RR Donnelley Fall 2008 SEC Hot Topics Seminar, University of California, Irvine
Board risk oversight
April 10, 2023 | RR Donnelley SEC Hot Topics Seminar – University of California - Irvine | Page 2 | September 10, 2008
Agenda – Board risk oversight
► The legal foundation
► Advising management and the board
► Executing
► Questions and answers
Disclaimer
► The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.
► Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
► No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
The legal foundation (Shayne Kennedy)
Board risk oversight
The legal foundation for board risk oversight
► Director fiduciary duties
— In re The Walt Disney Co. Derivative Litigation (2005)
— In re Caremark International Inc. Derivative Litigation (1996)
— Board has an obligation to “exercise good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations.”
► Federal and regulatory requirements
— Sarbanes-Oxley Act of 2002
— “A few of the commenters urged us to adopt a considerably broader definition of internal control that would focus not only on internal control over financial reporting, but also on internal control objectives associated with enterprise risk management and corporate governance. While we agree these are important objectives . . . .”
The legal foundation for board risk oversight
► Securities exchange listing standards
— NYSE
► “The audit committee should discuss the listed company's major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken.”
► Code of business conduct and ethics
► Federal sentencing guidelines
TCB study: “Corporate directors may not be providing sufficiently robust risk oversight”
Source: June 6, 2006 News Release by The Conference Board
► Major study by The Conference Board (TCB)
► “Corporate directors could find themselves exposed to liability if they fail to keep pace with evolving best practices in Enterprise Risk Management”
— “Since ERM processes have improved, many directors could be functioning with a false sense of security”
► “Directors serving on multiple boards reported significant variations in the quality of the risk dialogue and fewer boards seem to have well established risk processes”
► Banks and insurance companies out front on Enterprise Risk Management
► “The Audit Committee is the sole repository for ‘risk oversight’ in 66% of companies; in 23% of companies this responsibility is shared with another committee”
► “The Role of U.S. Corporate Boards in Enterprise Risk Management” – www.conference-board.org
Advising management and the board (John Ireland)
Board risk oversight
Management risk identification and reporting
► Company must regularly disclose the most significant factors that may adversely affect the issuer’s business, operations, industry, financial position, etc. (Item 503(c), Reg S-K)
— Item 1A (company risk factors) must be company specific, not just generic/applicable to all businesses
► Management to set up company risk assessment/management framework (Board approves)
— Framework designed to identify/prioritize/mitigate/monitor and update/report enterprise risks
— Numerous possible frameworks and tools available to set up framework
— Consider tying into SOX Disclosure Controls framework – SOX 302
— Execs create company risk management tone which embeds risk management in all business decisions
— Enterprise wide approach/no silo stove pipe approach
— M&A/new major contracts/new geographies/markets/business lines = new risks
► Export controls and new regulations
— Framework can emphasize rewards of proactive risk management approach
— Creates an open, informed continuous dialogue/creates consistency in the enterprise
— Can lead to competitive advantage, i.e. revenue
Risk reporting and the board of directors: bottom up/top down
► Bottom up: Management reports to board
— Types of reports
► Verbal – at quarterly meetings/regular strategy sessions/interim ad hoc basis
► Written – dashboards/heat maps/scoreboards
— Present data in concise plain English/graphics or financial terms – easily understandable
— Report legal and non-legal risk/present risks in context of the enterprise – no silo approach
— Reporting frequency
► Regular and consistent
► Quarterly/annually/other
► Consider more frequent reporting on selected issues, not a one-time info dump
► Top down: Board’s direct involvement in risk assessment/management
— Board training:
► As to duties
— Board orientation/continuing board member education as part of corporate governance
► As to the company and its business
— Visits to company/review company publications
— Board interaction with executives:
► Facilitate regular meetings/interaction between board and management/customers/major vendors
Executing (Bill Sacks)
Board risk oversight
Board risk oversight – Who oversees what risks?
