CH3: Corporate Governance and Risk Management

Company law is concerned with addressing three main sets of principal/agent
problems. These arise out of the relationships between, first, the management and
the shareholders as a class; second, between majority shareholders and minority
shareholders; and, third, between the controllers of the company (whether
managers or majority shareholders) and non-shareholder stakeholders.
Two major waves of corporate failures occurred, first in the nonfinancial sector
(2001–2003) and then in the financial sector (2007–2009), and both were attributed
in part to failures of corporate governance. As a result, corporate governance and
its relationship to risk oversight is a continuing concern around the world, and
especially in the United States and Europe.
Corporate governance covers a very wide range of topics, and risk management is
an integral part of the successful corporate governance of every organization. Most
countries in the world place corporate governance requirements on organizations.
The purpose of corporate governance is to facilitate accountability and
responsibility for efficient and effective performance and ethical behavior. It
should protect executives and employees in undertaking the work they are required
to do. Finally, it should ensure stakeholder confidence in the ability of the
organization to identify and achieve outcomes that its stakeholders value.
Corporate governance involves a set of relationships between a company’s
management, its board, its shareholders and other stakeholders. Corporate
governance also provides the structure through which the objectives of the
company are set, and the means of attaining those objectives and monitoring
performance are determined.
A basic definition of corporate governance is ‘the system by which organizations
are directed and controlled’. Corporate governance is therefore concerned with
systems, processes, controls, accountabilities and decision making at the highest
level and throughout an organization. Because corporate governance is concerned
with the way that senior management fulfil their responsibilities and authority,
there is a large component of risk management contained in the overall corporate
governance structure for every organization. Corporate governance is concerned
with the need for openness, integrity and accountability in decision making and
this is relevant to all organizations regardless of size or whether in the public or
private sector.
The Organization for Economic Cooperation and Development (OECD) is an
international organization helping governments tackle the economic, social and
governance challenges of a globalized economy. The OECD has established a set
of principles for corporate governance. These principles focus on the development
of an effective corporate governance framework that pays due regard to the rights
of stakeholders.
The principles require the equitable treatment of all stakeholders and an influential
role for stakeholders in corporate governance. Finally, the principles require
disclosure and transparency. All of these principles are delivered by the board of
the organization and the principles, therefore, make detailed reference to the
responsibilities of the board.
OECD principles of corporate governance
1. Effective corporate governance framework
Promote transparent and efficient markets, be consistent with the rule of law and
clearly articulate the division of responsibilities
2. Rights of shareholders
Protect and facilitate the exercise of the rights of shareholders
3. Equitable treatment of shareholders
Equitable treatment of all shareholders, including minority and foreign
shareholders
4. Role of stakeholders in corporate governance
Recognize the rights of stakeholders and encourage active co-operation in creating
wealth, jobs and sustainability
5. Disclosure and transparency
Timely and accurate disclosure is made on all material matters, including the
financial situation, performance, ownership, and governance
6. Responsibilities of the board
Strategic guidance of the company, effective monitoring of management by the
board and accountability of the board to the company and shareholders.
There are two main approaches to the enforcement of corporate governance
standards. Some countries treat corporate governance requirements as ‘comply or
explain’. In other words, the organization should comply with the requirements or
explain why it was not appropriate, necessary or feasible to comply. If appropriate,
an organization could explain that an alternative approach was taken to achieve the
same result. In these countries, the requirements may be regarded as one means of
achieving good practice, but equally effective alternative arrangements are also
acceptable. Other countries require full compliance with detailed requirements,
although limited alternatives for achieving compliance are sometimes included
within these requirements. In these countries detailed compliance is expected and
exceptions would not be acceptable.
Corporate governance requirements should be viewed as obligations placed on the
board of an organization. These requirements are placed on board members by
legislation and by various codes of practice. Often, these corporate governance
requirements are presented as detailed codes of practice. To start the process of
enhancing corporate governance standards, an organization may develop a code of
ethics for company directors, together with appropriate ‘delegation of authority’
documents. An annual statement of conflict of interest should be required from
directors and training should be provided for the board on corporate governance.
In particular, the board needs to be on the alert for any conflict that may arise
between the interests of management in boosting returns while assuming risks, and
the interests of the company’s longer-term stakeholders. (This kind of conflict of
interest is often referred to in the academic literature as an “agency risk.”)
For example, executives are rewarded with options that they can cash in if the
share price of the company rises above a certain level. Such an arrangement gives
management an incentive to push the share price up, but not necessarily in a
sustainable way.
For example, management might encourage business lines to earn short-term
rewards in exchange for assuming long-term risks. By the time the chickens come
home to roost, managers, including CEOs, may well have picked up their bonuses
or even changed jobs.
The tension between the interests of the CEO and the interests of longer-term
stakeholders helps to explain why boards of directors need to maintain their
independence from executive teams, and why there is a global push to separate the
role of the CEO and the chairman of the board. This all explains why it is
becoming difficult to draw a line between corporate governance and risk
management, and we can see some clear effects of this at an organizational level.

