NEW YORK, Feb. 15 /PRNewswire/ -- As the oversight role of the corporate board in Enterprise Risk Management (ERM) expands, companies feel the need to fill a knowledge gap on effective risk governance practices, according to a major new study released today by The Conference Board.
"The concept of correlating risk management and strategy in an enterprise-wide structure first appeared in the midst of merger frenzy in the late 1980s," says Dr. Matteo Tonello, a corporate governance expert at The Conference Board and author of the study. "At the time, many executives and strategists acknowledged that the enormous amount of risk undertaken through a series of corporate combinations was often not justified by a sound analysis of long-term prospects. In the 1990s, the debate continued and increasingly drew the attention of the business community, only to be obfuscated by the more exclusive focus on financial risks resulting from the scandals of the Enron era. A few years into the implementation of the Sarbanes-Oxley Act of 2002, corporations are now ready to leverage their experience with mandatory internal control procedures to establish a more comprehensive ERM infrastructure."
In response to the need for guidance in the design and implementation of ERM, The Conference Board instituted a case-study based Research Working Group on Enterprise Risk Management with select risk and governance officers. Emerging Governance Practices in Enterprise Risk Management presents an overview of this group's findings, including comments from participants and insights gleaned from five case studies of companies at the forefront of ERM. The report also provides a detailed "road map," with a discussion of the oversight role of the corporate board in each of the major stages of ERM development and execution.
An Integrated Approach to Governance and Risk Management
The group operates from the recognition that, after years of regulations focused on tackling fraudulent behaviors and raising compliance standards, a new era in corporate governance development has begun. Public companies have started to realize that poor governance can hurt market opinion, with a negative impact on the cost of capital and share price. For this reason, management and corporate boards need to proactively think about the specific governance issues their companies are facing and set up a process to anticipate and respond to major risks in this arena.
"As soon as business organizations abandon the traditional view of corporate governance as a regulatory burden," says Dr. Tonello, "they can begin to more easily understand its value as a fundamental risk management activity. That is why our research group reinforced the oversight role of the board and stressed the importance of integrating corporate governance practices with a company's Enterprise Risk Management program."
The report points to the benefits of this integration, which:
-- Reduces the inefficiencies inherent in the more traditional, segmented
approach to risk management and promotes cost reductions through the
development of synergies among business units and departments (both
through the aggregation of risks for more accurate quantification and
the adoption of coherent risk response strategies).
-- Minimizes costly risk exposures, by allowing the company to identify
interdependencies among risks that would remain unnoticed under the
traditional risk management model.
-- Provides -- through its emphasis on overall risk appetite -- a more
objective basis for resource allocation, therefore improving capital
efficiency and return on equity.
-- Stabilizes earnings and reduces stock-price volatility. Empirical
evidence, especially in the insurance industry, supports the use of
hedging techniques to reduce unanticipated earnings fluctuations;
further studies highlight the need to coordinate hedging activities
among functional or business silos in order to optimize the benefits.
-- Offers the tools to make more profitable, risk-adjusted investment
decisions.
-- Improves transparency to stakeholders, therefore reducing regulatory
scrutiny, litigation expenses, costs of access to equity capital and
the rate of return on incurred debt.
Upside Risk and the Link with Strategy
Working Group participants agreed that risk is a two-fold phenomenon and distinguished between "downside risk" (composed of all the consequences of an event that may negatively affect a company's ability to achieve its strategic goals) and "upside risk" (represented by the potential benefits or the business opportunities that the company may derive from the same event). Obviously, the downside of risk should be mitigated, or avoided altogether. But it is also important for a company to have a system in place to identify the upside of risk and escalate it to the higher ranks in the organization, so that senior managers and the board become aware of it and embed it in their strategic decision-making process.
