Board Oversight of Risk Management
Directors' Duties with Respect to Risk Oversight, by Kimberly Decker & Atul Malhotra

Directors' Duties with Respect to Risk Oversight
Kimberly Decker
Fiduciary Duties, Generally
Directors stand in a fiduciary relationship to the corporation and owe two primary fiduciary duties to the corporation:
- Duty of Care
- Duty of Loyalty
Business Judgment Rule
Varies by state, BUT in general the acts of the board, its committees and individual directors are presumed to be in the best interests of the corporation.
- The presumption can only be overcome if the plaintiff can show that the directors breached a fiduciary duty (i.e., the duty of care or the duty of loyalty), lacked good faith or engaged in self-dealing.
- This is significant protection for directors' acts.
- It places the burden of proof on the plaintiff to overcome the presumption.
Duty of Oversight?
- The duty of care and the duty of loyalty are the two main fiduciary duties of directors.
- Delaware (and other states) have created a "Duty of Oversight", also called "Caremark" duties in Delaware.
- It fits where attacking the duties of care and loyalty does not provide relief.
- As interpreted, this is a corporate-compliance-related duty.
- Failure of this duty opens up directors to personal liability.
Duty of Oversight
- Caremark: directors have an affirmative duty to establish and exercise oversight over some form of internal compliance activity.
- Requires a good faith attempt to establish a corporate information and reporting system.
- The standard of care is low: no "bad faith".
- Subsequent cases demonstrate that director liability for breach of the duty of oversight requires an utter failure to implement any reporting system or controls or, if implemented, a conscious failure to monitor.
Duty of Oversight
"Red flags" versus "yellow flags"; no oversight versus flawed oversight.
- Failure to meaningfully respond to a troubling, continuing pattern of noncompliance
- Knowing approval of a business strategy that specifically incorporates illegal actions
- Tolerance of operations that knowingly defy law
- "Utter failure" of the information reporting system
Note the "knowledge" references.
Duty of Oversight - Good News!
The standard of care (no bad faith) is really low. It is "possibly the most difficult theory in corporation law on which a plaintiff might hope to win a judgment".
Duty of Oversight - Bad News!
- Really only applies to shareholder derivative suits. There may be other creative ways to use a different lawsuit platform to impose higher standards.
- Higher standards may be expected by federal and state regulators.
- Reputational harm to directors and the company even from a "win" (because, again, bad faith is a low standard).
- Flawed or inattentive oversight may survive a Caremark claim challenge, but could also affect availability of D&O coverage and indemnification protection if there are breaches of the common law duties of care and loyalty.
Where Does that Leave Us?
You are not likely to be successfully sued for breach of the Duty of Oversight... BUT:
- There are lots of other reasons to raise the standard above "no bad faith".
- The Duty of Oversight is different from the Business Judgment Rule: avoidance/conscious disregard vs. action (whether or not it was the "right" action).
Navigating the Duty of Oversight
- Is there a compliance mechanism in place?
- Ability to appreciate the types of information and activity that might be a "red flag":
  - Regulatory climate for your company
  - What IS the internal compliance program and how is it supposed to work?
- Can you identify patterns of conduct that may rise to the level of creating "actual knowledge"?
  - Whistleblower reports
  - Letters to the board or audit committee
  - Numerous and related civil claims
- Understanding the extent to which corporate ethics are embedded across all levels of employees

Directors' Duties with Respect to Risk Oversight
Atul Malhotra
Legal Statement
The views presented in this material and during the course of this presentation are those of Mr. Malhotra only and not necessarily those of his current employer, Fulton Financial Corporation, its officers or Directors, nor any prior employer or organization with which he is or has been affiliated. The information contained herein is of a general nature and based on authorities that are subject to change. A good faith effort has been made to attribute ownership for materials sourced from other publications and authors. This presentation does not constitute legal, corporate governance or risk management advice or service. Applicability of the information to specific situations should be determined through consultation with a professional adviser.
The risk management imperative – why do we need to do it?
According to the World Economic Forum, the volume and velocity of threats to enterprise value is growing exponentially. Identifying, assessing, prioritizing, managing and monitoring these threats in a structured and disciplined manner is the practice of risk management.

Key concept: Enterprise Risk Management: a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of an entity's objectives.[1]

Figure (Enterprise Risk Management at the centre, surrounded by example threats to enterprise value):
- Systemic operational inefficiency
- Data breach / cybersecurity incident
- Regulatory / legal actions
- Social media brand disruption / trolling / activist consumer groups
- Compliance violations
- Marketplace disruption / strategic misalignment
- High performer / key leader turnover
- Supply chain disruption / counterparty concentration risk

[1] Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management – Integrated Framework (2004).
How is risk management accomplished?
To get started the entity must establish risk accountabilities. It starts at the top and must cascade throughout the organization. Day-to-day management activities are informed by the organization's risk appetite and influenced by the risk culture, even if these are not formally established, understood or managed.

