The One-Tier Board (IVOR nr. 85) 2012/3.5.4
3.5.4 Special aspects of enterprise risk management, standards of supervision and care
Mr. W.J.L. Calkoen, date 16-02-2012
- Date
16-02-2012
- Author
Mr. W.J.L. Calkoen
- JCDI
JCDI:ADS593759:1
- Field(s) of law
Company law (V)
Footnotes
Conference Board, Risk (2007).
NACD on Risk (2009).
Conference Board, Risk (2007), p. 15.
Conference Board, Risk (2007), p. 21.
NACD on Risk (200), p. 4.
NACD on Risk (2009), p. 6.
NACD on Risk (2009), p. 7, and see the Boeing 747 case described above.
Section 303A of the NYSE Listed Company Manual.
NACD on Risk (2009), p. 10.
NACD on Risk (2009), p. 11.
NACD on Risk (2009), pp. 4 and 17 and Association of Chartered Certified Accountants (ACCA), Risk and Reward: Tempering the Pursuit of Profit (June 2010), p. 11 ('ACCA (2010)').
NACD on Risk (2009), p. 18.
NACD on Risk (2009), p. 14.
Bater v. Dresser, 251 U.S. 524 (1920).
Graham (Delaware Supreme Court 24/1/1963, 188 A.2d 125), Caremark (A.2d 959, 967 (Del. Ch. 1996)), Stone v. Ritter (Delaware Supreme Court, 911 A.2d 362 (Del. 2006)); AIG (Vice-Chancellor Strine, 965 A.2d 10/2/2009) and Citigroup (964 A.2d 106, Del. Ch. 24/9/2009).
Pinto and Branson (2009), pp. 220-221.
A.L.I. Corp. Gov. Proj. § 4.01.
Lipton NYSE Speech (2010).
Section 303A of the NYSE Listed Company Manual.
Conference Board (2009), p. 154.
Item 1A of Securities Exchange Act Forms 10-K and 10-Q and item 503(c) of Regulation S-K.
Chapter 8 (Sentencing of Organisations), Amendment 673 (Supplement to Appendix C, 2004 Federal Sentencing Guidelines Manual).
Overseeing risk management (also called enterprise risk management or ERM) is an increasingly important task for US boards. A Conference Board survey of 2006 showed that progress had been made in the development of ERM practices under pressure from external stakeholders.1 A good many large and excellent corporations in the US have now developed exemplary enterprise risk management systems and important new ideas.
1. Understanding the critical link between strategy and risk and the necessity of continual dialogue
Every business model, business strategy and business decision involves risk. In business there is no reward without risk. Risk is not merely something that can be avoided, mitigated and minimised; risk is integral to strategy, it should be weighed against the probability and the size of the reward, and decisions should be made about the risk appetite. Boards should encourage management to pursue prudent risks in order to generate sustainable corporate performance and value.2 An increasing number of directors acknowledge they must oversee business risk as part of their strategy formulation.3 As Ralph Larson, director of GE and Xerox, has said: "... risk is embedded in every product or management decision".4 Although in the period immediately after the introduction of the Sarbanes-Oxley Act audit committees felt obliged to look at micro risks, directors now understand they must look at the big picture, the whole format.5
The board's oversight of risk should be based on the assumption that the company's strategy and risk are appropriate. Essential for such balancing is the understanding and acceptance of the amount of risk the organization is willing to run or absorb. Its "risk appetite" should be based on foreseeable risks, shareholders' expectations, available capital, management skills, possible rewards and acceptable volatility.6 The concepts of risk appetite and risk tolerance are often confused. Appetite refers to the amount of risk that the enterprise is willing to accept, whereas tolerance refers to the degree of variance from the level of appetite that the enterprise is willing to accept.
Too often boards limit themselves in strategy matters to "review and concur". Real board engagement and assessment of risk require choices and alternatives. If the board is provided with several strategic alternatives, together with management's assessment of different scenarios of risk and return, it can provide more meaningful input. The board can also ask for further evidence of the assumptions. The strategy and risk dynamic is not an annual or semi-annual activity. It requires a dialogue at all board meetings and an ongoing effort by the board to evaluate shifting internal and external factors.7
2. The role of the board and the standing committees in risk management
The NYSE rules8 place some risk oversight responsibilities on the audit committee as supervisor of risk. This may create confusion, although the rules add that the audit committee is "not the sole body" responsible. Increasingly, it is understood that risk monitoring cannot be delegated to the audit committee. The unitary board has overall responsibility and should look at the broad picture. The other committees too have their specific roles in the supervision of risk: the Risk Committee should oversee the connection between all the risks in its coordinating role, the Nomination Committee should monitor the risk of making wrong appointments and the Compensation Committee should assess the risk of short-term bonuses, which could result in the wrong corporate culture.
It is important for the board to make a clear and transparent division of responsibilities among those who deal with risk management. An example of a structure at a bank could be:
- an annually updated list of staff involved in risk management;
- a chief risk officer who designs plans and systems that deal with risk interplay and who invites the board to comment if the bank develops new products that are not mentioned in its strategy and in the risk paragraphs of the annual accounts;
- a clear assignment to the various board committees of specific kinds of risks;
- procedures to keep the board well-informed about different kinds of risks and their treatment.
