Corporate directors could find themselves exposed to liability if they fail to keep pace with evolving best practices in enterprise risk management (ERM), according to a major new study released by The Conference Board in conjunction with McKinsey & Company and KPMG's Audit Committee Institute.
Since ERM processes have improved in some companies, many corporate directors could be functioning with a false sense of security, the study points out. New legal requirements are steadily suggesting that directors should ensure that their companies have a "robust" ERM program.
Dr. Brancato, Director of The Conference Board Governance Center and Directors' Institute, said: "Our research shows many directors believe they have a good handle on the risks their companies face. But since many directors approach risk more on a case-by-case basis, they may not have adequately robust and systematic enterprise risk management processes in place." The study shows that banking and financial services have more developed ERM processes and may therefore set the standard by which other industries will be measured.
Chief Risk Officers Gaining Clout
In addition to the CEO, the corporate executive most frequently cited by directors as responsible for informing the board on risk issues is the CFO (71 percent of companies). However, at a growing number of companies, a Chief Risk Officer is cited as the person informing the board and appears to be an increasingly visible company executive (for instance, in 16.1 percent of financial companies, up from virtually none a few years ago).
False Sense Of Security?
Dr. Gunnar Pritsch, a partner of McKinsey & Company, said, "Things have definitely improved since we did a similar survey in 2002." Data in 2002 showed that 36 percent of directors did not believe that they had a full understanding of the major risks facing their companies. By 2006, that percentage had decreased to 10.5 percent. However, he also said, "Boards still have a way to go. Directors serving on multiple boards reported significant variations in the quality of the risk dialogue and fewer boards seem to have well-established risk processes."
The new research found significant differences in how directors understand risk and how their companies manage risk. Moreover, directors may have more of a top-down understanding of risk. The Conference Board study finds that, although 89.5 percent of directors say they fully understand the risk implications of the current strategy:
* Only 77.4 percent of directors say they fully understand the risk/return tradeoffs underlying the current strategy
* Only 73.4 percent of directors say their companies fully manage risk. …