Delegating risk oversight to committees is not enough.
Following the 2008 financial crisis, Mary Schapiro, the former chairwoman of the Securities and Exchange Commission (SEC), said during testimony to the Financial Crisis Inquiry Commission that “the quality of a board's oversight of risk management – traditionally viewed as just a compliance cost – can make an enormous difference in our economy, and particularly in financial markets.”
The boards of banks were heavily criticised by investors and regulators for overseeing the incentive structures that allowed management teams to take big risks which eventually led to the crisis. Directors would counter that the requirements imposed on boards have increased tremendously over time (think the Sarbanes-Oxley Act of 2002) to the point where boards lack the necessary time, skills and information for effective risk oversight. Impeded information flow to the board is also commonplace; risk officers are not typically invited to board meetings and CEOs are arguably selective when sharing information with the board. This results in boards having an unclear picture of the risk situation and little involvement in steering it. A critical and contentious aspect is the assignment of responsibilities for risk oversight. While survey evidence suggests that most directors believe the entire board should be responsible for overseeing risk management, many firms delegate this responsibility to the audit committee.
In light of these limitations, the natural question is whether board risk oversight can make the difference Schapiro claimed. My research paper, “The Influence of Board of Directors’ Risk Oversight on Risk Management Maturity and Firm Risk-Taking”, with Christopher D. Ittner, a Professor of Accounting at Wharton, shows that board risk oversight matters a great deal.
Across survey data of 297 publicly traded firms headquartered in 28 countries, we found that the more involved a board is, the better. Greater risk oversight is associated with more mature risk management practices relating to risk identification and measurement, risk communication, accountability and risk culture. This, in turn, is associated with lower future risks, shown in the firms’ stock return volatility among other proxies.
Importantly, lower firm risk doesn’t come at the expense of performance, which one might expect if risk oversight curtails risky but value-generating investments. We found that firms with greater board risk oversight involvement and more sophisticated risk management practices enjoy better operating performance in the future.
Roles and responsibilities matter too
As with most things in management, clearly defined roles can make all the difference in the success of an initiative. We also studied this in the paper and found that the formal definition and location of board oversight roles and responsibilities leads to greater board risk oversight. Firms that fail to formally assign risk oversight roles have the lowest understanding of and involvement in risk oversight.
We observed the strongest effects when both the whole of the board and one of its committees are assigned oversight responsibilities. A dedicated risk committee alone is not significantly associated with the extent of actual board risk oversight involvement.
Overall, the findings demonstrate that although board directors are high-level stewards of a company with limited time, they can have a significant impact on the risk management processes of a firm. Committees are still important and should continue to play a role in risk oversight as long as the whole board is also involved. This improves communication and enables the organisation to draw on more expertise and resources to ensure more mature risk management practices. It could also be wise to facilitate communication between firms’ risk officers and the board in the absence of the CEO.
Incentive structures that presumably encouraged risk taking before the financial crisis can be fixed by holding employees accountable for the risks they take. If boards incentivise management to monitor and consider risks in their decision-making, they can instil a risk-conscious culture that preserves the organisation and actually contributes to its performance.
Thomas Keusch is an Assistant Professor of Accounting and Control at INSEAD.