Board Risk Oversight (PowerPoint, 5.2 MB)


  • Sources: CBK analysis of Factset 10.45A, accessed 3 April 2008; Audit Integrity, 3 April 2008.

    1. RR Donnelley Fall 2008 SEC Hot Topics Seminar, University of California, Irvine: Board risk oversight
    2. Agenda – Board risk oversight
       • The legal foundation
       • Advising management and the board
       • Executing
       • Questions and answers
    3. Disclaimer
       • The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.
       • Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
       • No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
    4. The legal foundation (Shayne Kennedy)
    5. The legal foundation for board risk oversight
       • Director fiduciary duties
         • In re The Walt Disney Co. Derivative Litigation (2005)
         • In re Caremark International Inc. Derivative Litigation (1996)
         • The board has an obligation to “exercise good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations.”
       • Federal and regulatory requirements
         • Sarbanes-Oxley Act of 2002
         • “A few of the commenters urged us to adopt a considerably broader definition of internal control that would focus not only on internal control over financial reporting, but also on internal control objectives associated with enterprise risk management and corporate governance. While we agree these are important objectives . . . .”
    6. The legal foundation for board risk oversight
       • Securities exchange listing standards
         • NYSE
           • “The audit committee should discuss the listed company's major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken.”
           • Code of business conduct and ethics
       • Federal sentencing guidelines
    7. TCB study: “Corporate directors may not be providing sufficiently robust risk oversight”
       • Major study by The Conference Board (TCB)
       • “Corporate directors could find themselves exposed to liability if they fail to keep pace with evolving best practices in Enterprise Risk Management”
         • “Since ERM processes have improved, many directors could be functioning with a false sense of security”
       • “Directors serving on multiple boards reported significant variations in the quality of the risk dialogue and fewer boards seem to have well established risk processes”
       • Banks and insurance companies are out front on Enterprise Risk Management
       • “The Audit Committee is the sole repository for ‘risk oversight’ in 66% of companies; in 23% of companies this responsibility is shared with another committee”
       • “The Role of U.S. Corporate Boards in Enterprise Risk Management”
       Source: June 6, 2006 News Release by The Conference Board
    8. Advising management and the board (John Ireland)
    9. Management risk identification and reporting
       • The company must regularly disclose the most significant factors that may adversely affect the issuer’s business, operations, industry, financial position, etc. (Item 503(c) of Regulation S-K)
         • Item 1A company risk factors must be company-specific, not generic factors applicable to all businesses
       • Management sets up the company risk assessment/management framework (the Board approves it)
         • The framework is designed to identify, prioritize, mitigate, monitor, update and report enterprise risks
           • Numerous frameworks and tools are available for setting one up
           • Consider tying it into the SOX disclosure controls framework (SOX 302)
         • Executives set a company risk management tone that embeds risk management in all business decisions
           • Enterprise-wide approach, not a silo or stovepipe approach
           • M&A, new major contracts, new geographies, markets or business lines = new risks
             • Export controls and new regulations
         • The framework can emphasize the rewards of a proactive risk management approach
           • Creates an open, informed, continuous dialogue and consistency across the enterprise
           • Can lead to competitive advantage, i.e. revenue
    10. Risk reporting and the board of directors: bottom up / top down
       • Bottom up: management reports to the board
         • Types of reports
           • Verbal: at quarterly meetings, regular strategy sessions, or on an interim ad hoc basis
           • Written: dashboards, heat maps, scoreboards
             • Present data concisely in plain English, graphics or financial terms so it is easily understood
             • Report legal and non-legal risk; present risks in the context of the enterprise, not in silos
         • Reporting frequency
           • Regular and consistent (quarterly, annually, other)
           • Consider more frequent reporting on selected issues rather than a one-time information dump
       • Top down: the board’s direct involvement in risk assessment/management
         • Board training
           • As to duties: board orientation and continuing board member education as part of corporate governance
           • As to the company and its business: visits to the company, review of company publications
         • Board interaction with executives
           • Facilitate regular meetings and interaction between the board and management, customers and major vendors
    11. Executing (Bill Sacks)
    12. Board risk oversight – Who oversees what risks?
       [Diagram: each risk is assigned to one of two oversight owners. Financial reporting risks: Audit Committee oversight responsibility. All other risks: Board / Board Committee oversight responsibility, until a risk poses financial reporting implications.]
