New York, NY, June 8, 2006--Corporate directors could find themselves exposed to liability if they fail to keep pace with evolving best practices in enterprise risk management (ERM), according to a major new study released today by The Conference Board in conjunction with McKinsey & Company and KPMG's Audit Committee Institute.
Since ERM processes have improved in some companies, many corporate directors could be functioning with a false sense of security, the study points out. New legal requirements are steadily suggesting that directors should ensure that their companies have a "robust" ERM program.
The report, authored by Carolyn Kay Brancato, Matteo Tonello, and Ellen Hexter of The Conference Board, is entitled The Role of the U.S. Corporate Board of Directors in Enterprise Risk Management. These findings are based on a comprehensive research effort on the topic that incorporated personal interviews with 30 board members, analysis of Fortune 100 board committee charters, and a broad survey of 127 board members. The report has not yet been released, but is forthcoming.
Dr. Brancato, director of The Conference Board governance center and Directors' Institute, said today: "Our research shows many directors believe they have a good handle on the risks their companies face. But since many directors tend to approach risk more on a case-by-case basis, they may not have adequately robust and systematic enterprise risk management processes in place."
The study shows that banking and financial services tend to have more developed ERM processes and may therefore set the standard by which other industries will be measured.
In addition to the CEO, the corporate executive most frequently cited by directors as responsible for informing the board on risk issues is the CFO (71% of companies). However, at a growing number of companies, a chief risk officer is cited as the person informing the board and appears to be an increasingly visible company executive (for instance, in 16.1% of financial companies, up from virtually none a few years ago).
Dr. Gunnar Pritsch, a partner of McKinsey & Company, who collaborated with The Conference Board on the study, said: "Things have definitely improved since we did a similar survey in 2002." Data in 2002 showed that 36% of directors did not believe that they had a full understanding of the major risks facing their companies. By 2006, that percentage decreased to 10.5%. However, he also said that "Boards still have a way to go. Directors serving on multiple boards reported significant variations in the quality of the risk dialogue and fewer boards seem to have well established risk processes."
Dr. Brancato reports: "There may indeed be a false sense of security among those directors reporting that they have a full understanding of the company's risks. When we asked directors personally, many said they approach risk on a case-by-case basis in connection with a specific strategic issue such as a merger or acquisition or the entrance into a new market. This may not constitute a sufficiently robust process to satisfy directors' fiduciary responsibilities."
The new research found significant differences in how directors understand risk and how their companies manage risk. Moreover, directors may have more of a top down understanding of risk. The Conference Board study finds: Although 89.5% of directors say they fully understand the risk implications of the current strategy,
Only 77.4% of directors say they fully understand the risk/return tradeoffs underlying the current strategy.
Only 73.4% of directors say their companies fully manage risk.
Only 59.3% of directors fully understand how business segments interact in the company's overall risk portfolio.
Only 54.0% have clearly defined risk tolerance levels.
Only 47.6% of boards rank key risks.
Only 42% have formal practices and policies in place to address reputational risk.
