, led by the Board of Directors, management and staff.

What is a risk? What are some key risks?

A RISK is every transaction done, every purchase made, every investment contemplated or effected. With every corporate opportunity there is an associated risk and vice versa.


Introduction (3)
Broadly speaking, there are two categories of risks:

1.) Traditional Regulated Risks
• Liquidity
• Transaction
• Operational
• Market
• Credit
• Economic Capital


Introduction (4)
2.) The Unconventional Risks
a. Strategic Risks
o HR: recruitment, compensation, safety
o Corporate Governance and Compliance
o Strategic Planning
o Business Continuity Planning
o Succession Planning
o Knowing your customers, clients, neighbours, etc.


Introduction (5)
Unconventional Risk (contd.)

2. Reputation Risk
o Conduct of Corporate Fiduciaries
o Role of SRI and CSR – environmental planning, etc.
o Product integrity and safety
o Health, safety and wellness of employees
o Corporate philosophy and core values mantra


From: The Conference Board, 2006. The Role of U.S. Corporate Boards in Enterprise Risk Management, chart 8, p. 21


Introduction (6)
The traditional roles of the Board in general and in Risk Management in particular

• Provides Oversight to CEOs
• Hire and fire the CEO
• Monitor CEO and top management performance
• Performance evaluation and compensation determination
• Rectify strategic decisions and new proposals
• Approves Financial Obligations and Utilisation of Resources


Introduction (7)
The traditional role of the Board in general and in Risk Management in particular (2)

Report to shareholders at AGM – legal obligation for public listed companies

Oversight of Corporate Governance and compliance regime

Boundary Spanning


Introduction (8)

Current and Emerging Roles of the Board in ERM

• The establishment of Risk (ERM) Committee
• The appointment of a Chief Risk Officer (CRO)
• The putting in place of risk systems and infrastructure
• Determination of the CFO direct report(s) – whether to the Chairman of the Mainboard or Chairman of the ERM Committee of the Board
• Ensures the CFO is given functional oversight responsibility for treasury, investment and new venture development


CEO

CFO

Note: The CFO currently has the major responsibility to report to the Board, but the CRO position is gaining in popularity

Board of Directors
Provides oversight over strategy and ERM processes developed by management

Risk Committee
• Risk inventory
• Dashboard
• Reviews risk tolerance

Audit Committee
• Internal control over financial reporting
• Financial risk management

Chief Risk Officer
• Coordinates the design and implementation of ERM processes

Management’s Risk Committee
• Develops risk philosophies and policies
• Includes: CFO, General Counsel, Corporate Secretary, Head of Strategy, General Auditor, Heads of Business Units, CRO

Business Unit | Business Unit | Business Unit


From: The Conference Board, 2006. The Role of U.S. Corporate Boards in Enterprise Risk Management, exhibit 4, p. 28


The Business Case for Board Involvement in ERM
The key elements:
• Mounting Pressures for ERM
• Evolving Legal and Regulatory Developments make it necessary for Boards to play a more active role in ERM Oversight
• Increased and convincing Empirical support
• Moving from Seeing Risk as a bad thing to Exploiting its Opportunistic Nature (The Upside of ERM)


The Business Case for Board Involvement in ERM (2)

Pressures for ERM
• Globalisation
• Increased Frequency of corporate misfeasance
• Corporate collapses and failures
• Greater and more intense scrutiny from regulators, shareholders and the public at large
• Recent and emerging legislative and regulatory framework
• Sound ERM Oversight and Implementation are already the norm in many corporations and a few governments and fast developing in many worldwide


The Business Case for Board Involvement in ERM (3)

Evolving Legal and Regulatory Developments make it prudent for Boards to pay keener and closer attention to ERM

Caribbean
• Companies Act – making Directors’ fiduciary role now more onerous than ever
• Public Bodies Management & Accountability Act (Jamaica), State Enterprise Monitoring Manual (Trinidad) and Financial Institutions Act (TT & Jamaica, OECS) – fines and other penalties for breach of fiduciary duties


The Business Case for Board Involvement in ERM (4)
Evolving Legal and Regulatory Developments make it necessary for Boards to play a more active role in ERM Oversight

USA
• Patriot Act – requires financial institutions doing business with the USA to demonstrate knowledge of their customers
• Sarbanes-Oxley Act – requires, inter alia, the authentication of the Financial Statements by the CEO and CFO
• Business Judgment Rule – protects directors who act in good faith from liability


The Business Case for Board Involvement in ERM (6)
Empirical support for the Business Case of Board involvement in ERM


From: The Conference Board, 2006. The Role of U.S. Corporate Boards in Enterprise Risk Management, exhibit 3, p.15


The Business Case for Board Involvement in ERM (7)
Empirical support for the Business Case of Board involvement in ERM


From: The Conference Board, 2006. The Role of U.S. Corporate Boards in Enterprise Risk Management, chart 3, p.17


The Business Case for Board Involvement in ERM (7)

Moving from a Defensive Posture towards Risk to Exploiting its Opportunistic Nature (The Upside of ERM)
• Risk Management should be seen as a value creating business strategy rather than caution/preventative action
• ERM is value creating, enhancing, protecting, preserving
• ERM can optimize corporate and individual performance
• ERM reinforces investor confidence


Board Going beyond Chief Risk Oversight to Providing Chief Risk Insight
Some Practical Tips

Obtain ERM training, education and continuous development

Review Board compensation and committee structure and charters (TORs) against ERM mandate