    13. Overseeing the risk management process
       • “Efficiency and effectiveness”: assessing the right level of the right risk management capabilities at the right place at the right time
       • Five key elements to assess:
         • Risk governance
         • Risk assessment and response
         • Risk quantification and aggregation
         • Risk monitoring and reporting
         • Risk mitigation optimization
       • Assessment levels:
         • Board / Board Committee (“risk oversight” self-assessment criteria)
         • Corporate (“entity-level”)
         • Strategic business unit(s) / business unit(s) / functional units
       • Clear accountability for managing risk at its source
    14. Several questions for the Board…
       • Strategy: are we taking the right risks?
         • “Portfolio view”: do we know the significant risks we are taking?
         • How are the risks we take aligned with our business objectives, growth strategies and performance goals?
         • Do the risks we take help us achieve competitive advantage?
         • How are the risks we take related to activities that create stakeholder value?
         • Do we have timely, relevant information about our KBRs to make better, more informed strategic choices?
       • Risk appetite: are we taking the right amount of risk?
         • Are we achieving a return that is consistent with our overall risk profile?
         • Does our culture promote or discourage the right level of “on-strategy” risk-taking behaviours and activities? Performance incentives?
         • Do we have a defined, well communicated and understood organizational risk appetite? Tolerance?
         • Is our risk appetite quantified both in the aggregate and per event occurrence?
         • Is our actual risk profile consistent with our risk appetite?
         • Is our capital sufficient to support our risk profile?
       • Capabilities: are we effectively managing our risks?
         • Do we have a common risk language?
         • Is our risk management process “uniform”, aligned with our strategic decision-making process and key performance measures?
         • Risk governance: is there clarity of empowerment, boundaries/limits and accountabilities?
         • Do we have the right levels of the right capabilities (P,P,T) for each KBR?
         • Is our risk management process effectively monitored across the entire enterprise?
         • Is our uniform risk management process cost efficient? Effective?
    15. Role of internal audit in ERM (Source: IIA UK and Ireland)
       • Core internal audit roles in regard to ERM
         • Giving assurance on the risk management process
         • Giving assurance that risks are correctly evaluated
         • Evaluating risk management processes
         • Evaluating the reporting of key risks
         • Reviewing the management of key risks
       • Legitimate internal audit roles with safeguards
         • Facilitating identification & evaluation of risks
         • Coaching management in responding to risks
         • Coordinating ERM activities
         • Consolidated reporting on risks
         • Maintaining & developing the ERM framework
         • Championing establishment of ERM
         • Developing ERM strategy for board approval
       • Roles internal audit should not undertake
         • Setting the risk appetite
         • Imposing risk management processes
         • Management assurance on risks
         • Making decisions on risk responses
         • Implementing risk responses on management’s behalf
         • Accountability for risk management
    16. Example ERM and board risk oversight publications (titles and publishers in the order they appear on the slide)
       • Risk Oversight: Board Lessons for Turbulent Times
       • The Conference Board
       • National Association of Corporate Directors (www.nacdonline.org)
       • Emerging Governance Practices in Enterprise Risk Management
       • Ernst & Young LLP
       • Managing Risk Across the Enterprise
       • Enterprise-Wide Risk Management
       • The Role of U.S. Corporate Boards in Enterprise Risk Management
       • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
       • Enterprise Risk Management – Integrated Framework
       • Financial Times Management Briefings (www.pearsoned)
       • Strategic Business Risk 2008 – The Top 10 Risks for Business
    17. Questions and answers…
       • Bill Sacks, Partner, Ernst & Young Advisory Services; Tel: +1 310 955 7453
       • John D. Ireland, General Counsel / Senior Vice-President, Epicor Software Corporation; Tel: +1 949 585 4225
       • Shayne Kennedy, Latham & Watkins LLP; Tel: +1 714 755 8181