3. Interplay of risks
Risks are not isolated, but interrelated. Problems often occur in groups, thereby making the sum of the risks much greater. In other words, the proverbial "perfect storm". Many little "yellow flags" can add up to a "red flag". The board, acting in its oversight role, is well positioned to consider the interplay of various risks.9
4. Underlying assumptions of strategic direction should be challenged
To be effective, independent directors should challenge CEOs and ask for evidence of assumptions of risk factors in company strategy.10
5. Realize that corporate culture may be the largest risk
More and more directors are realizing the importance of corporate culture and that it is necessary to cure the causes and not just the symptoms.11 The NACD suggests that directors ask themselves the following questions:
- What is the style of management? How do they get things done?
- Are open and candid communications encouraged?
- Does management use directors as sounding boards to test assumptions or as rubber stamps?
- Is there an effective process to facilitate information flow?
- Are incentive compensation targets realistic and focused on the long term? What risks do the incentive structures pose to the enterprise?
- Is there a commitment to competence throughout the organization?
- How does senior management demonstrate its commitment to an appropriate corporate culture?
- Are reputational issues for the corporation considered in strategic planning?
Formulating a proper corporate culture also requires transparency, not only between the board and management but also between the company and shareholders.
Disclosure should include which committees oversee which aspects of risk and how. The board should also disclose how it has assessed its risk appetite and tolerance level.12
6. It is vital that directors are well informed
Directors must have a sound understanding of the company's business. Continuing education for management is important. Directors must "kick the tyres" and visit business locations, including foreign offices. Directors must also find time to read extensively about the business, the competition, regulatory aspects and environmental issues.13
7. Questions, questions, questions
US literature on business contains plenty of pertinent questions that should be asked by directors. For a good example, see the list under 5 above of this sub-section on page 183.
8. Legal aspects of risk management
The Delaware Court of Chancery is developing its interpretation of the duties of care, loyalty and good faith that define director responsibility. In the area of risk management relevant cases are those that deal with supervision and oversight.
In general, the main points of these cases are that (1) the board has the authority to manage the business of the corporation, (2) the board has the duty of loyalty to put in place "due corporate information and reporting systems", (3) the board must react to obvious warnings or red flags, and (4) although all directors are basically equally liable, there are examples of individual exculpation on the one hand and, on the other hand, of a higher standard of care being demanded of insiders (i.e. managers and officers) than of outside independent directors.
According to Section 141(a) of the Delaware GCL, the business and affairs of the corporation are "managed by and under the direction of the board of directors". The law does not say "by the board of directors". This implies that the board has authority and leeway for arranging management and having the necessary systems set up for the gathering of information and reporting. It may delegate certain tasks, which implies that insiders have a higher standard of care than outsiders and that it may trust employees, provided the board keeps an eye on its agents and reacts to red flags.
Standards of supervision
Important cases relevant to this item are Bater v. Dresser,14 Graham, Caremark, Stone v. Ritter, Citigroup and AIG.15 These cases are described below, as well as under liability in sub-section 3.7.3.1.
Bater v. Dresser (1920)
Coleman, the bookkeeper of a small bank in Cambridge, defrauded the bank. Semi-annual examinations had not revealed any wrongdoing. A claim for damages was filed against the directors. The US Supreme Court made a distinction between Dresser, the president, and the other directors. As Dresser was at the bank for many hours every day and had received several hints and warnings, he was held liable. The other directors, who were outsiders and had been persuaded by the president and the semi-annual examinations that nothing was wrong, were held not to have been negligent. This case is important because it makes clear that the US courts distinguish between insider directors and outsider directors in liability cases.16
Graham (1963)
Graham, the plaintiff, alleged that the directors of Allis-Chalmers had knowledge of anti-trust price-fixing arrangements, although the corporation had agreed to a consent order 20 years earlier not to violate antitrust laws. Allis-Chalmers manufactured a variety of electrical equipment and had 31,000 employees, 24 plants and annual sales of $500 million. Its policy was to decentralise management and to have prices set by particular department managers. The 14-strong board, which consisted of 4 executive and 10 non-executive directors, met once a month and was supplied with financial and operating data. They made all decisions on general business policy. In this case some of the company's employees were suspended, interrogated and indicted. The board members were not. Graham wished to sue the board members for damages on the grounds that they knew of the anti-trust activities. The Chancellor and the Delaware Supreme Court ruled that the individual directors were not liable because they had not known of the activities. Some employees of Allis-Chalmers had violated the anti-trust laws and thus subjected the corporation to a loss. There was no duty upon the directors to install a corporate system of espionage if they had no reason to suspect wrongdoing. They were entitled to rely on the honesty and integrity of the employees. This was especially true given the large size of the organization. In short, there were no red flags. Directors are liable for mistakes of employees only if they have recklessly reposed confidence in an obviously untrustworthy employee.
The modern view is that directors should implement procedures and programmes to assist them in their monitoring role.17 Federal sentencing guidelines have provided for lesser sentences for corporations that have implemented compliance programmes.
