The last couple of years, and especially the financial crisis, focused corporate leaders mightily on the importance of enterprise risk management and the shortcomings of their ERM efforts. Now that focus has risen to the board level, with companies and regulators alike considering whether there should be specially designated committees of directors whose task is monitoring risk.
"There certainly is a trend here," says Gerry Dixon, global and Americas risk leader at Ernst & Young. "Every client we have is at least having a discussion about whether to establish a separate risk committee on their board."
"Boards of directors are more and more focused on risk these days," agrees Laura Taylor, global practice leader for ERM at Aon. In general, boards' audit committees oversee risk, but Taylor sees a trend toward setting up special risk committees.
That trend could pick up considerably if Sen. Charles Schumer (D-N.Y.) gets his way. Schumer, a member of the Senate Banking Committee, has introduced a "Shareholder Bill of Rights" that would require public companies to designate a risk committee composed of independent directors. The Securities and Exchange Commission, while not specifically calling for risk committees, is proposing a requirement that proxy statements disclose the risk experience of all board members. And in October, the Risk and Insurance Management Society called for the creation of risk committees.
"There's this discussion going on," says Mark Beasley, professor of enterprise risk management at North Carolina State University. At present, he says, two-thirds of companies assign responsibility for monitoring risk management to the board audit committee--no surprise since this has been the New York Stock Exchange's mandate for listed firms since 2004.
Relying on audit committees could be a less than adequate approach, notes Aon's Taylor. "Risk is not all about accounting and reporting issues, after all."
Having a separate risk committee would "help focus a board on risk issues, and on developing a better risk culture," Taylor says. But mandating such committees might not be the best idea, she says. "A mandate could lead to a one-size-fits-all approach," Taylor says. Some board members might shuck off responsibility onto the risk committee and ignore the issue themselves, she says. Taylor suggests that in some cases, giving the full board responsibility for ERM might make more sense.
Risk committee or no risk committee, one thing is clear. Dixon says 96% of companies surveyed by E&Y "admitted that they could improve their risk management activities, processes and functioning."