Key concept: Risk Appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.[1]

1. Assign Roles and Responsibilities
   Figure labels: organizational levels (Board of Directors / Board Committees; C-Suite; Legal Entity; Division; Business Unit; Product, Service, Process); Policies, Organizational Structure, Objective Setting and Incentives; Risk culture; Risk appetite; Risk management system.

2. Establish a Framework (three lines of defense)
   - First line of defense: frontline units, business units, or functions that create risk
   - Second line of defense: independent risk management, loan review, compliance officer, chief credit officer
   - Third line of defense: internal audit, including independent assurance
   Source: Office of the Comptroller of the Currency Risk Governance Framework, Comptroller's Handbook (Safety and Soundness), Corporate and Risk Governance, July 2016.

3. Implement & Report: Identify Risks, Assess, Quantify, Mitigate, Monitor, Transfer.

[1] COSO Research Paper – ERM – Understanding and Communicating Risk Appetite (2012).
What is a risk appetite statement?
It is widely understood that entities will need to take some risk in order to achieve their stated goals; the key is to understand how much risk the entity is willing and able to accept. A risk appetite statement is a formal, board-approved statement of how much risk the entity is willing to accept. At minimum it includes the following key elements:
- Link to the entity's mission, vision, strategy and objectives (i.e. tied to the value creation activities of the entity)
- Define the entity's view of risk and any broad categories that it uses to measure risk
- Stated precisely enough to be communicated across the organization and effectively monitored
- Contains both quantitative and qualitative measures of risk to facilitate both objective monitoring and subjective identification of emerging risks (i.e. known knowns, known unknowns and unknown unknowns)
- Describes risks that exist at an individual level and in the aggregate as well, hence requiring measurement and monitoring to provide such perspective
- Defines the actions to be taken when risk measures are outside of the established tolerances defined in the risk appetite statement

Figure: Expected Enterprise Value plotted against Risk Level ("Optimal Risk-Taking – Where is the Entity's Appetite?"), with regions labelled Insufficient Risk-Taking, Optimal Risk-Taking and Excessive Risk-Taking, and annotations "Is this normal?", "Too good to be true?" and "Should we be doing this?".
A bit about frameworks
There are several risk management frameworks available to choose from, some specialized by domain of risk as well. An effective risk management program will adopt a framework that meets the needs of the organization.
Making it all work together
1. Define and Organize Risks

Figure: example enterprise risk taxonomy
- Strategic Risk: Alignment Risk; Execution Risk; Implication Risk; Reputational Risk
- Financial Risk: Financial Reporting Risk (ICFR / SOX); Tax Position Risk; Balance Sheet / Asset Liability Management Risk; Credit Risk; Investment Risk; Market / Price Risk; Liquidity / Cash Flow Risk
- Operational Risk: People Risk; Process Execution Risk; Information Technology Risk; Cyber-Security Risk; Physical Security Risk; Model Risk; Business Continuity Risk; Fraud Risk; Vendor Risk
- Compliance Risk: Legal Risk; Regulatory Risk; Tax Compliance Risk

Board checklist:
- Ensure management has created an enterprise-wide taxonomy of risks that considers all risks applicable to the entity's activities
- Ensure management has organized the risks in a manner that allows the entity to "roll up" risk information in a meaningful and actionable way
- Ensure management is able to "drill down" where appropriate
- Ensure the risk inventory stays current and is complete – has management purchased the list or adopted an industry-accepted inventory?
Making it all work together
2. Establish Ownership & Accountability

Board of Directors
- Provide oversight and establish risk governance through policy
- Set the tone for risk culture
- Approve the risk appetite statement and risk framework
- Monitor risks through established regular updates
- Provide independent, informed, credible challenge of management's assumptions, biases and opinions of risk
- Receive assurance of risk management effectiveness from internal audit

CEO & Executive Management Team
- Set strategy and organization objectives
- Monitor risks associated with strategy
- Provide oversight and monitoring of enterprise-wide risks

CFO & Accounting / Finance Team
- Responsible for financial risk management and related compliance risk management
- Acts as a corporate control function for financial risks, advising and supporting business line financial decisions

CCO & Corporate Compliance Team
- Provides oversight and monitoring of business unit and product compliance
- Provides regulatory compliance subject matter expertise and coordinates input from other specialists (e.g. Legal Counsel)

General Counsel
- Manages and monitors legal risk
- Provides expertise in regulatory compliance matters where necessary

