Enterprise risk management, or ERM, continues to be a “hot topic” in the legal press, in CLE programs, in webinars and certainly in Compliance Week. Like a dog with a bone, the securities law and corporate governance communities are gnawing away, until the last ounce of marrow is sucked free and digested.
Why the flurry? Probably because the actual application of the theory to ongoing corporate governance is not clear. Indeed, I taught a webinar on risk management last month, attended by board members, compliance officers and securities professionals from both the United States and Canada, and the recurring theme was: “Stop telling me about SEC disclosure requirements and start telling me what I should be doing on the ground.”
In my January column, I outlined the changing definition of risk as it relates both to board governance and securities law reporting. The change is broad, fundamental and vital to keep in mind: Risk used to be defined in terms of financial, operational, fraud and regulatory matters, and monitoring risk was always vested in the audit committee (the New York Stock Exchange Rules specifically require that vesting).
After the economic meltdown, risk is now understood to lurk in every part of a company’s operation, including strategic risk, market risk, technological risk, and the proverbial “what keeps the chairman up at night” kind of risk.
We also have learned that the SEC, in its new disclosure regime for the current proxy season, seeks extensive discussion of the relationship between compensation and risk, as well as a formal addressing of the board’s perception as to how that board discharges its obligation of risk management.
In the trenches
The professionals who deal with the implementation of risk programs in the trenches have descended upon the task with the same kind of vengeance once reserved for tackling SOX 404.
There are now flow charts, matrices, gap analyses and all sorts of semi-standardized reports that are designed to alert management to the nature of risk, the quantification of risk, and the relative likelihood of risk arising from a single event or from (as it is thought to be more likely) the occurrence of several risks at the same time.
These implementers, typically consultants or accounting firms, always include in their implementation program a reminder of the importance of “complying with regulatory oversight” and “making sure that the compliance program is driven by the tone at the top.” The “top” means the board of directors and C-level management. But, as a practical matter, what is it that the board is supposed to be doing here?
Below I will explore the proper posture of the board of directors with respect to ERM, which, as it turns out, is not only related to SEC requirements; much board obligation is controlled by state laws relating to corporate governance, or compliance with New York Stock Exchange Rules (of course approved at some point by the commission), and (through the back door) the general “risk factor” disclosure requirements under the ’33 Act and the ’34 Act.
The general duty of a board of directors, with respect to any significant corporate operation, is to monitor — that is, to make sure that management causes the company at an operational level to execute properly.
This duty of oversight, we are taught by Delaware corporate law and, in particular, the 1996 opinion in Caremark, is integral to the discharge of the board’s duty of care.
If the board pays reasonable attention, even if corporate performance is faulty, the members of the board will have no liability for breach of fiduciary duty because of the business judgment rule that protects good-faith decisions at a board level.
Last year, in the much discussed Lyondell case, plaintiffs argued that the failure of the board of directors to properly monitor constituted a breach of the duty of loyalty to the company.
This seeming quibble as to which duty was breached (care vs. loyalty) actually carried great importance, because the business judgment rule does not insulate directors from liability if they have been disloyal (as opposed to having simply failed to exercise due care).
After a scare at the lower court level, on appeal the general principle was reiterated: Absent bad faith or what really amounts to gross and overt purposeful neglect, the function of a board in monitoring operations falls under the duty of care and directors are thus protected by the business judgment rule even if things don’t work out very well.
This is the state of play also with respect to boards and ERM: boards monitor, management executes and boards adhere to the tired but wise rubric: “noses in, hands off.”
Much ado about ERM
So what specifically should today’s board of directors be doing about ERM?
A decision has to be reached as to how the board’s responsibility to manage risk is to be organized. This decision will be reflected in the new proxy disclosures relative to the board’s sense of its own role. Will the audit committee continue to be the driver, or will the audit committee simply be part of the methodology? (Remember, under the New York Stock Exchange Rules, even if the audit committee parcels out ERM functions, it still retains as a committee a direct supervisory role.)
Will the board establish a standing “risk committee?” Sen. Charles Schumer’s pending governance bill in Congress requires reporting companies to do so; as of March 1, however, only 48 out of the Russell 1000 companies had taken this step.
What, if any, committee will have separate responsibility for the broader aspects of the definition of risk — technology risk, health and safety, strategic, world economy, etc.? About the only easy answer here has to do with compensation; the new SEC proxy disclosures clearly place the burden on the compensation committee to exhaustively examine, and report upon, the relationship of compensation and risk.
The governance committee should promptly review the charters for the board as a whole and for each of the committees, so as to document responsibility and reporting chains for ERM. The dual effect of this action is that people will know what to do, so things don’t slip through the cracks, and the board’s attentiveness to ERM will be documented.
Whichever committees have ERM responsibility should work on a standing agenda so that, with such periodicity as they believe is warranted for their particular company, risk (and changes in risk profile) will be considered. Directors should monitor the inputs.
Since the traditional narrow “financial” definition of risk no longer applies, the board should ask questions such as whether all operating units, geographies and functions have been included in the gathering of risk data and its evaluation.
In addition to internal investigation and discussion, have we considered reports of outside securities analysts, the news media, and industry data?
Have we made sure that those risks we have disclosed in our ’33 Act and ’34 Act filings (risk factors), as updated for material changes in any 10-Qs, have been specifically considered? It is awkward to discover that risks management and counsel have chosen to highlight in public SEC disclosure have nonetheless not been factored into the risks that are actually being addressed.
Directors should make sure that the various strands of data are appropriately reported to whichever committee or person(s) within the company may be assigned the job of reaching a conclusion as to the nature and magnitude of risk. This is sometimes referred to, at the operational level, as making sure that the “silos” are mixed.
Information may come from one subsidiary, one division, one product line, one committee that in and of itself may not seem significant, but combined with information coming from another direction may add up to a risk of substance.
It is not necessary for the board to determine the method for mixing the silos, only to ask the question and receive a satisfactory report from management that the mixing has been addressed.
The board should establish the key metrics with which it is concerned. All risks should be translated into a statement as to the probability and magnitude that the risk presents, expressed in metrics that the board (together with management) thinks are key.
Many consultants focus on risk to enterprise value. I have always thought that impact on earnings and cash flow together were key, and that enterprise value was a derivative of these measures.
Impact on cash is always critical and to be monitored, and impact on earnings per share permeates market value and fundamental enterprise value both. The board should be receiving a report expressed in the “currencies” that it finds to be most meaningful and important for that company; presumably this decision will be reflected in the proxy disclosures.
Lastly, the board must ask: Is management performance sufficiently attuned to each of these major risks, and, if not, how will the “gap” of attentiveness be closed?
The basic conundrum
A company’s strategy reflects its risk appetite. The existence of risk in and of itself is neither evil, nor avoidable. Everyone knows the reciprocal of risk: reward. From the board standpoint, the obligation to monitor means that risk appetites are established, risks are evaluated, and assurances sought from management that risks have been appropriately identified and calibrated against the strategic appetite.
Thus, when management and the board complete the proxy statement, including discussion of risk in terms of compensation and in terms of the board involvement, that proxy statement will reflect an appropriate governance infrastructure sitting on top of effective implementation by consultants, accountants, external and internal auditors.
That leaves just one hanging question: Will Congress, with our society’s present broad swing of the pendulum in favor of increased government involvement in corporate regulation, further charge the SEC with additional ERM-specific regulatory roles?
Stephen M. Honig is a partner in the Boston office of Duane Morris.