In other words, there are two aspects of risk management: a preventive, control-based aspect and a forward-looking, entrepreneurial aspect. While traditional risk management activities tend to focus on the preventive aspect, an ERM program should ensure the right balance between the two.
THE ERM ROAD MAP
The Conference Board Research Working Group examined five case studies of ERM implementation: Bristol-Myers Squibb Company, Capital One Financial Corporation, International Paper, MetLife, Inc., and Moody's Investors Service. Participants then reached a consensus on recommendations for corporate boards and senior executives who undertake the effort of integrating corporate governance and risk management. Among such recommendations, outlined in the report, a company should consider the following stages in the development and execution of the program:
(1) Appreciate the importance of ERM. Board members need to become
knowledgeable about ERM and appreciate its strategic value. For this
purpose, they need to be provided with adequate informational
materials and, if necessary, they should retain advice from
independent external experts.
(2) Assess gaps and vulnerability in existing risk management solutions.
The corporate board should be persuaded by the business case for
implementing ERM, which should rest on a detailed analysis of the
limitations inherent in more traditional risk management solutions
(which tend to be disjointed and segmented).
(3) Set an underlying mission and program objectives. The ERM business
case should be formulated as a concise and effective mission
statement, articulated in the main program objectives and tied to the
firm's strategic goals.
(4) Establish the ERM infrastructure and assign leadership. As part of
this step, dedicated board members and senior executives should
discuss corporate risk governance policies, draft (or revise)
charters or other organizational documents to incorporate ERM
functions, and assign the program leadership at the executive level.
(5) Compile a risk inventory. Risks facing the business should be
identified, categorized and prioritized. Since the accuracy of the
risk portfolio is a precondition to the success of the whole program,
the board should oversee the process to take inventory of risk and
become comfortable about its effectiveness and thoroughness.
(6) Select assessment techniques and define risk appetite and tolerance.
The selection of appropriate risk measurements should be made based
on the nature of each risk in the portfolio, the amount and depth of
data required to apply the measure being considered, and the
organizational capacity of the business unit in charge of responding
to the risk event.
(7) Determine risk response strategies. Risk owners are accountable for
the response to events assigned to their area of responsibility.
Nonetheless, because of the comprehensive and cohesive nature of the
ERM program, their response should no longer be disjointed from other
divisions of the firm and should be taken according to a set of
response criteria and guidelines (the "response strategy")
predetermined as part of the designed procedures. A response strategy
should be developed for each risk category in the portfolio.
(8) Develop effective internal communication and reporting protocols. An
internal flow of information is essential to the success of ERM.
Therefore, in designing the program, senior management should pay
extra attention to establishing coherent communication and reporting
practices. Board members, for their part, should analyze the quality
of internal reporting lines and be persuaded that information on risk
that is material for strategic purposes will be channeled upstream
and brought to their attention.
(9) Monitor ERM implementation and execution. In an integrated risk
management environment, any activity conducted to identify, assess
and respond to risk should be monitored on an ongoing basis.
Monitoring functions are embedded in the program and assigned to any
organizational level so that they can be performed in the ordinary
course of running a business. Large companies should avail themselves
of dedicated evaluation teams and sophisticated flowcharts and
diagrams to ensure the enterprise-wide ramification of the monitoring
function.
(10) Choose compensation policies and performance metrics to promote and
track the pursuit of a risk-adjusted corporate strategy. The board
should never let executive compensation issues influence the risk
measure selection process. Although companies may decide to use
qualitative and quantitative risk data as key performance indicators
(KPIs) to encourage the enhancement of their business risk management
program, corporate boards should ensure that KPIs are chosen only
after completing the ERM process design.
(11) Integrate ERM with existing operational systems (i.e., IT,
accounting/budgeting/planning, internal control, regulatory
compliance, etc.). According to the Research Working Group findings,
revisiting performance metrics to tie them to a risk-adjusted
