This year's hurricane season has started and it promises to be another rough year. If you are a company director, is your company prepared for outside risks like hurricanes or terrorist attacks? What sorts of questions should you ask of management to fulfill your oversight obligations?
A report issued by The Conference Board over the summer indicates that outside directors may not be as informed about enterprise risk as they should be. The Conference Board study found that:
"Only 77.4% of directors say they fully understand the risk/return tradeoffs underlying the current strategy.
Only 73.4% of directors say their companies fully manage risk.
Only 59.3% of directors fully understand how business segments interact in the company's overall risk portfolio.
Only 54.0% have clearly defined risk tolerance levels.
Only 47.6% of boards rank key risks.
Only 42% have formal practices and policies in place to address reputational risk."
With Y2K, 9/11, various corporate scandals and the passage of SOX, companies have invested more time in enterprise risk management in the last few years. A thorough review of enterprise risk management is a complement to the SOX 404 internal control review that companies in the U.S. have completed.
As an outside director, you should understand the business of the corporation well enough to have a general sense of the types of risks that the organization faces. Following are the types of questions you should be asking to fulfill your duties as a director:
1. Does the company appropriately assess risks, and are the company's business strategies aligned with that risk? Risks can range from natural disasters to terrorist threats to class action lawsuits. Risks are typically assessed based on the likelihood of occurrence and the significance of the risk if it does occur. Thus, a risk management plan might give very light treatment to an unlikely and fairly insignificant risk, while significant resources would be directed toward preparation for likely and significant risks.
2. Has the company identified risks that it may face, assessed the likelihood of those risks and formulated a plan to deal with the risks and minimize potential losses? In other words, does the company have redundancy with respect to all key systems? Are there multiple trunk lines so that a shutdown of the main line does not interrupt the business? Is business interruption insurance in place if deemed necessary? What are the company's disaster response plans?
3. Is the company positioned to capitalize on risks where appropriate?
4. Does the board of directors require regular updates about risk assessments and the plans in place to address the risks identified?
The Committee of Sponsoring Organizations (COSO) has a good executive summary of the risk management process on its web site. And here is a lengthy report on enterprise risk management on Boardmember.com's web site.