Risk Management: One Size Doesn't Fit All

That also emerges as the right answer as to how a board should manage risk. Directors attending a roundtable entitled "Risk Management and the Boardroom" found that no single committee structure should be universally adopted. At some companies, it makes sense for the risk function to report to the audit committee. Other companies find they need a committee other than the audit committee devoted to risk. And at least one, the giant municipal bond insurer MBIA, spreads the risk management function over three committees. One is the credit risk committee, because the insurer takes such huge positions in financial markets, said board member Debra Perry. "I think there is a great deal of benefit that comes from spreading the wealth, so to speak, in risk oversight," Perry said. At yet other companies, the entire board manages the risk function directly.

Each company and each industry also face different "baskets" of risk. It may make sense in one industry to identify and manage currency risks; but in another setting, that may not be necessary. Some companies may face regulatory or compliance risks, while for others the greater risk is technological change.

A final piece of the riddle is that different risks need to be managed differently. It may be adequate for management to make an annual presentation to the board on a particular risk; but for other baskets of risk, boards may find that they need much more elaborate "risk mitigation" systems that catalog risks and rank them on a quadrant of probability and potential impact. "I think there is a tremendous sense of consensus about this whole area," said Tom Plaskett, chairman of Novell and a director at RadioShack and Alcon Labs. "First, it's complicated and second, one size doesn't fit all."

The roundtable, held at the Union League Club in New York, was sponsored by Eisner LLP, a New York-based accounting and auditing firm, and Thomson Financial, which provides services to senior management and boards.

Risk management is high on the minds of board members these days partly because of intensified regulatory and financial market scrutiny, but also because of self-inflicted wounds such as those suffered at Enron and WorldCom and, most recently, at companies that backdated stock options. The legal climate also has aggravated the ever-present risk of suits. Natural disasters like Hurricane Katrina and the threat of terrorism round out the picture of an increasingly hazardous business world.

Directors these days are expected to grasp the essentials. "Probably not more than 10 years ago, the requirement for being a director was primarily knowing somebody in management or a significant shareholder," said Eisner's Neil Goldenberg. "But today, you are required to really understand the regulatory environment and the risks and rewards."

Here are other key issues debated at the roundtable:

How much information is enough and how much is too much? Before a meeting, management typically presents large "board books" to each director that are filled with huge amounts of information. Some directors said managements overwhelm them, either intentionally or simply because they haven't thought through the types of information that are really essential. "A lot of companies have taken the view that, 'We're going to give the directors everything,'" said David Meachin, a director of Lyondell Chemical, which has annual revenues of $20 billion. "But do we really need all this stuff? Shouldn't management be highlighting for us the things we should be looking at?"

Despite the flood of information— or perhaps because of it—many directors are still not getting what they need. "In our discussions with a lot of boards, the lack of relevant or timely or useful information still is a critical barrier to effective boards and also carries a lot of significant risk," said Greg Radner, Thomson Financial's senior vice president.