strategy, and fully integrating ERM with existing operational systems
represent the most advanced (and least implemented) stages in an ERM
program.
The Event Identification Process Takes Center Stage in Risk Governance
"From a corporate governance standpoint, the role of corporate directors in phases such as the compilation of the risk portfolio or the selection of adequate response strategies cannot be overstated," says Dr. Tonello.
Board members not only contribute their knowledge and expertise but also oversee the process adopted by senior managers to identify and prioritize risks. It should be understood that if a major risk is (accidentally or deliberately) excluded from the analysis, then the rest of the ERM program will suffer a major deficiency.
"As they approach ERM from a governance perspective, board members should remain aware that certain business risks may represent personal opportunities for dishonest, ill-intentioned managers. In those cases, managers may have an interest in avoiding having those categories of potential events brought to the surface and addressed in a systematic and effective way," Tonello continues.
The board should consider becoming familiar with the event identification techniques chosen by senior executives (interviews, questionnaires and surveys, facilitated workshops, market analyses, industry benchmarks, geopolitical reports), understand their limitations, and be able to critically analyze their outcomes.
Similarly, the Research Working Group recommends that responses to risk events be taken according to a set of response criteria and guidelines (the "response strategy," which may consist of risk avoidance, mitigation or undertaking, according to the risk type). The board should ensure that the response strategy is the most appropriate to respond to a risk category and is supported by a cost-benefit analysis, including:
-- A discussion of the time horizons regarding both the impact of the risk
event and the implementation of the response.
-- An assessment of the resources the firm would need to deploy to
implement a specific response, including the ability to access external
capital to finance the response.
-- The consistency of the response with long-term business objectives.
The new report is a complement to The Role of U.S. Corporate Boards of Directors in Enterprise Risk Management, a June 2006 report from The Conference Board that illustrates findings from survey-based research on how board members perceive their risk oversight role.
Through these and other research projects on risk governance, The Conference Board Governance Center continues to address the multi-faceted issue of stock market short-termism according to the recommendations made by delegates to the Corporate/Investor Summit held in London in July 2005. In the view of delegates to that summit, "Widespread adoption of an [ERM] framework should be encouraged as an effective process to assess and respond to strategic and operating risk, not only to bring clarity to the long-term strategic direction a business should take, but also to clearly communicate such long-term strategy to the market" (see Tonello, Revisiting Stock Market Short-Termism, The Conference Board Corporate/Investor Series, R-1386-06-RR).
About The Conference Board
The Conference Board, not-for-profit and non-partisan, is the world's leading research and business membership network. It produces the Consumer Confidence Index, the Leading Economic Indicators for the U.S. and eight other nations, the Help-Wanted Print and Online Job Indexes, and major studies on productivity trends. The Conference Board also produces authoritative studies and reports on corporate governance, executive compensation, corporate citizenship, diversity and best practices on a wide range of human resources activities. Its conference and council programs bring together senior executives from around the world.
The Conference Board Governance Center brings together a distinguished group of senior corporate executives from leading world-class companies and influential institutional investors in a non-adversarial setting. In small groups of prominent senior executives, all discussions are confidential, enabling a free-flowing exchange of ideas and effective networking.
About the Research Working Group on Enterprise Risk Management
Emerging Corporate Governance Practices in Enterprise Risk Management reports on the discussion of the ERM Working Group instituted by The Conference Board Governance Center in September 2005. Members of the Working Group met in New York City on September 15 and November 2, 2005, and on January 10, 2006.
Dr. Carolyn K. Brancato is Senior Fellow and Director Emeritus of The Conference Board Governance Center. Ellen S. Hexter, C.F.A. served as Program Chair for the September 15, 2005 and the January 10, 2006 meetings, while Dr. Matteo Tonello was Program Chair at the November 2, 2005 meeting.
Working Group members:
Chester Paul Beach, Jr.
Associate General Counsel
United Technologies Corporation

