Parveen P. Gupta and Tim Leech predict that oversight of “risk culture” will continue to rise in importance for boards in their article, The Next Frontier for Boards, Oversight of Risk Culture. The pair attribute large and “egregious” corporate governance failures to weak risk cultures and further identify cybersecurity and financial reporting issues as symptoms of “deficient” risk cultures.
The authors discuss how regulators and others have increasingly looked to corporate boards to improve their risk oversight. The article points to the Sarbanes-Oxley Act as an early step in the process, in that case focusing on audit committees and financial reporting. According to the authors, reforms precipitated by the financial crisis pushed regulators to the conclusion that “boards should be evaluated and put on the regulatory hot seat if they fail to take steps to oversee management’s risk culture, appetite, and tolerance.”
As a result, boards now face the challenge of determining “how to diagnose and oversee the company’s risk culture and what actions to take if it is found to be deficient.” To define a “sound” risk culture, the article cites a 2014 Financial Stability Board report:
A sound risk culture consistently supports appropriate risk awareness, behaviours and judgments about risk taking within a strong risk governance framework. A sound risk culture bolsters effective risk management, promotes sound risk taking, and ensures that emerging risks or risk taking activities beyond the institution’s risk appetite are recognized, assessed, escalated and addressed in a timely manner.
The article cites several challenges for boards as they assess and implement a sound risk culture, including the lack of practical guidance available, an asymmetric information balance between the board and management regarding “real” risk appetite and tolerance, the lack of consolidated enterprise-wide risk reporting, and mistargeted regulatory requirements and biases that inappropriately hinder effective and progressive boards. To address these issues, the authors provide several recommendations. First, boards should request briefings from subject-matter experts to better understand the expectations of regulators and activist investors (among others) regarding risk culture. Additionally, boards may want to request a gap analysis to identify areas in which outside expectations may not match internal practices. The article argues that traditional approaches to enterprise risk management and internal audit are ineffective and, as a result, the approach should shift to an “objective-centric” approach that focuses on “providing reports to the board on the effectiveness of the organization’s entire risk management/risk appetite framework.”
Gupta and Leech suggest that “[t]he punitive nature of the US legal system elevates litigation risk that can sometimes come with truly effective risk assessment processes and disclosures” and that regulators should offer a “safe harbor for companies and boards that, in good faith, implement risk appetite frameworks that report on the state of residual risk linked to key strategic and foundation objectives.” Lastly, the paper recommends that boards should hold management “accountable for building and maintaining effective risk appetite frameworks and providing the board with periodic consolidated reports on the company’s residual risk status.”