Report: Disclosures on ERM Lacking
The financial crisis has put risk-management practices under the microscope, but public company disclosures related to the subject apparently still have a long way to go.
That’s according to governance research and rating firm GovernanceMetrics International, which found that standardized disclosure of company-wide risk management is lacking.
Of 4,162 global companies covered by GMI, only one-third provide comprehensive disclosure on their enterprise risk management policies in the annual report or other publicly available sources. Far fewer (8.4 percent) disclose they have implemented a nationally or internationally recognized risk-management charter or standard such as COSO’s Integrated Framework for Enterprise Risk Management, according to GMI.
Risk committees of the board are even less common and are sector-specific, according to GMI. Just over one-quarter of companies (27.6 percent) disclose having a combined audit and risk committee, while roughly 6 percent of companies covered by GMI disclose a stand-alone board-level risk committee or sub-committee. Those were most often found among banks (35.1 percent), life insurers (21.3 percent), and non-life insurers (17.6 percent).
Only 1 percent of the companies tracked by GMI have at least one non-executive board member who has general expertise in risk management. Meanwhile, of 1,659 new board members tracked by GMI so far in 2009, 1.4 percent have risk-management expertise, with the banking sector leading the way. Of 227 new board members tracked by GMI at banks so far in 2009, 3.5 percent had risk-management expertise. GMI also noted that the Australia-New Zealand region disclosed the widest use of stand-alone board-level risk committees or sub-committees, at 12.1 percent versus 5.9 percent worldwide.
Howard Sherman, GMI President and CEO, noted that “there clearly is a need for increased transparency concerning companies’ overall approach to risk management.”
Given that ratings agencies such as Standard & Poor’s and Moody’s have begun factoring risk-management practices into their credit ratings, even for non-financial firms, companies may want to pay more attention to their disclosures.
“Our expectation going forward is that companies seen to be taking serious steps to augment risk oversight, especially in the financial sector, will be rewarded by the market,” Sherman said in a statement. GMI noted that it recently added new metrics related to risk oversight to its rating model.
Moreover, a paper prepared jointly by GMI and the Risk Consulting Practice of Marsh Inc., entitled The Importance of ERM During Times of Economic Upheaval (registration required), found that while ERM is gaining momentum globally, it isn’t regularly communicated to investors. The paper, based on a survey of 149 global public companies with average revenue of $4.74 billion in the last fiscal year, found that 75 percent of companies responding currently don’t provide information to investors on their approach to ERM. Of those, 73 percent reported that they have no plans to increase the amount of information they provide within the next 12 months.
While the vast majority of respondents to that survey (79 percent) indicated their companies employ a formal ERM program, most are either in the infancy of formal development (28 percent) or mature with opportunities for improvement (48 percent), according to the report. Of the companies that currently don’t have a formal ERM program, approximately 40 percent said they intend to employ a formal ERM program in the next 12 months.









Interesting, but not surprising given that there is no regulatory requirement to implement a “formal ERM program”, whatever that means. All registrants will disclose risk factors in their filings and will do something around the risk management topic given existing compliance / listing standards requirements, but until there is a regulatory requirement to do so, implementing a “formal ERM program” will remain a “good practice” - i.e., optional, much as use of the COSO Framework for internal control reporting purposes was pre-Sarbanes.
Frameworks, although a good starting point, are not a panacea. I do, however, commend your effort to generate discussion on this topic.
Comment by H.W. Willoughby — July 8, 2009 @ 5:02 pm