True Risk Governance


The primary responsibility of the board is to ensure that it develops a clear
understanding of the bank’s business strategy and the fundamental risks and
rewards that this implies. The board also needs to make sure that risks are made
transparent to managers and to stakeholders through adequate internal and external
disclosure. The board is responsible for overseeing management and holding it
accountable. It must also contribute to the development of the overall strategic plan
for the firm, taking into consideration how any changes might affect business
opportunities and the strategy of the firm. This necessarily includes the extent and
types of risks that are acceptable for the firm—i.e., the board must characterize an
appropriate “risk appetite” for the firm. To fulfill its risk governance
responsibilities, the board must put in place an effective risk management program
that is consistent with these fundamental strategic and risk appetite choices. And it
must make sure that there are effective procedures in place for identifying,
assessing, and managing all types of risk.
An effective board will also establish strong ethical standards and work to ensure
that it understands the degree to which management follows them. The duty of the
board is not, however, to undertake risk management on a day-to-day basis, but to
make sure that all the mechanisms used to delegate and drive risk management
decisions are functioning properly. The recent financial crisis highlighted the need
to strengthen the role of the board in terms of setting up appropriate committees (as
listed below) with established terms of reference and membership of each of these
committees, which may be established as sub-committees of the board. Reports on
corporate governance standards, concerns and activities should be received at
every board meeting and these papers will often be presented by the company
secretary.
The committees help to translate the overall risk appetite of the bank, approved by
the board, into a set of limits that flow down through the bank’s executive officers
and business divisions. The main committees are:
• risk management committee;
• audit committee;
• disclosures committee;
• nominations committee;
• remuneration committee.
The Audit Committee of the Board
The audit committee is responsible not only for the accuracy of the bank’s
financial and regulatory reporting, but also for ensuring that the bank complies
with minimum or best-practice standards in other key activities, such as regulatory,
legal, compliance, and risk management activities. Audit committee members are
now required to be financially literate so that they can carry out their duties. We
can think of auditing as providing independent verification for the board on
whether the bank is actually doing what it says it is doing. Although some of the
audit committee’s functions can sound quite close to risk management, it is this
key verification function that separates the audit committee’s work from the work
of other risk committees.
To function properly, an audit committee needs members with the right mix of
knowledge, judgment, independence, integrity, inquisitiveness, and commitment.
A nonexecutive director leads the audit committee, and most members are
nonexecutives. The audit committee also needs to establish an appropriate
interaction with management—independent but productive, and with all the
necessary lines of communication kept open. One approach is for the board to gain
the support of a specialist risk advisory director—that is, a member of the board
(not necessarily a voting member) who specializes in risk matters. An advisory
director works to improve the overall efficiency and effectiveness of the senior risk
committees and the audit committee, as well as the independence and quality of
risk oversight by the main board. A key goal of the advisory director would be an
ongoing examination of the interface between corporate governance and risk
management in terms of risk policies, methodologies, and infrastructure.
In terms of specific activities, the advisory director might:
• Participate in audit committee meetings to support members.
• Participate periodically in key risk committee meetings to provide
independent commentary on executive risk reporting.
• Meet regularly with key members of management.
• Observe the conduct of business.
• Provide a high-level educational perspective on the risk profiles
• Share insights on best-practice corporate governance and risk management.

