The institute will provide guidance on such topics as director evaluations, compensation, risk management, and shareholder relations. “Addressing the best way to conduct and search for new directors, increase diversity on your board, and what are appropiate director compensation levels, are among some of the difficult challenges many directors face,” adds Wallenstein. “It’s through an examination of these topical issues that [the Directors' Institute]…in small focused sections, in addition to larger group sessions, allow directors the opportunity to dig down deeply into topics and find out what their fellow directors are doing around the country.”

Adjusting to the corporate environment, the Directors’ Institute, taking place April 7-9, 2010, has added a panel called “Corporate Government Involvement and Corporate Governance,” as the government continues to monitor and regulate boardrooms across the country. “As Wall Street moves to K Street, our program is held at the Reagan building in the heart of Washington, D.C.,” notes Wallenstein. “Discuss the boardroom’s toughest challenges with fellow directors and experts in the financial services, accounting, and legal fields.”

The report determines that the average company suffered fraud-related losses of $8.8 million over the last three years, up a mere 7 percent from the $8.2 million reported last year. The companies surveyed were categorized into 10 industries: financial services; professional services; healthcare, pharmaceuticals, and biotechnology; technology, media, and telecommunications; natural resources; retail, wholesale, and distribution; consumer goods; travel, leisure, and transportation; and construction, engineering, and infrastructure. Of the companies surveyed, 46 percent had global annual revenues in excess of $1 billion.

The sectors currently most vulnerable to fraud are financial services, manufacturing, retail/wholesale/distribution, and construction/engineering/infrastructure, all identified as industries in which poor economic performance contributes to increased fraud. Financial services, in particular, has suffered of late, with an average company loss of $15.2 million over the last three years, up from $12.9 million last year, and almost twice the average loss across all sectors.

Those sectors that were doing the least to combat fraud were professional services, technology/media/telecommunications, and retail/wholesale/distribution.

The most pressing concerns, as recorded by survey respondents, were information theft (with 20.1 percent of respondents considering themselves highly vulnerable, corruption and bribery (13.9 percent), and theft of physical assets (13.5 percent).

Kroll, a subsidiary of Marsh & LcLennan Companies, publishes its Global Fraud Report annually. To read the full report, click here.

What’s changed for board directors in light of the financial crisis?
I’ve learned as much in the last two years as I have in the last 20. We should be required to write Counterparty and Risk on our agendas in bold, capital letters. Previously, the board discussed risk on an annual basis. And it was something managed by the compliance department. I sat on a board as all this began to unfold. When we stepped up our discussions with the risk management officer, we were surprised by the number of areas we would ask about and he would say, “That’s not under my purview.”

Is there a potential boards could get too risk averse?
We may have the equivalent of Depression babies in the boardroom. If we run our companies like the last two years were the norm, then definitely there’s going to be too much focus on risk. But certainly there wasn’t enough in the past.

How does a board get its arms around risk?
Old fashioned sensitivity analysis. The analysis that was usually presented to the board for a given transaction was one-dimensional or the sensitivities were tested in too narrow of a band and failed to take into account enough of the exogenous events in the real world. Part of this, of course, can be attributed to management selling their initiatives and part of it is just a process to which we fell victim. Once you properly illuminate the risks, then you can intelligently think about “go or no go,” mitigation, and offsetting actions.

Concentration intensifies risk. Should we all become more diversified?
Diversification can be a bit of a mirage. In the mortgage market, if you look at some of the hybrid instruments that we now call toxic—they took groups of BBB-rated credits, put them into structures with diversity of regions and industries and called them AAAs, but they were still just a bunch of BBBs. And when things hit the fan, unsurprisingly, they behaved like BBBs and collapsed. If you go back to some of the old-timers who did work in the banking industry back in the 1940s and 1950s, using basic risk-management concepts, they found effective ways of managing risk within otherwise homogenous product lines. Plainly, they were better at underwriting. They had no choice, because they couldn’t count on passing the risk off through some exotic securitization.

If you are going to be obsessive about market share does that lead to additional risk?
Obsessive pursuit of market share often relies on lower prices and increased subsidies. This is particularly true in mature or commoditized industries. We see this happening today in the wireless telecom sector and we saw it with the mortgage bull market. In these industries, the only way you materially increase market share is by taking more risk or accepting lower returns and it usually requires both. You hear “We’re better at servicing or we’re better at sourcing,” but at the end of the day, it’s a commodity. So anyone growing significantly faster than the pack is, by definition, taking more risk.

