EDPACS
The EDP Audit, Control, and Security Newsletter
Volume 52, 2015 - Issue 4
Original Articles

The Next Frontier for Boards: Oversight of Risk Culture


Abstract

Financial and securities regulators around the world are increasingly concluding that deficient board oversight of risk management processes generally, and of risk culture in particular, has been a recurring root cause of major corporate governance failures. This article surveys the evolution of these new board risk oversight expectations, outlines the handicaps boards face in meeting them, and proposes specific steps that boards wanting to meet the new expectations can take. Notable handicaps include, ironically, traditional point-in-time internal audit processes and ERM programs built around an annual update of the company’s “risk register” that is treated as a compliance exercise rather than as a way to integrate risk management into core business processes, particularly strategic planning. An absence of tangible and practical guidance on how boards should actually assess and oversee their company’s risk culture compounds the problem. The authors’ recommendations focus on the significant changes many companies must make to ensure their boards are equipped with the information necessary to oversee management’s “risk appetite/tolerance” and the organization’s risk culture.


Additional information

Notes on contributors

Parveen P. Gupta

Parveen P. Gupta is the Clayton Distinguished Professor of Accounting and the department chair at the College of Business and Economics at Lehigh University in Bethlehem, Pennsylvania. He is a recognized expert in Sarbanes-Oxley, internal control, risk management, financial reporting quality, and corporate governance. He has published numerous research papers and monographs in these areas and is the recipient of many awards in teaching and research. During 2006–2007, he served as an academic accounting fellow in the SEC Division of Corporation Finance, where he worked closely with the division’s chief accountant and participated actively in Sarbanes-Oxley-related projects, including issuing the Commission’s Guidance on Management’s Report on Internal Control under Sarbanes-Oxley Act Section 404 and the Public Company Accounting Standards Board’s Auditing Standard No. 5 on Auditing Internal Control. He and his team members were recognized for their work in this area with the “Law and Policy” award. His advisory experience is in related areas and includes working with U.S.-based manufacturing, financial services, and energy industry clients, and with Big Four public accounting firms. He is a frequent speaker at academic and professional conferences at both the national and international level and is often quoted in the media. He can be reached at [email protected]

Tim Leech

Tim J. Leech is managing director at RiskOversight Solutions Inc., headquartered in Oakville, Ontario, Canada. He is recognized globally as a thought leader, innovator, and provocateur in the risk and assurance fields. He has provided ERM training, consulting services, and technology to public and private sector organizations in Canada, the United States, the United Kingdom, Europe, Australia, South America, Africa, the Middle East, and Asia. Tim and his daughter Lauren coauthored a 2011 paper published in the International Journal of Disclosure and Governance titled “Preventing the Next Wave of Unreliable Financial Reporting: Why Congress Should Amend Section 404 of the Sarbanes-Oxley Act.” For The Conference Board, he authored “Board Oversight of Management’s Risk Appetite and Tolerance” and co-authored “Risk Oversight: Evolving Expectations for Boards.” Tim’s most recent article, “Reinventing Internal Audit,” published by the IIA in the April issue of Internal Auditor, has received global recognition and accolades. He lives in Oakville, Ontario, with Elaine, his wife of over 39 eventful years; he has two daughters, Lauren and Morgan, and, most recently, his first granddaughter. He can be reached at [email protected]
