Risk Governance and Governance Risk

Boards of directors have emerged from years of regulation on corporate governance with a renewed and empowered role. They are more independent, rely on more diverse expertise, and have better-defined legal standards to help them carry out their fiduciary duties. The 2007 proxy season underscored the importance of what happens in the boardroom: Shareholders now expect board members, not regulators, to be the driving force of corporate governance. The need to live up to that expectation will have a profound impact on the way companies view risk, and most especially, governance risk.

To better understand this point, we first need to establish exactly what is meant today by the concept of corporate governance. Traditionally, the term “corporate governance” meant a system of checks and balances instituted by the board to ensure that the company’s business strategy was designed to enhance shareholder value and not for the benefit of insiders. Influential empirical research is beginning to show, however, that shareholder value can also be generated by pursuing certain social and environmental goals; and that embedding corporate citizenship policies in the business strategy may be as effective a means of fostering good governance as encouraging ethical, non-fraudulent behavior.

By now, public companies are fully aware that poor corporate governance—intended in this broader context—can negatively affect market opinion, with a decidedly adverse impact on the company’s reputation, cost of capital, and share price. For this reason, leading board directors are starting to think proactively about the governance issues their companies are facing and what they should do to ensure that their organizations are capable of anticipating and responding to major risks in this arena.

A Knowledge Gap

Experts have long advocated the need to integrate risk-management activities across the business. Enterprise Risk Management, or ERM, was formulated by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and other self-regulatory bodies as an actionable tool to obtain a top-down, holistic view of business risk. The risk of governance failures should not, by any means, be left out of this picture: in fact, it should take center stage in the risk-management integration effort. As soon as businesses abandon the traditional view of corporate governance as a regulatory nuisance, they can begin to more easily understand its value as a key risk-management activity. Corporate boards, for their part, are beginning to be acutely aware of this connotation of governance as a measurable business risk and, as part of their governance responsibilities, are becoming more involved in comprehensive risk-management oversight.

Since the fall of 2005, The Conference Board Governance Center has set as its main objective the study and research of the interrelation between corporate governance and risk management. We administered a survey of directors from a variety of industries and found that board members tend to have a false sense of security about their company’s ability to address risk issues and, for the most part, are still uncertain of their role in the risk-management integration process.

We therefore instituted a research working group of leading companies and risk experts to examine in detail five case studies of ERM implementation (Bristol-Myers Squibb, Capital One, International Paper, MetLife, and Moody’s Investors Service). Our goal was to reach a consensus on recommendations for corporate boards that seek to extend their governance functions to the risk-management process. What emerged are the following stages in the development and execution of the ERM program:

• Appreciate the importance of ERM. Board members need to become knowledgeable about ERM and appreciate its value as an instrument to address, among other areas, the risk of governance shortcomings. For this purpose, they should request adequate information and documentation from management and, if necessary, they should retain independent experts.

• Assess gaps and vulnerability in existing risk management solutions. Once the corporate board is convinced of the business case for implementing ERM, the decision to invest in a comprehensive program should be based on a detailed analysis of the risk-management solutions that the company already has in place, as well as a candid assessment of its limitations. Examples of weaknesses that could be addressed by ERM include the lack of risk policies and guidelines, an approach to risk events that is reactive and not anticipatory, and the lack of coordination of the responses to risk events by different risk owners in the organization.