There’s a fixation on compensation these days. What’s your take?
You know this is one area that has been a colossal failure on the part of boards. Can we all agree that you simply should not leave the determination of compensation to a process dominated by those being compensated? Reform has to start with a vigorous attitude by the compensation committee. Human nature is a constant; what changed over the years were the perverse incentives compensation committees allowed to creep into our system. We hear a lot of talk about short-termism these days, but it starts with executive compensation that is heavily weighted toward annual cash bonuses and equity incentives that essentially get reset once a year. It’s no wonder our financial sector became so amazingly creative and skillful at trading short-term cash for long-term tail risk while dressing it all up as growth. This is exactly how their incentives were set. For decades, Alfred Sloan enforced a system at General Motors where management received a nice base salary and then ten percent of the profits over a return of six percent. By the mid-1970s, the concept of requiring a return on investment before paying incentive compensation disappeared. It may sound simplistic, but both the financial crash and the demise of our auto industry were really all about perverse incentives.

What types of investment opportunities do you look for, companies you think have poor governance?
We invest in companies that we think are underperforming against their potential in terms of their stock price value. That usually means there is a problem in their operations or capital allocation or some fundamental area of performance. Poor governance, more specifically poor board dynamics, invariably accompanies that underperformance. We leave it to the academics to decide whether there’s a causal effect there.

How about some of the proposed regulatory changes for boards, things like proxy access?
That will be very powerful—less so for activist investors and more so for mainstream investors. It will spur a massive self-help movement in corporate boardrooms. If we weren’t already convinced that the model of the modern corporation is broken, if not bankrupt, then the events of the past few years had to tell us that, if not those from earlier in the decade when the most admired companies in the world collapsed before our eyes. As we struggle to think about how to improve our corporate governance regime, I can’t find a better answer than to foster more involvement from the owners.

Should CEOs and boards focus on the broadest possible group of stakeholders?
I think they should stay focused on the long-term investors. If they get confused or try to make it too complex or think that they’re serving multiple constituencies of their shareholder base, they will be led astray. What they really should focus on is the stock certificate. It’s a very simple contract. When the owners are confident in the future, then everything else falls in place.

How should directors view their role today, if any differently than before?
I think guidance is as much a part of their role as oversight and risk management. To the extent that you’re out there looking for directors, you do have to look for people who listen and are still willing to learn and willing to serve an apprenticeship regardless of their age. I was on a board where we were having a discussion about the spec we wanted for a new director search. The CEO said he would like to have a CEO on the board: “I could really benefit from that,” he said. And I said, “Gee, we’ve got four CEOs on this board already. You’ve just proposed an entire reorganization of the management structure. Did you consult any of them on what they thought about it?” He said, “No” and I said, “Let’s start using the CEOs we’ve got.” That’s sounds a little confrontational, but it was an issue that was in the boardroom and we were having a frank conversation. It’s interesting that almost by their nature, the “Type A’s” we hire for CEOs don’t readily reach out and seek advice, because they’re driven and they’re confident. So board members have to be willing to engage and give their views, at times confront, and make certain that management hears their input.

“It is now widely accepted that compensation structures in financial firms should be devised to avoid excessive incentives for risk-taking and that doing so requires tying executive compensation to long-term results and preventing cashing out of large amounts of compensation on the basis of short-term results,” writes Lucian Bebchuk,

What long-term “results” are we talking about though? We propose that risk-taking incentives could be improved by tying executives’ pay not only to the long-term payoffs of shareholders but also to those of preferred shareholders, bondholders and taxpayers insuring depositors.

In examining how executive compensation can affect risk-taking in financial firms, attention has focused on distortions that can arise from the ability of executives to cash out large amounts of compensation before the long-term consequences of risk-taking are realized. The importance of eliminating such distortions, which was first highlighted in a book, “Pay without Performance,” that one of us published with Jesse Fried five years ago, has become widely accepted in the aftermath of the financial crisis.

But there is another type of potential distortions that should be recognized. Bank executives’ payoffs have been insulated from the consequences that losses could impose on parties other than shareholders. This source of distortions is separate and distinct from the short-termism problem; and it would remain even if executives’ payoffs were fully aligned with those of long-term shareholders.

