Thursday, January 7, 2010

Risky Business: 10 Questions on Risk Management for the New Decade

For the last decade, risk governance and risk management have been on the ascendancy. Early in the decade, Enron and its ilk helped to propel a sense of urgency and crisis, driving the completion of the Enterprise Risk Management framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004). But the recent financial crisis, compounded by snowballing sustainability issues such as climate change and product toxicity, made it clear that risk management is a work in progress. Far more must be done to turn the patchwork of risk management approaches into viable public policy and corporate governance solutions.

As counsel to investors who are typically concerned with both the financial and societal risks associated with their portfolio companies, I offer here my perspective on 10 key questions on risk management likely to be answered over the next decade:

1. Will the major environmental and social risk disclosure loopholes be closed by the SEC and FASB?

Numerous organizations and investors have communicated to the Securities and Exchange Commission the need for clearer guidance on disclosure to investors of environmental and social risks, including climate risk, human rights, labor impacts, and other so-called ESG performance issues. See, for instance, communications to the SEC by the Investor Network on Climate Risk and the Social Investment Forum.

In addition, as we wrote last year in our report for the Investor Environmental Health Network, Bridging The Credibility Gap: Eight Corporate Liability Disclosure Loopholes That Regulators Must Close, the system of disclosure to investors regarding potential and pending corporate liabilities overseen by the SEC and the Financial Accounting Standards Board is seriously broken. It remains to be seen whether either agency will have the backbone needed to repair the flaws. Practically speaking, action by those agencies depends on whether the affected constituencies, especially investors, make their voices heard on these issues.

2. Will “sustainability risk” become an operative principle of corporate decision-making?

As demonstrated in the Chartered Accountants of Canada 2009 report on Sustainability, Risk and Opportunity, the word sustainability has at least two meanings: it can mean the ability of a business to continue to “sustain” itself financially, or it can mean essentially an environmental evaluation: whether a particular activity undermines or supports the needs of future generations living on our planet. The new term “sustainability risk” attempts to embody both concepts, but may in the end prove confusing. Other terms, such as “climate risk” or even “long-term risk,” may prove clearer in framing disclosure and risk management discussions and policies.

3. Will compensation structures be linked to long-term views of risk and performance?

Compensation watchdogs, such as Nell Minow of The Corporate Library and Prof. Lucian Bebchuk of Harvard Law School, have asserted that as long as the corporate insiders who hold major quantities of stock can benefit by temporarily pumping up a firm’s short-term financial performance, incentives will be skewed towards short-term over longer-term performance and risk.

A resolution filed by Harrington Investments at Goldman Sachs for the 2010 shareholder meeting would require the top five executives to hold 75% of their future stock bonuses until three years after their retirement, effectively creating an incentive to maintain the long view.

4. Will board risk governance committees catch on?

Senator Charles Schumer’s “Shareholder Bill of Rights Act of 2009” would require all public companies to establish risk committees of their boards, to “be responsible for the establishment and evaluation of the risk management practices of the issuer.” Some expert observers of and commentators on corporate governance assert that such a uniform requirement for board risk committees is ill-advised. They assert that risk management oversight is a core responsibility of the entire board, and not a role that can be delegated to a subgroup of board members through a committee.

Yet there are so many issues involved in ensuring the integrity of a firm’s overall risk management framework that the greater focus brought by a separate committee does seem appropriate, at least in reviewing the integrity of the risk management systems that are put in place and identifying risk issues which should be given priority attention by the board in its entirety.

Shareholders concerned with risk governance at their portfolio companies have begun to follow the lead of the Schumer bill in resolutions filed for the upcoming season. For example, a resolution filed by Northstar Asset Management at Western Union requests that the company form a risk governance committee independent of the existing audit and finance committee. Similarly, a resolution filed at ConocoPhillips asks the company to disclose the board’s risk governance practices, and to explore whether a separate board risk governance committee is needed.

5. Will directors face liabilities for poor risk oversight?

So far, it is unclear whether boards of directors will be held liable for poor risk oversight. The recent Delaware Chancery Court decision in In Re Citigroup Inc. Shareholder Derivative Litigation, 964 A. 2d 106 (Del. Ch. Feb. 24, 2009) (see good discussion here) demonstrates that the courts may be willing to grant a wide berth around board discretion in risk decision-making, based on the business judgment rule which protects board members from liability in exercising ordinary business judgment. Shareholders had filed a derivative action on behalf of Citigroup alleging that the company’s officers and directors had breached their fiduciary duties by, among other things, failing to monitor and manage the risks associated with subprime lending. The Court noted, “Oversight duties under Delaware law are not designed to subject directors, even expert directors, to personal liability for failure to predict the future and to properly evaluate business risk.”