Mark S. Beasley
Professor, Department of Accounting
Director, Enterprise Risk Management Initiative
College of Management
North Carolina State University

Caryn Bocchino
Senior Manager
KPMG's Audit Committee Institute

John T. Bostelman
Partner
Sullivan and Cromwell LLP

Carolyn K. Brancato
Senior Fellow and Director Emeritus
Governance Center
The Conference Board, Inc.

Thomas Brier
Deputy Director for Corporate Governance
Pennsylvania State Employees' Retirement System

Laura L. Brooks
Vice President, Risk Management and Chief Risk Officer
Public Service Enterprise Group

Carlton J. Charles
Head of Enterprise Risk Management
International Paper Company

Karen Clapsaddle
Director, Compliance Programs and Global Ethics
Lockheed Martin Corporation

George S. Dallas
Managing Director and Global Practice Leader
Governance Services
Standard & Poor's

Scott Davenport
Vice President, Enterprise Risk Management
Capital One Financial Corporation

Nancy A. DeRiso
VP & Director of Internal Audit
Selective Insurance Group

Robert G. Eccles
President
Advisory Capital Partners, Inc.

Miles Everson
Partner
PricewaterhouseCoopers LLP

Craig Faris
Director
Mercer Oliver Wyman

John M. Farrell
Partner
KPMG's Audit Committee Institute

Donna Fletcher
Associate Professor of Finance, Director of Risk Management Program
Hughey Center for Financial Services
Bentley College

William Foote
Enterprise Risk Services Director
Deloitte & Touche LLP

Rick Funston
National Practice Leader, Governance and Risk Oversight
Deloitte & Touche LLP

Herve Geny
Senior Vice President
Moody's Corporation

Sylvia Gentzsch
Manager
Governance and Risk Oversight
Deloitte & Touche LLP

Thomas Graham
Senior Staff, Strategy & Planning Group, Corporate Internal Audit
Lockheed Martin Corporation

Todd Greenwald
Head of Operational Risk
TIAA-CREF

Kent Harvey
Senior Vice President, CFO and Treasurer
PG&E Corporation

Eric Henry
Executive Director
Pennsylvania State Employees' Retirement System

Ellen Hexter
Senior Advisor on Integrated Risk Management
The Conference Board, Inc.

Gary L. Lavey
Vice President, Global Risk Management
Cinergy Corporation

Robin F. Lenna
Senior Vice President and Chief Risk Officer
MetLife, Inc.

Janice Lingwood
Director, UK Value Reporting
PricewaterhouseCoopers LLP

Steven Oster
Director, Enterprise Risk Strategy
Public Service Enterprise Group

Kenneth Pavlick
Internal Audit Manager
Selective Insurance Group

Amy Pawlicki
Director - Business Reporting, Assurance & Advisory Services and XBRL
American Institute of CPAs Inc.

John Phelps
Director of Risk Management
BlueCross BlueShield of Florida

Michael Privitera
Vice President, Public Affairs
Standard & Poor's

Mary Jane Raymond
Chief Risk Officer
Dun & Bradstreet Corporation

Scott A. Reed
Partner
KPMG's Audit Committee Institute

Prodyot Samanta
Director, Enterprise Risk Management
Standard & Poor's

Michele N. Schumacher
Vice President, Corporate Secretary and Corporate Governance Officer
Selective Insurance Group

Laurie F. Smaldone
Vice President, Strategy and Issues Management
Bristol-Myers Squibb Company

Matteo Tonello
Senior Research Associate
Governance Center
The Conference Board, Inc.

Janice Wilkins
VP & Director of Internal Audit
Intel Corporation

Charles Windeknecht
Director, Internal Audit
Moody's Corporation
About the Author
Matteo Tonello, LL.M, Ph.D., is Senior Research Associate at The Conference Board Governance Center. A qualified attorney in New York and Italy, he practiced corporate law at Davis Polk & Wardwell from 1998 to 2004.
Recently, Dr. Tonello advised the Italian Commission of Study on Corporate Transparency about the effects of the Sarbanes-Oxley Act on foreign private issuers, and contributed to the drafting of the two final reports by the Commission. A new securities law enacted by the Italian Parliament in December 2005 was largely based on the Commission's findings and related recommendations. Dr. Tonello is the author of two books in Italian, on international convergence of corporate governance standards and on the corporate veil piercing doctrine. For The Conference Board, he authored a report on stock market short-termism, a study of corporate governance best practices in family-controlled corporations, and the new edition of The Conference Board's Corporate Governance Handbook. Developments in Best Practices, Compliance, and Legal Standards (2007). In addition, he co-directed a research project in collaboration with McKinsey & Company and KPMG's Audit Committee Institute on the role of corporate boards of directors in Enterprise Risk Management.
Dr. Tonello received a Master of Laws degree from Harvard Law School and a J.D. from the University of Bologna. He also earned a Ph.D. in Law from the St. Anna Graduate School of the University of Pisa (Italy) and was a Visiting Scholar at Yale Law School in 1997.
Website: http://www.conference-board.org/