Equity-based awards, coupled with the capital structure of banks, tie executives’ compensation to a highly levered bet on the value of banks’ assets. Bank executives expect to share in any gains that might flow to common shareholders, but they are insulated from losses that the realization of risks could impose on preferred shareholders, bondholders, depositors or the government as a guarantor of deposits. This gives executives incentives to give insufficient weight to the possibility of large losses and therefore provides them with incentives to take excessive risks.

How could pay arrangements be redesigned to address this distortion? To the extent that executive pay is tied to the value of specified securities, such pay could be tied to a broader basket of securities, not only common shares. Rather than tying executive pay to a specified percentage of the value of the common shares of the bank holding company, compensation could be tied to a specified percentage of the aggregate value of the common shares, the preferred shares and all the outstanding bonds issued by either the bank holding company or the bank. Because such a compensation structure would expose executives to a broader fraction of the negative consequences of risks taken, it will reduce their incentives to take excessive risks.

Indeed, even the above structure would not lead bank executives to internalize fully the adverse consequences that risk-taking might have for the interests of the government as guarantor of deposits. To do so, it would be necessary to broaden further the set of positions to whose aggregate value executive payoffs are tied. One could consider, for example, schemes in which executive payoffs are tied not to a given percentage of the aggregate value of the bank’s common shares, preferred shares and bonds at a specified point in time, but rather to this aggregate value minus any payments made by the government to the bank’s depositors, as well as other payments made by the government in support of the bank, during the period ending at the specified time.

Alternatively, one could consider tying executive payoffs to the aggregate value of the bank’s common shares, preferred shares, and bonds at the specified time minus the expected value of future government payments as proxied by the product of (i) the implied probability of default inferred from the price of credit default swaps at the specified time, and (ii) the value of the bank’s deposits at that time.

Even if such schemes are not used, however, tying executive pay to the aggregate value of common shares, preferred shares and bonds will already produce a significant improvement in incentives compared with existing arrangements.

Similarly, to the extent that executives receive bonus compensation that is tied to specified accounting measures, it could instead be tied to broader measures. For example, the bonus compensation of some bank executives has been based on accounting measures that are of interest primarily to common shareholders, such as return on equity or earning per common share. It would be worthwhile to consider basing bonus compensation instead on broader measures like earnings before any payments are made to bondholders.

Recognizing this problem highlights the limits of corporate governance reforms for fixing the design eliminating excessive risk-taking incentives in banks. Concerns about excessive risk-taking have led legislators and regulators, both in the United States and abroad, to adopt or propose various corporate governance measures, such as say-on-pay votes, aimed at improving pay-setting processes and better aligning pay arrangements with the interest of banks’ shareholders.

Although such measures can discourage some inefficient risk-taking that is undesirable from bank shareholders’ perspectives, they cannot be relied on to eliminate the incentives for excessive risk-taking that arise from moral hazard: The common shareholders in financial firms do not have an incentive to induce executives to take into account the losses that risks can impose on preferred shareholders, bondholders, depositors, taxpayers underwriting governmental guarantees of deposits and the economy. This moral hazard problem is at the heart of the extensive body of banking regulations that we have. Consequently, regulatory encouragement or even intervention may be needed to eliminate all excessive risk-taking incentives.

Be that as it may, any attempt to eliminate excessive incentives for risk-taking requires a full understanding of the sources of such incentives. Such understanding requires focusing not only on the length of executives’ horizons but also on the definition of long-term results to which executives’ interests should be tied.

Lucian Bebchuk is professor of law, economics and finance and director of the corporate governance program at Harvard Law School, and Holger Spamann is co-executive director and fellow of this program.

Deloitte’s guide is broken down into six sections:

1. Define the board’s risk oversight role

2. Foster a Risk Intelligent culture

3. Help management incorporate Risk Intelligence
into strategy

4. Help define the risk appetite

5. Execute the Risk Intelligent governance process

6. Benchmark and evaluate the governance process

Allocating risk management resources in a cost-effective manner; assisting in shaping the organization’s response to regulatory issues; employing risk management for competitive advantage; and driving long-term growth while preserving assets, are integral to a board’’s risk intelligence process.

Click here to read the full report.

