Company law is concerned with addressing three main sets of principal/agent problems. These arise out of the relationships between, first, the management and the shareholders as a class; second, majority shareholders and minority shareholders; and, third, the controllers of the company (whether managers or majority shareholders) and non-shareholder stakeholders. There have been two major waves of corporate failures, first in the nonfinancial sector (2001–2003) and then in the financial sector (2007–2009), both of which were attributed in part to failures of corporate governance. As a result, corporate governance and its relationship to risk oversight is a continuing concern around the world, and especially in the United States and Europe. Corporate governance covers a very wide range of topics, and risk management is an integral part of the successful corporate governance of every organization. Most countries in the world place corporate governance requirements on organizations. The purpose of corporate governance is to facilitate accountability and responsibility for efficient and effective performance and ethical behavior. It should protect executives and employees in undertaking the work they are required to do. Finally, it should ensure stakeholder confidence in the ability of the organization to identify and achieve outcomes that its stakeholders value. Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. A basic definition of corporate governance is ‘the system by which organizations are directed and controlled’. Corporate governance is therefore concerned with systems, processes, controls, accountabilities and decision making at the highest level and throughout an organization.
Because corporate governance is concerned with the way that senior management fulfil their responsibilities and authority, there is a large component of risk management contained in the overall corporate governance structure for every organization. Corporate governance is concerned with the need for openness, integrity and accountability in decision making, and this is relevant to all organizations regardless of size or whether in the public or private sector. The Organization for Economic Cooperation and Development (OECD) is an international organization helping governments tackle the economic, social and governance challenges of a globalized economy. The OECD has established a set of principles for corporate governance. These principles focus on the development of an effective corporate governance framework that pays due regard to the rights of stakeholders. The principles require the equitable treatment of all stakeholders and an influential role for stakeholders in corporate governance. Finally, the principles require disclosure and transparency. All of these principles are delivered by the board of the organization and the principles, therefore, make detailed reference to the responsibilities of the board.

OECD principles of corporate governance

1. Effective corporate governance framework: promote transparent and efficient markets, be consistent with the rule of law and clearly articulate the division of responsibilities.
2. Rights of shareholders: protect and facilitate the exercise of the rights of shareholders.
3. Equitable treatment of shareholders: equitable treatment of all shareholders, including minority and foreign shareholders.
4. Role of stakeholders in corporate governance: recognize the rights of stakeholders and encourage active co-operation in creating wealth, jobs and sustainability.
5. Disclosure and transparency: timely and accurate disclosure is made on all material matters, including the financial situation, performance, ownership and governance.
6. Responsibilities of the board: strategic guidance of the company, effective monitoring of management by the board and accountability of the board to the company and shareholders.

There are two main approaches to the enforcement of corporate governance standards. Some countries treat corporate governance requirements as ‘comply or explain’. In other words, the organization should comply with the requirements or explain why it was not appropriate, necessary or feasible to comply. If appropriate, an organization could explain that an alternative approach was taken to achieve the same result. In these countries, the requirements may be regarded as one means of achieving good practice, but equally effective alternative arrangements are also acceptable. Other countries require full compliance with detailed requirements, although limited alternatives for achieving compliance are sometimes included within these requirements. In these countries detailed compliance is expected and exceptions would not be acceptable. Corporate governance requirements should be viewed as obligations placed on the board of an organization. These requirements are placed on board members by legislation and by various codes of practice. Often, these corporate governance requirements are presented as detailed codes of practice. To start the process of enhancing corporate governance standards, an organization may develop a code of ethics for company directors, together with appropriate ‘delegation of authority’ documents. An annual statement of conflict of interest should be required from directors, and training should be provided for the board on corporate governance. In particular, the board needs to be on the alert for any conflict that may arise between the interests of management in boosting returns while assuming risks, and the interests of the company’s longer-term stakeholders. (This kind of conflict of interest is often referred to in the academic literature as “agency risk”.)
For example, executives are rewarded with options that they can cash in if the share price of the company rises above a certain level. Such an arrangement gives management an incentive to push the share price up, but not necessarily in a sustainable way. For example, management might encourage business lines to earn short-term rewards in exchange for assuming long-term risks. By the time the chickens come home to roost, managers, including CEOs, may well have picked up their bonuses or even changed jobs. The tension between the interests of the CEO and the interests of longer-term stakeholders helps to explain why boards of directors need to maintain their independence from executive teams, and why there is a global push to separate the roles of the CEO and the chairman of the board. This all explains why it is becoming difficult to draw a line between corporate governance and risk management, and we can see some clear effects of this at an organizational level.
True Risk Governance
The primary responsibility of the board is to ensure that it develops a clear understanding of the bank’s business strategy and the fundamental risks and rewards that this implies. The board also needs to make sure that risks are made transparent to managers and to stakeholders through adequate internal and external disclosure. The board is responsible for overseeing management and holding it accountable. It must also contribute to the development of the overall strategic plan for the firm, taking into consideration how any changes might affect business opportunities and the strategy of the firm. This necessarily includes the extent and types of risks that are acceptable for the firm—i.e., the board must characterize an appropriate “risk appetite” for the firm. To fulfill its risk governance responsibilities, the board must put in place an effective risk management program that is consistent with these fundamental strategic and risk appetite choices. And it must make sure that there are effective procedures in place for identifying, assessing, and managing all types of risk. An effective board will also establish strong ethical standards and work to ensure that it understands the degree to which management follows them. The duty of the board is not, however, to undertake risk management on a day-to-day basis, but to make sure that all the mechanisms used to delegate and drive risk management decisions are functioning properly. The recent financial crisis highlighted the need to strengthen the role of the board by setting up appropriate committees (as listed below), each with established terms of reference and membership; these may be established as sub-committees of the board. Reports on corporate governance standards, concerns and activities should be received at every board meeting, and these papers will often be presented by the company secretary.
The committees help to translate the overall risk appetite of the bank, approved by the board, into a set of limits that flow down through the bank’s executive officers and business divisions. The main committees are:

• risk management committee;
• audit committee;
• disclosures committee;
• nominations committee;
• remuneration committee.

