In the wake of the GFC a push to make risk management performance-based, compulsory, and backed by the full force and sanction of the law is well and truly under way.
Results are out on what is believed to be the first professional debate in the world in the wake of the global financial crisis on whether risk management should be mandated.
The Australian Risk Policy Institute (ARPI) convened a public debate among eminent Australians at the University of Canberra - moderated by high-profile international lawyer Bernard Collaery - with Admiral Chris Barrie AC (retired), Pat Barrett AO, Professor John Braithwaite and Tom McDonald advancing the case for mandating risk management, and Mark Love, John Scott, Rex Deighton-Smith and Miles Pearson advancing the case against regulation.
Announcing the outcome of the debate, ARPI president Tony Charge said: "Risk management needs to be regulated not by mandatory methods, guidelines and practices based on the existing Australian or draft international standards but by performance-based principles with the force and sanction of law.
"This means that governments and industry leaders must apply a set of risk policy principles to ensure that businesses and governments exercise their 'duty of care' to regain and maintain the trust of society in corporate and government decision-making. The global financial crisis was probably avoidable through better, risk-informed decision-making and must not be allowed to recur."
The institute proposes the following risk policy principles to be the subject of a uniform global approach:
- Risk (impacts that might happen) must be part of corporate and government decisionmaking; Boards, leaders and executives must be required by law to take into account risk management;
- Personal legal sanctions must apply to board, leader and executive negligence in failing to consider risks;
- Disclosure of material risks to a business or government to become a legal obligation; Regulatory authorities to have investigative, naming and prosecutorial powers; and
- Boards, leaders and executives to be responsible for promoting a demonstrable culture of risk management through sound "enterprise" or "integrated" risk management practices visibly operating across organisations.
According to ARPI, if this is done "risk" becomes an automatic and informed component of decision-making for global benefit, "compliance" becomes real-time assurance that due processes are operating, and "audit" becomes a management tool of continuous improvement rather than a "shock and discovery" process after the horse has bolted.
"Governments, leaders and executives around the world have tried for decades to make risk management work - but it has remained discretionary and hasn't worked," Charge said.
"Now is the time to take a strategic and positive approach to improve global decision-making, trust and accountability, in the least interventionist way possible. This way, businesses, governments and the public all win and global trust can be rebuilt."
Mandated risk committees
Meanwhile, the US-based Risk and Insurance Management Society (RIMS) has just announced its strong support for the creation of mandated "risk committees" for publicly traded companies.
The formation of such committees represents the direct involvement of an organisation's board of directors in the oversight of the risk management process, and is part of an overall strategy to reduce the likelihood of a future financial crisis.
RIMS has called on Congress to incorporate the concept into its ongoing effort to craft legislation addressing the corporate governance lapses and business practices that played a major role in the recent market turmoil, arguing that "the current system-wide failure to embrace appropriate risk management practices was a major contributor to the financial crisis".
“Governments, leaders and executives around the world have tried for decades to make risk management work – but it has remained discretionary and hasn’t worked”
RIMS's position is that the risk committee concept, applied to financial and non-financial institutions alike, would help ensure that all institutions of a specified size engage in the effective management of risk across their respective organisations. While it does not endorse any particular standard or practice, according to Pete Fahrenthold - vice chair of the Enterprise Risk Management Committee at RIMS and managing director for risk management at Continental Airlines - there are international standards that can be used as the basis for an effective ERM program for a variety of organisations.
Under the RIMS proposal, many small businesses would be exempt from these requirements.
Legislation, including the risk committee proposal, was introduced earlier this year as part of a larger effort by senior Banking Committee member Senator Charles Schumer to make corporations more responsible to their shareholders.
The bill, entitled "Shareholder Bill of Rights", would require all publicly traded companies to establish risk committees comprised entirely of independent directors who would be responsible for establishing and evaluating risk management practices.
"We are working with Senator Schumer's office to modify his proposal to make compliance less onerous and more flexible," Fahrenthold said. "We support an exemption for smaller organisations, and a modification that would allow the number of independent directors on the risk committee to be determined on a sliding scale based on the size of the organisation or the extent to which the organisation's operations might pose more risk to the financial system as a whole.
"We also believe that the function of the risk committee could be incorporated into an already existing audit committee without compromising the integrity of the oversight process. As for the requisite risk management standards, we believe that the recently developed International Standards Organization (ISO) 31000 provides a solid framework without being too prescriptive."
Notably, RIMS asserts that it is essential to include all companies of a certain size under the umbrella requirement for risk committees, rather than focusing exclusively on financial institutions.
It maintains that a broad application of the risk committee concept would ensure that most large organisations have appropriate risk management oversight, thereby protecting their shareholders as well as the pension plans and qualified retirement plans that invest in the debt and equity securities issued by these organisations. It claims this new requirement will close what would otherwise be a gaping hole in the financial system's risk management practices.
In June, the Securities Exchange Commission (SEC) also weighed in on the debate with proposed rules that would require publicly traded companies to disclose the extent of board level participation in the risk oversight process, and the implementation of risk management practices.
According to Fahrenthold, RIMS supports the proposal, but insists it should go further by requiring additional disclosures, including the qualifications of board members charged with the oversight of risk.