Aligning Corporate Governance with Enterprise Risk Management: Melding Enterprise Risk Management with Governance Means Directors, Senior Management, Internal and External Auditors, and Risk Owners Must Work Interdependently
Sobel, Paul J., Reding, Kurt F., Management Accounting Quarterly
Corporate scandals and diminished confidence in financial reporting among investors and creditors have renewed corporate governance as a top-of-mind priority for boards of directors, management, auditors, and stakeholders. At the same time, the number of companies trying to manage risk across the entire enterprise is rising sharply. So, we ask, how can enterprise risk management (ERM) be integrated effectively with corporate governance?
RISK, ERM, AND GOVERNANCE
To begin, business risks, of course, are uncertainties that can impinge on a company's ability to achieve its objectives and can result in many interdependent outcomes--some negative, some positive. Moreover, risks are a function of severity and likelihood; they may or may not manifest themselves. If they do, a variety of exposures is possible.
Business risks relate to business objectives because risk taking is a prerequisite to success--without risk, there is no reward. Accordingly, some risks must be exploited to take advantage of strategic opportunities. Conversely, risks that threaten success must be mitigated. These risks include threats of problems occurring, such as misappropriation of assets, or opportunities not occurring, such as a failure to achieve strategic goals.
Meanwhile, ERM--a structured and disciplined approach to help management understand and manage uncertainties--encompasses all business risks using an integrated and holistic approach. A report from the Institute of Internal Auditors (IIA) captures the essence of ERM: "The goal of ERM is to create, protect, and enhance shareholder value by managing the uncertainties surrounding the achievement of the organization's objectives." (1) The professional literature indicates that ERM is relatively well understood, especially by the companies striving to implement it.
Finally, corporate governance is a process a board carries out to provide direction, authority, and oversight of management for the company's stakeholders. (2) Unfortunately, directors, management, internal and external auditors, and risk managers do not understand corporate governance well--especially from a day-to-day perspective. They sometimes consider it a nebulous topic: It "means different things to different people." (3) Moreover, while the board of directors is the owner of the governance process, day-to-day guidance and oversight by the board clearly is not feasible; the board must rely on other parties--executives, managers, and auditors--to help it fulfill its governance responsibilities. But practical, how-to guidance for executives, managers, and auditors who are involved in corporate governance on a day-to-day basis is sparse.
AN ERM AND GOVERNANCE FRAMEWORK
Our ERM and governance framework, as illustrated in Figure 1, consists of four components: corporate stakeholders, the governance "umbrella" provided by the board of directors, risk management, and assurance. The arrows within and between the four components represent the various channels of ERM and corporate governance communications.
[FIGURE 1 OMITTED]
Who Should Be Responsible for What?
Boards of directors, senior management, internal auditors, and external auditors are "the cornerstones of the foundation on which effective corporate governance must be built," according to a position paper from the IIA. (4) Our conceptual framework also includes "risk owners." These are the people in a corporation who are responsible and accountable for managing specific risks, such as the chief legal officer, who is responsible for a company's legal risk. Only senior management and risk owners should be directly responsible for risk management. In Table 1 we delineate the primary risk management roles people in each group have as part of a company's governance.
Board of Directors. The board of directors is not directly responsible for risk management--that is management's job. …