Nevertheless, there are cracks in the wall that may eventually lead to board liability. For instance, in discussing the Securities and Exchange Commission’s recently established requirements for disclosure of risk management credentials of board members, Arthur C. Delibert of the law firm of K&L Gates LLP recently cautioned against too aggressively stating a board member’s qualifications to avoid expanding his or her liability:

…registrants should bear in mind that individuals with expertise in relevant areas may be subject to heightened standards of liability under federal and state securities laws. When the Commission in 2003 adopted the requirement that registrants disclose whether their audit committees include at least one “audit committee financial expert,” it also provided relief from some forms of potential liability to which such “experts” might otherwise be subject. The new disclosure requirements provide no such relief, despite comments from several organizations having raised concerns about such liability. Accordingly, registrants may wish to be circumspect in their descriptions of director qualifications, while honoring the requirement that disclosure be complete in all material respects.

The potential liability of board members for poor risk oversight remains a contested territory, and will no doubt be an interesting topic of litigation during the new decade.

6. Will Enterprise Risk Management protect investors and society, or merely insulate management and boards from potential liabilities?

Enterprise Risk Management involves determining how much uncertainty is acceptable within an organization, and then identifying a strategy consistent with that risk appetite. As an article published by the accounting firm of Grant Thornton recently noted, by adopting ERM,

a company gains the ability to align its risk “appetite” and tolerance with business strategy. As a result, management can better manage risk “opportunistically”–they can identify events that could have an adverse effect, determine whether the benefits outweigh the risks and develop an action plan to manage them. In other words, proper risk management allows organizations to examine and evaluate opportunities and create value by taking risks carefully.

It remains to be seen, however, whether the existence of ERM programs will result in better choices about risk, or principally provide an evidential baseline for asserting that officers and directors had not neglected their fiduciary duties to manage risk.

7. Will corporate risk managers apply the precautionary principle to potentially catastrophic risks to society?

In a dialogue at The Conference Board that I participated in during the summer of 2009, several board members of major corporations stated unequivocally that when it comes to sustainability and a company’s risks to society, the bottom line for them is simply whether the way the company handles an issue helps to maximize profitability. This approach is consistent with the COSO guidelines for Enterprise Risk Management, under which risk management means a choice among various strategies. Although a baseline of legal compliance may be inferred, taking other voluntary action to reduce risks to society posed by the firm’s activities is weighed against other approaches to the risk, including buying insurance or choosing to simply shoulder the risk.

In contrast to that view, some companies do appear to take the position that any potentially catastrophic risks to society posed by corporate activities are to be minimized or avoided, regardless of the potential returns or availability of insurance. For instance, forward-looking companies such as Dell, Samsung and Bristol-Myers Squibb have adopted the Precautionary Principle, which would require them to minimize certain risks with potentially severe implications for society. Taking action to reduce the risks is the priority, and not coequal with other risk management options such as insurance.

The issue of risks to society has been amplified by recognition of systemic risks – errors repeated across companies and sectors – where only strong government oversight seems sufficient to the task of controlling the broader implications of many individual corporate risk decisions.

8. Will the attention to "Black Swan" risks -- those considered largely unpredictable -- lead to disempowerment, or action to avoid and plan for the worst consequences?

The financial crisis has brought a great deal of attention to the concept of the “Black Swan” event, the improbable event that defies calculation of probabilities. The author of the book The Black Swan: The Impact of the Highly Improbable cowrote a recent article in the Harvard Business Review in which the number one mistake made by executives in risk management is identified as failing to shift the focus from predicting when the severe incidents might happen to preparing for the eventualities.

There is a danger in the present environment that risk managers will be disempowered by the notion of risks that they cannot predict, and pay too little attention to reducing the potential consequences for the firm and society. For example, even though it is difficult to calculate the odds of health impacts, we already know enough about some nanotechnology hazards to public health to suggest that greater attention, prevention and disclosure are prudent.

9. Will Web 2.0 bring radical transparency to corporate risks?

Web 2.0 technologies such as Reframeit have already made it possible for corporate annual reports to be annotated by any member of the public. It is only a matter of time until such tools are applied in a manner that brings much more information into the hands of the investing public. Websites that emerged in 2009 like and are a promising vanguard of such an approach, and new requirements of the Securities and Exchange Commission for companies to uniformly encode their annual reports (in XBRL) may help to enable this trend.

10. Will shareholders use their growing powers to ensure transparency and accountability on risk?

In 2009, it became clear that shareholder rights are on the ascendancy. There is momentum for shareholders to win stronger rights to nominate and elect directors of their companies. In addition, the SEC restored the right to file shareholder resolutions seeking disclosure of hidden financial and sustainability risks. Already, dozens of resolutions have been filed for 2010 asserting those restored rights.

Nevertheless, it remains to be seen whether the broader community of all shareholders will effectively assert those rights to secure better risk management in the coming decade.

The author is a legal advisor to investors focused on financial and societal risks associated with portfolio company issues such as sustainability, public health, and human rights. He is counsel to the Investor Environmental Health Network as well as many of the funds and investors mentioned in this blog post.