Review competency of Board against risk oversight and insight mandate

Look at best-in-class peers for emerging practices in ERM oversight

Spend real time with management to be able to truly assess the core ERM issues


Board Going beyond Chief Risk Oversight to Providing Chief Risk Insight (2)
Some Practical Tips continued

Visit business units and meet with unit heads periodically to discuss risk inventory

Create a mechanism for the Board to be constantly fed with cutting-edge new information on the success of ERM implementation, its processes and functionalities

Ensure management and staff receive appropriate training & continuous development in ERM knowledge and skills


Board Going beyond Chief Risk Oversight to Providing Chief Risk Insight (3)
Some Practical Tips continued

Put in place a fully integrated ERM system and be part of its implementation without being the “consultant” – leave this to the experts

Ensure a robust Board level ERM reporting system is in place

Develop and implement a process to assess and monitor performance of risk management processes

Board should discuss and understand the nature of reputation risk – an area of growing strategic importance in ERM and corporate governance


A Suggested Model for More Prudent Board Insight in ERM Implementation

1. Appreciate the importance of ERM

Board members need to become knowledgeable about ERM to appreciate its strategic value

The Board needs to acquire the appropriate and adequate information, and if necessary retain advice from independent external experts


ERM Integrated Approach

1. Appreciate Importance ERM
2. Assess Gaps & Vulnerability
3. Set Underlying Mission
4. Establish Infrastructure & Assign Leadership
5. Compile Inventory
6. Select Assessment Techniques & define risk appetite
7. Define risk response Strategies
8. Dev. Internal Communication & Reporting Protocols
9. Monitor ERM Implementation & execution
10. Track pursuit of Risk Adjusted Strategy
11. Integrate ERM with Existing Systems, (i.e. IT, ..


2. Assess gaps and vulnerability in the existing risk management solutions

The board should be persuaded by the business case for implementing ERM, which should rest on a detailed analysis of the limitations inherent in more traditional risk management solutions.


3. Set an underlying mission and program objectives

The ERM Business case should be formulated as a concise and effective mission statement, articulated in the main program objectives and tied to the firm’s strategic goals

4. Establish the ERM infrastructure and assign Leadership

Board members and senior executives should create a Charter of ERM functions and ensure its full development


5. Compile a Risk Inventory

Identified, categorized and prioritized risks facing the company. Accuracy of the risk portfolio is critical to its success; thus the board should oversee the process to take inventory of risk and become comfortable about its effectiveness and thoroughness.


6. Select assessment techniques and define risk appetite and tolerance

The selection of appropriate risk measurements should be made based on the nature of each risk in the portfolio, the amount and depth of the data required to apply the measure being considered, and the organisational capacity of the business unit in charge of responding to the event.


7. Determine risk response strategies

Risk owners are accountable for the response to events assigned to their area of responsibility

Nonetheless, because of the need to have a comprehensive and cohesive ERM program, their response should no longer be disjointed from other divisions.


8. Develop effective internal communication and reporting protocols

Internal flow of information is important to the success of ERM

Board members need to analyse the quality of internal reporting practices, internal reporting lines and be persuaded that information on risk is material for strategic reasons


9. Monitor ERM implementation

Should be done on an ongoing basis – any activity to identify, assess and respond to an event

Usually embedded in the program design and at any organisational level so that they can be performed in the ordinary course of running the business

Large companies should avail themselves of dedicated evaluation teams and sophisticated flowcharts and diagrams to ensure the enterprise-wide ramification of the monitoring function


10. Choose compensation policies and performance metrics to promote and track the pursuit of a risk-adjusted corporate strategy

According to the Research Group, the board should never let executive compensation issues influence the risk measure selection process. While qualitative and quantitative data might be used as key performance indicators (KPIs) to encourage the enhancement of their business risk management program, corporate boards should ensure that KPIs are chosen only after completing the ERM process design.


11. Integrate ERM with existing operational systems

IT, budgeting, planning, internal control, regulatory compliance, etc. According to The Research Group findings, revisiting performance metrics to tie them to a risk-adjusted strategy, and fully integrating ERM with existing operational systems represent the most advanced (and least implemented) stages in an ERM program.


The Future of ERM and Board’s Role: Conclusions

Caribbean Governments will adopt a government-wide ERM program with Ministries of Finance leading the way

Each Government Ministry will end up with a Chief Risk Officer

ERM will assist governments to better align resources with strategy

ERM when adopted will reduce fraud and theft of Government assets


The Future of ERM & Board’s Role: Conclusions (2)
Changes at Board Level:
• Increased Pressure on forming Risk Focused Committees and Higher Level of Collaboration
  o Risk Management and Corporate Governance Committee
  o Audit Committee
• Board will be required and challenged to assess the tolerance for risk as well as need guidance
• Increased Demand for External, Technical Risk Expertise
• Demand Influenced by Oversight Groups e.g., Public Company Accounting and Oversight Board (PCAOB)


The Future of ERM & Board’s Role: Conclusions (3)
External Influences:
• Ratings Agencies will rate Enterprises on the Quality of their Risk Management
• Regulators will Continue to be challenged
• Continuing dramatic and sizeable firm failures
• Stakeholders will expect, demand, and see more disclosures
  o Equity Analysts, Institutional Investors, and Shareholders
  o Specific, Quantitative Disclosure (e.g., VaR, Stress Tests, Back-testing)
  o For the Business Risk, Reputation Risk and Strategic Risk Domains
