Deloitte has just released a research paper, “CFO Insights: Board relations: Have risk disclosure practices improved?”, covering the risk disclosure practices of the top 200 companies listed in the S&P. The research is a continuation of a 2010 study. The Securities and Exchange Commission (SEC) had issued instructions in Feb 2010 that companies must disclose the role of their board in risk oversight. The graph below depicts the results of the research.
To me the table indicates that US companies have focused on the formation of risk management committees at board level. However, there is still a long way to go in respect of boards seriously considering risks. The reason for making this statement is that just 45% of the companies reported alignment of risk oversight with corporate strategy. Moreover, just 11% of the companies report involvement of boards in monitoring the risk appetite of the organization. Lastly, just 8% disclose involvement of the board in the formation of corporate culture. This indicates boards are still giving lip service to risk management and haven’t got down to the details of managing risks.
The paper gives four key recommendations for risk oversight committees. I tend to agree with the recommendations; however, in my view this is more of a Chief Risk Officer’s job and not a Chief Financial Officer’s.
• Revisit risk governance and oversight practices periodically to ensure they not only keep pace with, but actually anticipate, the risks your organization and your industry face.
• Keep development of the risk governance and management infrastructure on the leadership agenda and be sure that its development is funded appropriately.
• Monitor risk-related disclosures in the proxy statements of peers, competitors, and market leaders—and of customers and suppliers—and use their practices as benchmarks or goals.
• Ensure that your disclosures and other stakeholder communications tell the full story of your risk oversight and management efforts.
Risk oversight committees play a crucial role in managing the risks of the organization. Therefore, keep the members abreast of the various risks facing the organization. Risk oversight committees fail to do their job effectively when they do not receive accurate information in a timely manner. The tone at the top established by the risk oversight committee with respect to risk management will percolate downwards through the organization. Hence, inform and empower them when required.