This report reviews the corporate governance framework and practices relating to corporate risk management in 27 of the jurisdictions that participate in the OECD Corporate Governance Committee. Against the background of the OECD Principles of Corporate Governance, it describes how various jurisdictions have chosen to implement the Principles relating to risk management.
The report analyses the corporate governance framework and practices relating to corporate risk management, in the private sector and in state-owned enterprises (SOEs). It is based upon a general survey of participating jurisdictions, complemented by three country studies illustrative of different aspects of risk management and corporate governance (Norway, Singapore and Switzerland).
The review finds that, while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated, both externally and internally, including the cost in terms of management time needed to rectify the situation. Corporate governance should therefore ensure that risks are understood, managed, and, when appropriate, communicated.
Following the financial crisis, many companies have started to pay more attention to risk management. This is, however, seldom reflected in changes to formal procedures, except in the financial sector and in companies that have suffered serious risk management failure in the recent past. It appears that most companies consider that risk management should remain the responsibility of line managers.
Responding to public and/or shareholder pressures, some company boards, especially in widely-held companies, have started to review their incentive structures, including through the reduction of potential incentives for excessive risk-taking, notably stock options for top executives. Listed company boards need to be provided with incentive structures that appropriately reward business success, as well as awareness and management of risk.
Existing risk governance standards for listed companies still focus largely on internal control and audit functions, and primarily financial risk, rather than on (ex ante) identification and comprehensive management of risk. Corporate governance standards should place sufficient emphasis on ex ante identification of risks. Attention should be paid to both financial and non-financial risks, and risk management should encompass both strategic and operational risks.
Currently, risk governance standards tend to be very high-level, limiting their practical usefulness, and/or focus largely on financial institutions. There is scope to make risk governance standards more operational, without narrowing the flexibility to apply them to different companies and situations. Experiences from the financial sector can be valuable, even if not necessarily transferable to the non-financial sector. Outsourcing- and supplier-related risks, for example, deserve attention in both the financial and the non-financial sector.
It is not always clear that boards place sufficient emphasis on potentially “catastrophic” risks, even if these do not appear very likely to materialise. More guidance may be provided on managing the risks that deserve particular attention, such as risks that will potentially have large negative impacts on investors, stakeholders, taxpayers, or the environment. Boards should be aware of the shortcomings of risk management models that rely on questionable probability assumptions.
SOEs should follow risk governance practices similar to those of listed enterprises, but this is often not formalised in implementable regulation. Deviations from listed company standards should be duly motivated, and not simply result from the inapplicability of corporate governance codes. Sometimes, SOEs are subject to separate risk management oversight through sectoral regulators, whole-of-government risk management systems, or government audit institutions. Risk oversight of sub-federal level SOEs tends to be less developed and more uneven than at the federal level.
SOE board practices differ, with some countries considering risk as an issue for the whole board, others tasking the board audit committee with the work, and still others establishing risk committees. As in the private sector, these choices are often affected by factors such as the size of the SOE and the sectors in which it operates. Whichever structure is selected, effective oversight needs to be assured. Some countries mandate external auditors to review risk governance in SOEs.
For SOEs, a crucial balance needs to be struck between controlling risk through direct action by the ownership function and through delegation to the board of directors. Some countries curtail SOE risk-taking through top-down rules on activities and liabilities, while others place a high degree of reliance on boards and board committees. The state should ensure that, as part of the nomination process, the boards of directors have sufficient expertise to understand the risks incurred by the SOE. Without intervening in the day-to-day management of SOEs, the relevant ownership function should use all the opportunities it has, both in formulating strategic directives and in its regular ownership dialogues, to ensure that the SOEs have proper risk management frameworks in place.