No business is without some sort of risk, and managing those risks is the key to achieving an acceptable return on the investment of capital, technology and human resources. Higher levels of risk drive investors to expect greater risk-adjusted returns in exchange for providing capital to the business. The risk profile of each company is different; however, commentators have suggested that the range of risks confronting an enterprise may include the following, in no particular order: financial markets disruption; credit; interest rate; capital; human resources; transactional; data protection and privacy; legal; enforcement actions by federal or state criminal authorities; Foreign Corrupt Practices Act; governmental investigations; regulatory and compliance requirements; cyberattacks; information technology; business continuity and disaster planning; operational; supply chain; financial disclosure; document retention policies and practices and disclosure (obstruction of justice or civil contempt); executive misconduct or negligence (personal and/or professional); brand; reputational; vendors; business partners; third party service providers; customers; and environmental.
The scope of the potential risks to a company listed above should illustrate why companies need a formalized approach to risk management, in the form of systems and programs that have come to be known as “enterprise risk management”, or “ERM”. ERM programs, which often include compliance aspects or are implemented in conjunction with a separate but related compliance program, have been mandated or highly recommended by federal and state laws and regulations, such as the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Wall Street Reform and Consumer Protection Act; the federal sentencing guidelines; listing standards required by national securities exchanges; credit agencies; directors’ and officers’ liability insurance carriers; and accounting and audit review standards. In many cases, companies are required, or strongly urged, to create a separate board-level risk management committee and appoint a chief risk officer, a position discussed further below. Apart from legal and regulatory requirements, companies have recognized that ERM can be deployed as an essential business management tool: to assess and analyze businesses and activities on a risk-adjusted basis; to engage in sound strategic planning and financial management, which requires that the risks of every line of business and activity be assessed and balanced against profitability; and to recognize and prepare for the interdependency of events.
The first step in creating an ERM program is conducting an enterprise-wide risk identification and assessment program, preferably undertaken by an independent third party and with the intent that the assessment be updated on a regular basis. The goal of the risk assessment, which is discussed in more detail below, is to create a solid foundation for designing an ERM program that is aligned with the most material risks confronting the organization. Once the assessment has been completed, the results should be reviewed by the board of directors and the senior management of the company, and specialists should be assigned to develop a proposal for the ERM program. The proposal should be reviewed by the entire board and senior management, and approval of the program should be accompanied by a commitment to provide the resources necessary for the program to be successful. At this point the ERM infrastructure should also be established, starting with the allocation of risk topics among committees of the board and continuing with the appointment of a chief risk officer and the creation of an ERM committee that includes senior representatives from each of the main functional groups of the company and the company’s various business units.
While creation of a standalone committee at the board level to focus on risk management issues and initiatives is growing in popularity, it is by no means a universally accepted approach. Each company must make its own decision, and Deloitte has suggested that the following factors and questions should be considered when deciding whether a risk committee at the board level is appropriate:
- The needs of the stakeholders: The board should assess the quality of the current risk governance and oversight structure, the risk environment, and the future needs of the organization to determine how best to meet the needs of all of the company’s stakeholders, not just investors.
- Alignment of risk governance with strategy: Having a risk-focused committee at the board level increases the likelihood that the board, management and business units will be aligned in their approach to risk and strategy, thus promoting better risk governance and ensuring that risk oversight is value-adding.
- Oversight of the risk management infrastructure: The decisions about the role of the board-level committee, if any, should be made in the context of larger questions regarding who will be in charge of the people, processes and resources of the risk management program. Assuming that a chief risk officer position will be created, it is important to be clear about reporting obligations for that position (e.g., to the risk committee, the entire board or the CEO).
- Scope of risk committee responsibilities: Before a board-level committee is formed, decisions must be made about the scope of its responsibilities. In some cases the committee may be responsible for overseeing all risks; however, the board may decide that certain risks should be primarily addressed by other committees (e.g., the audit committee should maintain oversight of risks associated with financial reporting) and that the purview of the risk committee should be limited accordingly.
- Communication among committees: Particularly when the scope of the risk committee’s responsibilities is to be limited as mentioned above, the board must clearly define the boundaries among all of the board committees and establish communication channels to be sure that activities do not overlap and that important risks do not “fall between the cracks”.
Further information on the topics discussed above can be found in G. Goldberg and M. McNamara, Effective Enterprise Risk Management and Crisis Management: Roles and Responsibilities of the Board and Management (August 20, 2012),
This article is adapted from material in Sustainability and Corporate Governance: A Handbook for Sustainable Entrepreneurs, which is prepared and distributed by the Sustainable Entrepreneurship Project and can be downloaded here.
Alan Gutterman is the Founding Director of the Sustainable Entrepreneurship Project, which engages in and promotes research, education and training activities relating to entrepreneurial ventures launched with the aspiration to create sustainable enterprises that achieve significant growth in scale and value creation through the development of innovative products or services which form the basis for a successful international business. Visit the Project’s Library of Resources for Sustainable Entrepreneurs to download handbooks, guides, articles and other materials relating to sustainable entrepreneurship and keep up with the Project’s activities by following Alan on LinkedIn, Twitter and Facebook.