The new SEC Proxy Disclosure Enhancement Rules reaffirm the board’s responsibility for overseeing risk management. One consideration for boards in overseeing the risk management activity is to understand what risk management technology, if any, is being used by management, and how they are using it.
I am a board member of a small organization. I have some personal experience and responsibility in this area. We pay attention to our governance requirements. A few months ago my board was presented with a risk management report. I suspect it is similar to what many boards receive.
Let’s start with an analogy. Suppose you were in charge of managing retail inventories across your company. The amount, nature and value of the inventory change daily, but the right inventory management decisions (what to buy, when to buy it, where to stock, when to discount) are the essence of your business value model.
Suppose you had a system where once or twice each year, a team of people went out and counted and listed the inventories at a certain date and presented you with their results in a summarized form several months later. What you would see is a “tally” of the inventory. It has changed by the time you see it. Inventory levels may be bigger or smaller, better or worse, but you, as an overseer, would not necessarily know.
That is similar to how risks are presented to many boards. It is not risk oversight. It’s quite possible in this analogy that inventory management practices are in fact very good. But the inventory (or risk) tally sheet isn’t evidence of that and is probably not the oversight the SEC intended.
It’s not likely that risk management or risk oversight can be achieved without the use of technology.
A few months ago, in his now defunct blog on the IIA web site, my former colleague and partner listed 10 Top Risk and Assurance Software “Should Do” Requirements.
(http://www.theiia.org/blogs/leech/index.cfm/post/Top%2010%20Must%20Dos%20for%20Risk%20&%20Assurance%20Software%20Wish%20Lists)
I’ll excerpt just a few here to illustrate how they meet the requirements of 33-9089 and its oversight requirements. The text within quotation marks is from Leech’s blog.
- “The software should be capable of encouraging users to identify the full universe of assurance contexts”. The SEC has defined several specific contexts to assess in terms of compensation risk. Good risk management practices suggest a complete context description is a starting point for oversight.
- “The software should support the full range of risk management elements contained in global risk management guidance, particularly the recently issued ISO31000”. It would make no sense to buy a financial system that could not account for the full range of financial transactions facing a business. Risk management and related oversight have comprehensive information requirements.
- “The software should encourage and require that risks are identified by specialists and work units using a range of methods…” Boards in their oversight capacity need to know where the information came from and how it was created.
- “The software should be capable of capturing and integrating key performance indicator (KPI) information, including loss event data”. The board, in its oversight role, must understand how risk drives performance generally. The SEC wants the connection between compensation and risk to be described.
My experience with risk management is that once begun in an organized and strategic way, vast amounts of information are produced. Collaboration among various elements of the company is essential. All of that and a good deal more falls within management’s role in risk management. But without some underlying technology to support it, risk management will become unverifiable, unreliable and unsustainable. It’s the role of the board, in its oversight capacity, to assess those factors.
As always, questions and comments are welcome.