While regulators and investors deserve to be reassured, I grow concerned that loud, public cries to better manage risk, will effectively diminish our capacity to take risks.  Ironically, this potential pendulum-swing of reaction becomes a new risk in and of itself.  An overly conservative approach will tamp down innovation and growth.  Too much board time focused on risk will draw directors’ attention away from other issues more important to long-term value creation.  And perhaps most importantly, if directors slip into an operational risk management role, it will undermine the CEO’s authority to lead his or her company.  Put simply, with reward requires risk and the oversight for those risk profiles must be reasonable. Corporate leaders have to get this balance right.

It’s time to move beyond risk modeling, which clearly has its place.  To get this right, we need a practical process that will add insight and quality judgment to the mathematical models.  As with all results-focused processes, it must be built on specific expectations, clear roles and responsibilities, and accountability.

There’s no one-size-fits-all approach, but here’s my take on the major components.

Define your tolerance for risk and how you’ll gauge it. The board establishes risk parameters and defines a dashboard of metrics that demonstrate adherence to the policy.  Directors must understand all of the material risks to the corporation and they need it all in one report so oversight quality is clear.  At a minimum, the view should include reputational risk, operational risk, and human capital risk.  This type of report will enable appropriate discussions on risk / reward correlation with a sharp focus on mitigating risk.

Put the CEO in charge. Performing within the parameters of the risk policy needs an owner and in my view, that should be the CEO.   There is a role for a Chief Risk Officer going forward, but without clear ownership, there is no accountability.  The CEO owns this issue.

Hire a Chief Risk Officer. The CRO reports to the CEO, but the board should have a role in selecting this person and ensuring this role’s incentives are in line with its primary responsibility which is to identify significant threats to long-term growth and value creation.

Connect the risk officer to the board, but not in a way that weakens the CEO. By creating a separate reporting link for the Chief Risk Officer to the board, you strengthen his or her internal position and make it easier for the CRO to get needed data and insight.  But nothing should be put in place to weaken the CEO’s authority.  Some will say that a CRO should report directly to the board to “keep the CEO honest.”   For me, if you don’t trust the CEO, that is a separate issue.  Discuss replacing the CEO with other directors.  If you find you’re alone in your assessment, resign from the board.  Your own reputational risk is too great.

Establish a risk committee. Many are calling for board-level risk committees, but I believe this is a senior management committee.  The CEO chairs this committee which reviews risk data, makes recommendations to the board on the most effective ways to balance the potential risk and reward of specific strategies, and provides the requested dashboard data.  Working with this Committee, the CRO defines ERM program objectives, assessment framework, and a common “risk” language for the organization.  The board will define the risk profile, but determining how to execute risk management initiatives within the organization is the Risk Committee’s job.

Ensure the full Board is engaged in this discussion. All directors should receive and evaluate this data.  If this conversation gets delegated to a board-level committee, director accountability will be diminished.  Effective enterprise management is a vital and shared responsibility.  It’s too tempting for directors to think it’s “handled” if it’s taken up by a board committee.  This is a full board issue.

Hold the CEO accountable. Unjustified variance from the risk parameters must have consequences.  At a minimum, the compensation committee should imbed adherence to the risk policy into the CEO’s compensation structure.   If a CEO cannot get results within reasonable risk parameters, then it’s the board’s responsibility to replace him or her.

In the end, moving forward requires risk.  Every time we get in a car, there’s risk.  But we mitigate risk by having a clear destination, getting input if we need it, reading the dashboard data, and making judgments.  That enables us to move forward with confidence.   A clear process, with the right roles, will focus corporations on what shareholders truly care about — long-term value creation.  It would be a mistake for us as corporate leaders to participate in a discussion about throwing away the keys to the car.

Stuart R. Levine, the founder, chairman and CEO of Stuart Levine & Associates, is a director of Broadridge Financial Solutions, and chairman of the governance and nominating committee and lead director for D’Addario & Company.

In the meantime, we can learn a great deal from the ideas and practices being put to good use now. In our work with audit committees and directors around the country, I’m hearing emerging themes that strike me as being nearly universal in their application. And I believe that, taken as a whole, this powerful combination of insights can help every board get a better handle on risk.