Caremark (1994)
This case recognized the trend and interpreted the Graham standard more narrowly. The directors of Caremark Int. Inc. were successful in their motion to dismiss the case against them. The plaintiffs had claimed that Caremark directors should have known that officers and employees of Caremark were involved in violations of the federal Anti-Referral Payments Law. That law prohibits health care providers from paying any sum of money to induce referral of Medicare or Medicaid patients. The Court held that "It is important to be reasonably informed that the board exercises good faith (under loyal) judgment that the corporation's information and reporting system is adequate to assure the board has appropriate information in a timely manner as a matter of ordinary operations. However, directors cannot be required to possess detailed information about all aspects of the enterprise. Only a sustained or systematic failure of the board to exercise oversight, such as an utter failure to attempt to assure a reasonable information and reporting system, will establish the lack of good faith (under the duty of loyalty) as a necessary condition for liability". Boards have the duty (a) to institute a system of supervision and (b) to record and monitor that the system functions, but do not have the duty to possess detailed information about the activities of all employees. Some form of monitoring system must therefore be in place.
Stone v. Ritter (2006)
Stone was a shareholder in AmSouth. In 2004 AmSouth Bank paid $40 million in fines and $10 million in civil penalties arising from violations of anti-money laundering regulations, alleged to be the largest ever of its kind. KPMG confirmed that AmSouth had a longstanding compliance programme. There were many AmSouth employees involved: the BSA officer, the BSA/AML Compliance Department, the Corporate Security Department and the Suspicious Activity Oversight Committee. The BSA officer trained the board of directors annually. The board at various times enacted written policies, e.g. a board-wide policy directing all AmSouth employees to immediately report suspicious transactions. The claim that directors are liable for employees' failures is "possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment" [...] "Only a sustained or systematic failure of the board to exercise oversight [...] will establish the lack of good faith (under the duty of loyalty) that is a necessary condition to liability." "In the absence of red flags, good faith in the context of oversight must be measured by the directors' actions to assure a reasonable information and reporting system exists," as noted in the Caremark decision. The Chancery Court and the Supreme Court dismissed the case. The directors are therefore only liable for failure to implement a reporting system or, if there is a system, for consciously failing to monitor the system.
AIG (February 2009)
A motion by AIG directors Maurice R. (Hank) Greenberg and Smith to dismiss the complaint filed by the plaintiffs was not accepted by Vice-Chancellor Strine in a 108-page opinion. In this case a litigation committee of independent directors had been appointed. This committee had decided to institute the litigation initiated by plaintiffs against Greenberg and Smith and the "inner circle".
AIG had invested hundreds of millions in offshore subsidiaries and then entered into worthless reinsurance contracts with them. Also, AIG invested in buying up for itself elderly people's existing insurance policies while telling the public it was issuing new insurance policies. Greenberg and his inner circle inspired and oversaw a business strategy premised in substantial part on the use of improper accounting and other techniques designed to make AIG appear more prosperous than it in fact was. Each of the inner circle had been awarded an enormous amount of stock by Greenberg; they had supervisory authority over AIG's investments and served on AIG's finance and executive committees. In some of the wrongdoings Matthews, one of Greenberg's top managers, was kept in the dark by Greenberg and his inner circle. Here Greenberg and Smith and the "inner circle" were likely to be liable because they had acted in this way without informing the other directors. The motion to dismiss was not accepted and the case will go on to trial.
Citigroup (September 2009)
Citigroup suffered huge losses because of direct and indirect investments in subprime markets. These investments turned out very poorly. However, risk management systems were in place and there was an audit and risk management committee that had the duty to assist the board in monitoring the risk analysis. This committee met about 11 times a year. The Chancery Court considered that the board knew of the deterioration of the subprime market and of the possibility of further deterioration. The plaintiffs in this shareholder derivative suit did not even specify how the monitoring system was inadequate. The Court held that the "red flags" mentioned by the plaintiffs were only general market circumstances and therefore more a sign of poor decision making than of acting in breach of fiduciary duties. The plaintiffs were denied the right to start litigation and the motion to dismiss was accepted. Again, if there are risk management systems in place and there were no specific red flags, the directors are not liable.
While courts continue to adhere to the Caremark case, the possibility of demanding higher standards of care for directors of financial institutions could be extended to all corporations. Specialised committees, use of expert consultants, tutorials and expanded director education will go a long way to enable boards to meet even a strengthened duty of oversight obligations.18
There are many developments in this area. The NYSE requires risk assessment and management policies.19 The SEC endorses self-regulatory frameworks, that is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management – Integrated Framework of September 2004.20 The framework is a regulation of systems that is followed by the corporation. The COSO Framework is also used in the Netherlands. Amendments to the Securities Exchange Act 1934 require risk factor disclosure in annual and quarterly reports.21 As mentioned above, a federal sentencing guideline provides for more lenient treatment of corporate crimes if the organization had established a well-functioning and qualifying compliance programme.22 Certain industries, especially banks and insurance companies, are adopting leading "best practices". Rating agencies are becoming more attuned to companies' enterprise risk management systems.