Boards and Risk Management in the 2020s
- Rahul Ghosh
- May 24, 2021

With the pandemic raging, it is tempting to forget 2020 as the year of lockdowns, deaths, and disruption to economic life. However, a few years down the line, it could also be looked back on as the year when pressure rose worldwide for board responsibility on risk management. Why? The year 2020 saw several regulatory directions and actions on risk management. To be fair, several years of build-up in this area seemed to reach a climactic phase. It has been a while since financial regulators and supervisors mandated board risk committees, providing detailed prescriptions for those mandates.
Matters reached another level altogether last year when US authorities fined several financial firms for specific deficiencies in risk management and laid out defined task-sheets for their boards to adhere to and report compliance on. Some particulars are interesting for their level of detail: for instance, chiding firms for dropping the ball on assuring enterprise-wide risk management (ERM), for failing to provide independence to risk management teams, and for persistently maintaining fuzzy lines in risk-management-related roles and responsibilities. This also seemed much like the observations made across the Atlantic just a few years ago, relating to firm-wide cultures of placing low importance on risk management. A common theme of regulatory observations has also been that the risk appetite statements (RAS) framed by boards remained just papers filed in the cabinet. No! It wasn’t just about the executives anymore. What has been pointed out is that boards should have done the needful.
From the board members’ perspective, the onus is daunting, to say the least. Even if an individual board member sits on specific board committees such as audit or, in some cases, risk, attending 4 or 6 meetings a year is unlikely to be enough on its own; for instance, it would be no match for the inside view that the company’s executives have. To ask the right questions and to attain a level of assurance that could provide comfort, additional effort (lots of it) and some assistance will be needed. And yet, the pressure bar is rising. Measuring firms and their managements on the parameter of ‘Risk Management’ had long remained largely limited to the world of financial firms. That has changed. Now it applies to non-financial firms as well.
The US norms mandate boards of firms to govern by assessing risks and through policies on risk management. The focus, however, is largely on financial risks faced by companies – meaning risk emanating from foreign currency rates, commodity prices, interest rates, liquidity or credit risk. But the European mandate extends to non-financial risks as well – meaning ERM components comprising the likes of climate, pandemic, technology, operational risk and so on. While Europe does not take the route of regulator-prescribed norms, its measures taken in 2020 adopt a somewhat indirect handle by empowering the shareholder to measure up the boards for ensuring risk management. Whether its ramifications will be wider is not quite clear yet. Some speculation can still be made in these early days. A large shareholder of a bank based in Switzerland (not an EU member, though) indicated that it intended to take board members to task. The shareholder reportedly made public its intention to vote against re-nomination of a specific board member, citing failure of the member to deal effectively with matters concerning risk management. The member referred to in this case headed the bank’s risk management committee. From a board member’s perspective, it might after all still be better with the US regulation (or India’s, for that matter), where the ‘Risk Management’ responsibility cast upon boards is driven and assessed by the regulators.