First, be clear about the board’s oversight objectives.
Before considering how the board should oversee the organization’s risk-management activities, it is helpful to consider the goals and objectives of this oversight effort. What should the board seek to accomplish in its risk oversight role? Clearly, the board needs to satisfy itself that:

• Management has a system in place to manage risk, and the system is appropriate given the company’s business model and strategy.
• The risk appetite inherent in the business model is appropriate.
• The “risk culture” of the organization is based on the principle that management of risk is essential to the successful execution of the company’s strategy.
• The risk-management system operates to inform the board of the major risks facing the company.

Work with management to understand and agree on the types of risk information the board requires.
A number of directors express concern that the quality of the information they receive about risk—and the company’s changing risk profile—sometimes hinders their oversight efforts. As one director said, “I’m not sure that we have a clear picture from management as to what the top five or ten risks to the business are.”

Some boards are setting aside time to work with management to define their information needs. For example, they are asking: What level of risk is inherent in the company’s strategy? What information does the board require about the top risks facing the business? What should be measured and how? What are management’s core risk assumptions? They are also rethinking the format of the information. Visualization, through graphs and heat maps, can be particularly helpful in testing key risk assumptions and considering the impact of various worst-case scenarios.

Business leaders today must understand that we’ve reached an inflection point for corporate governance, and that effective oversight requires the exercise of healthy skepticism.

Make sure the culture encourages directors to question, challenge, and test management.
Effective oversight requires that directors understand and rigorously test management’s core risk assumptions and assessments; yet some directors say this more dynamic interaction is too adversarial for their boardroom. Business leaders today must understand that we’ve reached an inflection point for corporate governance, and that effective oversight requires the exercise of healthy skepticism. Used appropriately, it’s an important tool for discovering facts, integrating disparate pieces of information, and understanding the company’s risk profile.

Bring the right people into the board’s conversations about risk.
Understanding the implications of the risk information that the board receives—and challenging management’s core risk assumptions when appropriate—requires a rigorous conversation about risk with the people who are knowledgeable about the risks facing the company.  Invite the CEO, CFO, chief risk officer (CRO), general counsel, auditors, and business unit leaders responsible for managing the risks—and perhaps the business leaders responsible for IT and human resources as well. And get input from third parties to test and validate management’s core risk assumptions and perceptions.

Focus on the tone at the top, culture, and incentives.
While a robust risk-management process is essential, it’s not enough; directors today are particularly sensitive to the risks that may be posed by the organization’s tone at the top, culture, and incentive structure. These “Capital R” risks, if unattended, may pose the greatest risk of all.

Enlist the chief risk officer to support the board.
We’re seeing more companies naming CROs or the equivalent role to provide senior-level leadership and support for risk management and, in particular, to manage the company’s risk-management processes.
The CRO probably doesn’t “own” specific risks; rather, the role typically is to manage the process and to monitor the upstream reporting processes for risk. The CRO monitors the risks that line and staff managers are dealing with and ensures that relevant information is communicated throughout the organization. Given these responsibilities, the CRO is in a unique position to support the board in its oversight of risk, particularly in helping to define the types of risk information the board should receive and improving the quality of that information.

Ensure that the risk oversight responsibilities of the full board and its various committees are clear.
How the board delegates responsibility for risk oversight among the full board and its various standing committees is a question that continues to generate much debate. While I see companies taking various approaches, there appears to be a growing trend for the full board to have oversight responsibility for the company’s “top risks”—those that threaten the company’s strategy, business model, or existence.

The various standing committees tend to have oversight responsibility for the specific risks inherent within their areas of oversight. For example, the audit committee has responsibility to oversee financial reporting risks.

Other boards (of banks, for example) have formed risk committees; and some, it seems, rely on the audit committee to oversee “risk.” Boards are taking different approaches, but I believe a key question for every board is whether any single committee—such as the audit committee, or even the full board—has the time, resources, and expertise to effectively oversee the full range of risks that the company faces.

Also, consider delegating  oversight of the organization’s risk-management system—including management’s pro-cesses for identifying, assessing, mitigating, and communicating about risks—to a standing committee of the board.

The effectiveness of all of these approaches hinges, of course, on directors having a solid understanding of the company and its business and industry. Directors must also stay abreast of the issues and developments affecting the company.

Indeed, the ability—and willingness—of directors to ask that second and third follow-up question about a risk, or about the risk-management process, is a vital sign of how healthy the board’s risk conversations are—and how firm a handle it has on risk oversight.

Henry R. Keizer is global head of audit, KPMG International, and U.S. vice chair–audit, KPMG LLP.