by Karen M. Kroll

A Risk Management Culture

Nov 02, 2011 | 3 mins
Risk Management

In today's world, thinking of risk management as a compliance exercise isn't enough, says Deloitte.

Risk management continues to be a hot topic among both corporate directors and management. For starters, risk management has been a focus of the SEC, which in late 2009 issued final rules that, among other activities, “require companies to describe the board’s role in the oversight of risk.”

In addition, the economic tailspin of the last few years has highlighted the range of risks — including financial, regulatory, reputational, credit and IT — to which companies are vulnerable.

Many companies increasingly view risk management as more than a compliance exercise, and instead as integral to a company’s culture, new research from Deloitte indicates. The study, “Risk Intelligent Proxy Disclosures 2011: Have risk-oversight practices improved?” found that almost all — 90% — of companies disclosed that the entire board of directors is responsible for risk. Moreover, in 89% of companies, risk oversight was handled by a range of board committees, rather than being the sole responsibility of the audit committee. “Companies are progressing in their risk management thinking,” says Maureen Errity, firm director and a specialist in governance with Deloitte LLP.

Errity and her colleagues launched the survey in 2010 with a desire to know whether companies were embedding risk management within their culture, so that everyone from board members to front-line employees played a role in identifying, assessing and managing risk. Risk management should be a process that flows from both the executive suite and rank-and-file employees, Errity says.

To determine this, Deloitte reviewed risk governance and oversight practices at the board level, as disclosed in proxy statements led by the S&P 200. The review was from the perspective of an investor or other stakeholder, with the goal of evaluating the companies’ risk governance and oversight practices.

In general, companies’ risk management practices, as disclosed in the proxy statements, improved modestly between 2010 and 2011. For instance, in 2011, 88% of companies indicated that board committees other than the audit committee were involved in risk oversight, up from 82% in 2010. Similarly, in 2011, 45% of disclosures indicated that the company’s risk management was aligned with its strategy; the number was 39% in 2010.

Of course, this isn’t to suggest that no work is left to be done. As the number above indicates, fewer than half of companies have disclosed how risk is aligned with strategy. This is an area in which companies can gain a great deal of value from their risk management practices, Errity says. As the study notes, “This is a foundational element in the Risk Intelligent Enterprise. When corporate leaders consider the alignment between risk-related practices and their strategies for value creation, they are practicing risk intelligence.”

Moreover, companies need to examine not only the risk to a strategy they’re considering, but the risks of the strategy itself, according to the study. Board leadership that’s engaged in risk oversight can provide an objective view of both types of risk.

While the study provides a number of benchmarks that companies can use to gain an idea of the actions their peers are taking, they won’t find a one-size-fits-all risk management solution, Errity notes. “Every organization has to look at its structure and industry to see what will work.”