UK Corporate Secretaries Suggest Revision of Combined Code to Make Risk Management a Board Duty
The UK corporate secretaries have recommended that the Combined Code, the UK’s corporate governance code, be amended to ensure that risk management is a collective board responsibility at the core of effective corporate governance. In a comment letter to the Financial Reporting Council, the Institute of Chartered Secretaries and Administrators said that setting risk management policy is a matter for the collective board and should not be delegated to a board committee. Further, to ensure that boards give risk management a higher profile, the ICSA urged that the very definition of corporate governance in the Code be amended to provide that good governance should facilitate effective management that can deliver shareholder value within appropriate risk parameters established by the board. The ICSA also reaffirmed its commitment to a comply-or-explain model of corporate governance, specifically rejecting the prescriptive approach to corporate governance embodied in the Sarbanes-Oxley Act.
The financial crisis has shown that a company’s risk appetite must be considered a primary function of the full board. Thus, the Code should encourage the embedding of the consideration of risk within business objectives and strategy and the board should, after consultation with the company’s risk manager, be responsible for setting the risk parameters within which the company should operate.
While the oversight of risk management could be delegated to a board committee, the board should review risk on a regular basis, perhaps at least quarterly, and set out a clear policy that can be implemented by management on a day-to-day basis. Also, good governance requires disclosure of the risk policy and any delegated authorities for the oversight and management of risk within the parameters of that policy.
More specifically, the full board should categorize the types of risk which are acceptable for the company to bear in pursuit of its business objectives. Those which should not be tolerated, either at all or subject only to specified restrictions, should be identified. Upon becoming aware of any violations of the risk policy, executive management or the risk manager should report them to the relevant oversight committee chair, or company chair, who should arrange for a full report to be made to the board at its next meeting on the violation and any corrective action taken.
Further, the glass ceiling that often discourages or even stops risk managers from talking directly to the board has to be broken. The Code should encourage directors, particularly independent directors, to make visits within the business, which are not stage-managed, in order to facilitate interaction by the independent directors with the business managers below board level and to enable direct relationships to be fostered.
Management’s compliance with the board’s policy on risk, as distinct from internal control, should be subject to an annual review as part of any review by the audit committee or other appropriate board committee of the effectiveness of the company’s system of internal control.
The Code should also be amended to provide a greater link between reward policies and risk policies. As part of that effort, the remuneration committee should review all remuneration policies that could influence the firm’s risk profile. Models of performance-related pay that facilitate a culture of pursuing growth contrary to the board’s risk policy should be prohibited. The board should be required to state that the remuneration policy is effective in achieving the appropriate balance between reward and risk, and that meeting any targets would not in fact lead to a position where the risk appetite of the company has been exceeded.
The corporate secretaries group cautioned that the Code should in no way discourage risk taking per se, and perhaps should positively assert that fact. Rather, the extent of the material risks taken should be agreed by the board. At that point, the company secretary, internal audit, or the audit committee can set the framework for the review of the effectiveness of the internal control system, including the implementation of and compliance with the risk policy and report on it to the board or a board committee.