Risk Management Committee of the Board:


The risk management committee of the board is responsible for independently
reviewing the identification, measurement, monitoring, and controlling of credit,
market, and liquidity risks, including the adequacy of policy guidelines and
systems. If the committee identifies any issues concerning operational risk, it
typically refers these to the audit committee for review.
Compensation Committee of the Board
One of the main lessons of the 2007–2009 financial crisis was that compensation
schemes in financial institutions encouraged disproportionate risk-taking with
insufficient regard to long-term risks. Over the previous two decades, bankers and
traders had increasingly been rewarded with bonuses tied to short-term profits or to
business volume, incentivizing them to front-load fees and income and back-load
the risks. Also, the compensation schemes were structured like a call option in that
compensation increased with the upside, but there were no real penalties in the
case of losses. Securities authorities now require public companies to set up a
special board compensation committee to determine the compensation of top
executives.
It is now widely recognized that incentive compensation should be aligned with the
long-term interests of shareholders and other stakeholders, and with risk-adjusted
return on capital.
We’ve described the basic structures and mechanisms for risk governance at the
board level.
How do these structures and mechanisms work together to make sure that the
day-to-day activities conform to the board-agreed general risk appetite and the
limits set by the board and management committees?

How to put roles and responsibilities into practice?

Re-empower risk officers, particularly in financial institutions:


• CROs should report directly to the chief executive officer (CEO) and have a
seat on the risk management committee of the board.
• The CRO should engage directly, on a regular basis, with the risk committee
of the board. The CRO should also report regularly to the full board to
review risk issues and exposures.
• The CRO should be independent of line business management and have a
strong enough voice to make a meaningful impact on decisions.
• The CRO must evaluate all new financial products to verify that the
expected return is consistent with the risks undertaken, and that the risks are
consistent with the business strategy of the institution.
The recent financial crisis highlighted the need to strengthen the
role of the board in terms of:
• Board members need to be educated on risk issues and be given the
means to explore and determine the risk appetite of the organization.
• Board members of the risk committee need some technical sophistication
with regard to the key risk disciplines as well as solid business experience so
that they can build clear perspectives on risk issues.
• The risk committee of the board should remain separate from the audit
committee, as different skills are required for each fiduciary responsibility.
Corporate Governance for a bank
Corporate governance and risk management activities within a financial
organization are strictly governed and regulated. Most financial organizations,
including banks, produce their own internal corporate governance guidelines.
Typically, these guidelines will cover director qualifications, director
responsibilities and the responsibilities and delegated authority of board
committees. The guidelines should also consider arrangements for the annual
performance evaluation of the board and the arrangements for senior management
succession.
The corporate governance structure will normally be a set of governing principles
for the conduct of the board of directors. These governing principles will include
information for board members on dealing with conflicts of interest, confidentiality
and compliance with laws, rules and regulations. A major part of ensuring
adequate corporate governance for a financial institution will be adequate training
and induction for board members. Typically, the orientation programme for new
members of the board will include details of:
• the legal and regulatory framework;
• risk management;
• capital management and group accounting;
• human resources and compensation;
• audit committee, internal audit and external audit;
• communication, including branding.
The global financial crisis has resulted in banks and other financial institutions
reviewing their own corporate governance standards. The review in the box below
provides an overview of a large national bank and sets out criticisms of that bank
in relation to failures of corporate governance.
