How Boards of Directors Perceive Risk Management Information
Ballou, Brian, Heitger, Dan L., Stoel, Dale, Management Accounting Quarterly
As organizations struggle to compete in the emerging real-time global marketplace of the 21st Century, boards of directors for publicly traded companies face rising pressure to increase oversight in risk management. The Securities & Exchange Commission (SEC) recently expanded the requirements by calling for organizations to disclose the board's involvement in oversight for risk management. (1) In addition, multiple stock exchanges, including the New York Stock Exchange, added risk management governance requirements for boards of directors of listed companies. Such requirements and other mechanisms, including workshops and "colleges" for board members, have led boards to recognize the need to play a greater role in risk management. Auditors are also concerned. The KPMG Audit Committee Institute's 2010 Public Company Audit Committee Member Survey indicated that audit committee members' top concern was risk management, specifically the issues surrounding velocity of risk events and the link between strategy and risk. (2)
The increased need for the board to oversee enterprise risk management (ERM) raises the question of how to best perform this role. To help boards strengthen their involvement, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the National Association of Corporate Directors (NACD) released some white papers. COSO released Effective Enterprise Risk Oversight: The Role of the Board of Directors and Strengthening Enterprise Risk Management for Strategic Advantage, which provides four key areas where "senior management can work with its board of directors to enhance risk oversight and strategic value." (3) The report of the NACD Blue Ribbon Commission, Risk Governance: Balancing Risk and Reward, identifies 10 principles of effective risk oversight. They include general business-oriented principles (i.e., understanding the company's key drivers of success) and principles focused specifically on internal risk management practices (i.e., periodically assess the board's risk-oversight processes). (4)
RISK INFORMATION SURVEY AND RESPONDENTS
The NACD principles of effective oversight and COSO's key areas of board/management integration share many similarities and clearly focus on the need for communication and improved reporting on enterprise risks. As these white papers provide principles and guidance only, the question remains regarding how well board members, particularly those of publicly traded companies, believe their organizations are implementing the guidance from NACD and COSO as well as the quality of the risk information they are receiving.
To find out, we designed a survey to understand the current state of risk-reporting activities in such a way that results could be interpreted using the four key areas in COSO's Strengthening Enterprise Risk Management for Strategic Advantage and NACD's related principles. The results indicate how board members perceive the nature and extent of the risk management information that they receive from management.
Because prior research suggests that risk oversight is generally a function of the audit committee, we partnered with KPMG's Audit Committee Institute (ACI) to create and administer to its members a unique survey focused on risk information. The 125 respondents (all members of ACI) are current directors of publicly traded organizations and represent a wide set of business sizes and a variety of industries (see Table 1).
Our survey found wide disparity in the types and perceived quality of information regarding organizational risks. Key highlights include:
* Few organizations have developed risk-appetite statements successfully. These statements provide guidance on the types and levels of risk that an organization will undertake, and the statements provide a method to align stakeholder perspectives with internal management decisions.
* Boards have limited information about the actual ERM practices--either the board does not request the information, or the company has not or cannot share the information about activities related to risk identification, estimation, or prioritization. …