Business Unit / Division Leaders
- Own the risks applicable to their business unit
- Responsible for risk mitigation and control decisions for all risks applicable to their business
- Subject matter expertise provided by specialists (e.g. CRO / CAE, CHRO, CIO, CISO, CCO, Corporate Security etc.)
- Specific risks may also be owned by specialists (e.g. People Risk owned by the CHRO, Cyber-Security Risk owned by the CISO)
Making it all work together
3. Implement Programs
- Risk assessments should be conducted periodically to ensure applicable risks are identified and measured in a timely manner. Risk assessments will likely be done on specific categories of risk, and assessment criteria will include monetary and non-monetary considerations as well as qualitative factors.
- Assessed risks should be quantified through measurable metrics, also known as Key Risk Indicators (KRIs), using a standardized scale. The scale should align to the risk appetite statement for easy reporting.
- Formalized internal control programs, including periodic testing and monitoring for effectiveness, mitigate inherent risks.
- Insurance, asset securitizations, receivable factoring and similar tactics may be used to transfer some remaining risks.
- Remaining risks are then monitored and reported upon periodically. The level of reporting depends upon the risk and the recipient's responsibility. Boards should typically receive summary-level actionable intelligence along with management's action plans where necessary.
Key Questions to Consider
A Board perspective

Key Takeaways
- Understand the entity's risk philosophy and concur with the entity's risk appetite.
- Know the extent to which management has established effective enterprise risk management of the organization.
- Review the entity's portfolio of risk and consider it against the entity's risk appetite.
- Be apprised of the most significant risks and whether management is responding appropriately.

Key Questions to Consider
- Does the Board have the right expertise to provide risk management oversight?
  - A diverse and experienced set of independent directors can offer great value in a risk management context. Diverse experiences lend themselves to challenging the status quo.
  - Consideration should be given to subject matter specialists among the independent directors (e.g. a financial expert on audit committees pursuant to SEC rules implementing SOX §407; cybersecurity expertise on Boards with such risk exposure).
- Is the Board structured to provide sufficient time for risk management oversight?
  - An audit committee of the board traditionally provides some risk management oversight. However, large and complex entities should consider whether the audit committee is able to provide sufficient oversight of non-financial risks (other committees such as compensation, nominating / governance etc. also provide specific risk oversight).
  - Larger organizations are now opting for a specialized committee to focus on risk management more broadly, while allowing traditional Board committees to focus on specific risks. Many regulatory bodies around the world have demanded that a risk committee of the board be established to provide sufficient oversight of risk management (e.g. Reg YY implementing the enhanced prudential standards of the Dodd-Frank Act).
- Is the Board holding management accountable for achieving its stated strategic objectives?
  - Consideration should be given to long-term enterprise value. Foregoing longer-term value for short-term gain often results in catastrophic destruction of capital and value.
  - The Board should regularly challenge management's assumptions, biases and opinions of risk inherent within its business operations and strategic decisions.
- Is the Board sufficiently independent?
- Is the Board using external experts and the independent Internal Audit function to gain assurance over the risk management practices and information?
Red flags for independent directors
- "There is too much risk with that idea"
- "There is no risk with this strategy"
- "We can't possibly measure or assess that risk"
- Strategy discussions do not include a conversation about risk
- Risk management decides which strategies to pursue
- "We've never seen that happen"
- Risk management dashboards are all green
- Risk Management = a compliance or audit activity
- Reputational risk is not a consideration
- "The sky is the limit"
Some additional resources
In addition to industry-specific trade groups and subject matter specialists, I have found that the following organizations provide leading insights and often publish practical and easy-to-understand perspectives on various risk management topics.
Q & A
Speaker Bio Atul Malhotra, CRMA, CRISC, CISSP, CISA
Fulton Financial Corporation – SVP, Managing Director of Enterprise Risk Management

Mr. Malhotra is a seasoned risk management executive with over 15 years of corporate governance, risk management and regulatory strategy experience. In his current role, at a diversified mid-size bank holding company in the US mid-Atlantic region, Mr. Malhotra is responsible for oversight and delivery of the organization's enterprise risk management program. The program includes a multi-disciplinary approach to risk identification, assessment, monitoring and reporting across all domains of risk inherent in the business. In the past Mr. Malhotra served as a regulatory and risk strategy consultant for various publicly traded companies, including large systemically important financial institutions with operations in the US and elsewhere. Mr. Malhotra has considerable operational and related technology risk management and benchmarking experience. Mr. Malhotra's prior experience ranges from serving as an auditor charged with the implementation of risk and control assessments and attestation programs to satisfy the Sarbanes-Oxley Act of 2002 to the development and implementation of early warning measures and operational resiliency protocols to demonstrate readiness of a large bank "living will." Mr. Malhotra has extensive experience with helping companies implement pragmatic solutions to their most complex risk management problems.

Mr. Malhotra has been a member of the Deloitte Financial Services Industry Fellowship program. He currently serves as a Director for the Philadelphia Chapter of ISACA and was previously on the executive committee of the chapter's Board of Directors. He is also an active member of the FEI, RMA, GARP, the IIA, ISC2 and various ABA risk management working groups.