► Financial reporting risks: Audit Committee oversight responsibility
► All other risks: Board/Board Committee oversight responsibility, until a risk poses financial reporting implications
Overseeing the risk management process
► “Efficiency and effectiveness”:
— Assessing the right level of the right risk management capabilities at the right place at the right time
► Five key elements to assess:
— Risk governance
— Risk assessment and response
— Risk quantification and aggregation
— Risk monitoring and reporting
— Risk mitigation optimization
► Assessment levels:
— Board / Board Committee (“risk oversight” self-assessment criteria)
— Corporate (“entity-level”)
— Strategic business unit(s) / business unit(s) / functional units
► Clear accountability for managing risk at its source
Several questions for the Board…
Strategy – Are we taking the right risks?
► “Portfolio view” – Do we know the significant risks we are taking?
► How are the risks we take aligned with our business objectives, growth strategies, and performance goals?
► Do the risks we take help us achieve competitive advantage?
► How are the risks we take related to activities that create stakeholder value?
► Do we have timely, relevant information about our KBRs to make better, more informed strategic choices?
Risk appetite – Are we taking the right amount of risk?
► Are we achieving a return that is consistent with our overall risk profile?
► Does our culture promote or discourage the right level of “on-strategy” risk taking behaviours and activities? Performance incentives?
► Do we have a defined, well communicated and understood organizational risk appetite? Tolerance?
► Is our risk appetite quantified both in the aggregate and per event occurrence?
► Is our actual risk profile consistent with our risk appetite?
► Is our capital sufficient to support our risk profile?
Capabilities – Are we effectively managing our risks?
► Do we have a common risk language?
► Is our risk management process “uniform”, aligned with our strategic decision-making process and key performance measures?
► Risk governance – Is there clarity of empowerment, boundaries/limits and accountabilities?
► Do we have the right levels of the right capabilities (P,P,T) for each KBR?
► Is our risk management process effectively monitored across the entire enterprise?
► Is our uniform risk management process cost efficient? Effective?
Role of internal audit in ERM
Core internal audit roles in regard to ERM:
► Giving assurance on the risk management process
► Giving assurance that risks are correctly evaluated
► Evaluating risk management processes
► Evaluating the reporting of key risks
► Reviewing the management of key risks
Legitimate internal audit roles with safeguards:
► Facilitating identification & evaluation of risks
► Coaching management in responding to risks
► Coordinating ERM activities
► Consolidated reporting on risks
► Maintaining & developing the ERM framework
► Championing establishment of ERM
► Developing ERM strategy for board approval
Roles internal audit should not undertake:
► Setting the risk appetite
► Imposing risk management processes
► Management assurance on risks
► Making decisions on risk responses
► Implementing risk response on management’s behalf
► Accountability for risk management
Source: IIA UK and Ireland
Example ERM and board risk oversight publications
Publications:
► Risk Oversight: Board Lessons for Turbulent Times
► Emerging Governance Practices in Enterprise Risk Management
► Managing Risk Across the Enterprise
► Enterprise-Wide Risk Management
► The Role of U.S. Corporate Boards in Enterprise Risk Management
► Enterprise Risk Management – Integrated Framework
► Strategic Business Risk 2008 – The Top 10 Risks for Business
Publishers and sources:
► The Conference Board – www.conference-board.org
► National Association of Corporate Directors – www.nacdonline.org
► Ernst & Young LLP – www.ey.com
► Committee of Sponsoring Organizations of the Treadway Commission (COSO) – www.coso.org
► Financial Times Management Briefings – www.pearsoned.co.uk
Bill Sacks
Ernst & Young Advisory Services Partner
Email: [email protected]
Tel: +1 310 955 7453
The information contained herein “Board Risk Oversight” is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Questions and answers
John D. Ireland
General Counsel/Senior Vice-President
Epicor Software Corporation
Email: [email protected]
Tel: +1 949 585 4225
Shayne Kennedy
Latham & Watkins LLP
Email: [email protected]
Tel: +1 714 755 8181