In this morning’s news, it was widely reported that newly appointed Securities and Exchange Commission Chairman Mary Schapiro plans to examine whether the boards of banks and other financial firms conducted effective oversight before the financial crisis. It was also reported that Ms. Schapiro is considering asking boards to disclose more about directors’ backgrounds and skills, specifically, how much they know about managing risk. These developments serve to highlight, in this environment of massive impairment writedowns of asset values on companies’ balance sheets, that corporate boards of directors must be extra diligent to avoid charges that their oversight was also impaired.
Although the oversight of risk management by boards of directors likely has the protection of company charter provisions limiting directors’ liability and the “demanding test” of Delaware courts, which require “sustained or systematic failure of the board to exercise oversight—such as an utter failure to assure a reasonable information and reporting system exists,”* the current economic and political environment requires increased awareness of risk management issues. The dramatic downturn of the U.S. economy has placed nearly all businesses either in distress or at the very least in the position of significantly disappointing investors. These challenges, which are unprecedented in recent economic times, demand that businesses act prudently to carefully review and address their existing risk vulnerabilities and anticipate future risks. A proactive assessment and recognition of risk factors facing a business and its risk management practices will strengthen a business in these dire economic conditions. The time for any type of business as usual has passed, and companies and boards must now pay extraordinary attention to risk matters.
Listed below are ten issues companies and boards should address in regard to risk assessment in light of the current
- Emphasize a proper tone at the top. Especially during challenging business environments, the board must emphasize integrity and compliance throughout the company. The board must be particularly sensitive to fraud and misbehavior, as difficult times may cloud judgments of risk or encourage company employees to cut corners or push the envelope of acceptable conduct to meet business goals, or simply to keep their jobs. Companies should consider reviewing policies and procedures such as anonymous whistleblower procedures and ethical guidelines that are designed to encourage ethical and proper business behavior.
- Review and customize risk management processes and governance structures currently in place. Risk management processes and governance structures should be tailored to meet the needs of each particular company, but all processes and structures should identify material risks, provide strategies for responsiveness and communicate the risk to the company’s executives and board. Companies should routinely review risk management policies, modify them as necessary and even consider testing them periodically.
- Review whether the company and the board have adequate expertise to assess and manage the company’s risks. Both the board of directors and management should be comfortable that there is adequate expertise to identify, assess and manage the enterprise risk. Boards may wish to confirm that the company has the expertise necessary to manage current risks. They may also wish to review their own membership for adequate expertise and establish a board risk management committee which may engage outside consultants.
- Review executive compensation in regard to risk taking. Review executive compensation to eliminate incentives to take excessive risks. The compensation committee should be versed in risk management issues and consider modifications in response to the current economic times. Be prepared to answer questions regarding, and publicly explain, whether compensation incentivizes management to take undue risks.
- Reward risk management in executive performance reviews. Juxtaposed with eliminating incentives to take excessive risks, reward executives for proper risk management, effective compliance with the company’s risk management processes and promotion of appropriate risk management within the company.
- Make risk assessment a regular concern. Schedule regular discussions about risk assessment. Depending on the severity of the company’s difficulties, consider monthly or even weekly meetings to discuss the company’s risk management and the major risks facing the company. Make sure concerns regarding risk are at the correct place on the board agenda.
- Review whether adequate resources continue to be allocated to internal controls. While businesses are cutting operating expenses and budgets to right-size the business to current activity, boards should be mindful that budgets for departments that are responsible for monitoring compliance and internal controls are not being shrunk below the point at which they can perform their mandates.
- Review financial statement issues. Recognize the increased stress on executives and management to meet investor demands. Directors should consider challenging the historic assumptions and estimates used in the company’s accounting methods. It may be timely for additional oversight over matters that are the subject of management estimates and judgments, particularly to the extent they reflect assumptions based upon historic experience which may no longer be dependable assumptions. Simple examples of such items would be reserves for doubtful accounts, obsolete inventory and asset value impairments.
- The world is flat. Recognize the interdependency of customers, vendors and financial institutions worldwide. Companies are now dependent on the financial strength of worldwide partners to fulfill obligations and to purchase and sell goods. Companies and boards must be prepared to manage the risks and stresses related to our “flat” world as it is today.
- Ensure that D&O insurance and indemnification arrangements are current and adequate. In addition to overseeing risk management on behalf of the company, directors must ensure their personal protection in times of crisis. Review D&O insurance and indemnification arrangements to confirm appropriate protection against personal liability for director action on behalf of the company.
* In re Caremark International Inc. Derivative Litigation, 698 A.2d 959, 971 (Del. Ch. 1996). Also, in Stone v. Ritter, the Delaware Supreme Court reaffirmed Caremark by holding that the necessary requirements for director oversight liability include (a) an utter failure of directors to implement any reporting or information system or controls or (b) having implemented a system or controls, consciously failing to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention. 911 A.2d 362, 370 (Del. 2006).