Boards of directors are now thoroughly immersed in enterprise risk management, so much so that separate risk oversight board committees are fast becoming common practice. (See this Doug’s Note.) Boards and management continue, however, to work out the logistics of their respective roles and how best to coordinate their risk-related efforts.
Certainly careful board/management coordination is necessary to ensure that ERM is handled efficiently and effectively. However, this recent article from Protiviti suggests that proper board oversight also requires that it preserve some distance from management by utilizing the old board concept of executive sessions.
Why executive sessions?
It is critical to effective risk management that all significant enterprise-wide risks be identified and properly assessed. The company must also establish, as a matter of policy, its “appetite” for each risk component and for the company as a whole. It is essential that the board have the opportunity to discuss such matters outside the purview, and the potentially disproportionate influence, of senior management.
The new COSO 2013 Internal Control—Integrated Framework emphasizes proper risk management as a key to effective internal control and highlights independent director risk oversight as a key component of that process. COSO 2013 notes that the board must establish a “control environment” that effectively manages the risk of “management override,” by which it means any management actions that might supersede the company’s established controls or standards of conduct. It specifically mentions executive sessions as an important tool in that effort.
It is important that the board have the opportunity to discuss potentially sensitive risk-related issues outside of management’s presence. Regularly scheduled executive sessions of the board or the relevant board committee (with risk management on the agenda) provide an efficient and effective mechanism for doing so.
How should executive sessions be used?
As with most governance-related matters, there is no single best practice for conducting executive sessions. The same questions must be addressed in the context of enterprise risk as with any other use of executive sessions:
- How often should they be held? (NYSE and NASDAQ require that the board meet “regularly” in executive session.)
- When should they be held?
- Who should lead them?
- Other than the non-management directors, who should attend (for example, attorneys, consultants, etc.)?
- Should there be an agenda?
- What is the proper scope of minutes of the meetings?
- How much should be communicated to management after the meetings and by whom?
The answers will vary depending on each company’s culture and the board’s regular patterns of behavior. Nevertheless, it is useful to consider appropriate modifications to established practices to employ executive sessions as a supplemental tool for enhancing enterprise risk management.