The Audit Committee of the Board

The audit committee is responsible not only for the accuracy of the bank’s financial and regulatory reporting, but also for ensuring that the bank complies with minimum or best-practice standards in other key activities, such as regulatory, legal, compliance, and risk management activities. Audit committee members are now required to be financially literate so that they can carry out their duties. We can think of auditing as providing independent verification for the board on whether the bank is actually doing what it says it is doing. Although some of the audit committee’s functions can sound quite close to risk management, it is this key verification function that separates the audit committee’s work from the work of other risk committees. To function properly, an audit committee needs members with the right mix of knowledge, judgment, independence, integrity, inquisitiveness, and commitment. A nonexecutive director leads the audit committee, and most members are nonexecutives. The audit committee also needs to establish an appropriate interaction with management—independent but productive, and with all the necessary lines of communication kept open. One approach is for the board to gain the support of a specialist risk advisory director—that is, a member of the board (not necessarily a voting member) who specializes in risk matters. An advisory director works to improve the overall efficiency and effectiveness of the senior risk committees and the audit committee, as well as the independence and quality of risk oversight by the main board.
A key goal of the advisory director would be an ongoing examination of the interface between corporate governance and risk management in terms of risk policies, methodologies, and infrastructure. In terms of specific activities, the advisory director might:

• participate in audit committee meetings to support members;
• participate periodically in key risk committee meetings to provide independent commentary on executive risk reporting;
• meet regularly with key members of management;
• observe the conduct of business;
• provide a high-level educational perspective on the risk profiles;
• share insights on best-practice corporate governance and risk management.
Risk Management Committee of the Board:
The risk management committee of the board is responsible for independently reviewing the identification, measurement, monitoring, and controlling of credit, market, and liquidity risks, including the adequacy of policy guidelines and systems. If the committee identifies any issues concerning operational risk, it typically refers these to the audit committee for review.

Compensation Committee of the Board

One of the main lessons of the 2007–2009 financial crisis was that compensation schemes in financial institutions encouraged disproportionate risk-taking with insufficient regard to long-term risks. Over the previous two decades, bankers and traders had increasingly been rewarded with bonuses tied to short-term profits or to business volume, incentivizing them to front-load fees and income and back-load the risks. Also, the compensation schemes were structured like a call option, in that compensation increased with the upside, but there were no real penalties in the case of losses. Securities authorities now require public companies to set up a special board compensation committee to determine the compensation of top executives. It is now widely recognized that incentive compensation should be aligned with the long-term interests of shareholders and other stakeholders, and with risk-adjusted return on capital. We’ve described the basic structures and mechanisms for risk governance at the board level. How do these structures and mechanisms work together to make sure that day-to-day activities conform to the board-agreed general risk appetite and the limits set by the board and management committees?
How to put roles and responsibilities into practice?
Re-empower risk officers, particularly in financial institutions:
CROs should report directly to the chief executive officer (CEO) and have a seat on the risk management committee of the board. The CRO should engage directly, on a regular basis, with the risk committee of the board. The CRO should also report regularly to the full board to review risk issues and exposures. The CRO should be independent of line business management and have a strong enough voice to make a meaningful impact on decisions. The CRO must evaluate all new financial products to verify that the expected return is consistent with the risks undertaken, and that the risks are consistent with the business strategy of the institution. The recent financial crisis highlighted the need to strengthen the role of the board in terms of:
• Board members need to be educated on risk issues and be given the means to explore and determine the risk appetite of the organization.
• Board members of the risk committee need some technical sophistication with regard to the key risk disciplines as well as solid business experience, so that they can build clear perspectives on risk issues.
• The risk committee of the board should remain separate from the audit committee, as different skills are required for each fiduciary responsibility.

Corporate Governance for a Bank

Corporate governance and risk management activities within a financial organization are strictly governed and regulated. Most financial organizations, including banks, produce their own internal corporate governance guidelines. Typically, these guidelines will cover director qualifications, director responsibilities and the responsibilities and delegated authority of board committees. The guidelines should also consider arrangements for the annual performance evaluation of the board and the arrangements for senior management succession. The corporate governance structure will normally be a set of governing principles for the conduct of the board of directors. These governing principles will include information for board members on dealing with conflicts of interest, confidentiality and compliance with laws, rules and regulations. A major part of ensuring adequate corporate governance for a financial institution will be adequate training and induction for board members. Typically, the orientation programme for new members of the board will include details of:

• the legal and regulatory framework;
• risk management;
• capital management and group accounting;
• human resources and compensation;
• audit committee, internal audit and external audit;
• communication, including branding.

The global financial crisis has resulted in banks and other financial institutions reviewing their own corporate governance standards.
The review in the box below provides an overview of a large national bank and sets out criticisms of that bank in relation to failures of corporate governance.