
More Thoughts on How Boards Address Risk Management

Matt Kelly | October 25, 2015

Last week I wrote two columns: one on audit committees and the language in their charters that talks about risk; and another about Deutsche Bank’s new effort to improve its culture, and why large businesses seem to have cultures that tolerate misconduct.

I received plenty of feedback on both columns. On the piece about audit committee charters and how rarely they use the word “risk,” numerous people said a simple count of how often the word “risk” appears in the charter isn’t fair; audit committees talk plenty about risk behind closed doors, even if the charter doesn’t spell out how they should think about risk.

On the piece about Deutsche Bank—where I tried to tease out the flaws in large companies that lead to bad culture, whether that manifests as illegal conduct at a bank or slaveshop pressure at Amazon.com—the best comment came from one John Cunningham, who said this:

[T]he cure is redefining success, incentivization and compensation structures, under the principle that the risk and compliance disciplines reside between the human natures of greed and fear.

Hmmm. Not only are those good points individually, I thought; they are good points that lead to another question—how often the compensation committee talks about risk.

So like I did previously with the audit committees, I pulled out the charters for a bunch of compensation committees and started counting.

The results are not good, and that matters because Cunningham is right: flawed compensation plans can pressure managers to cut corners on product safety, bet too big on certain investments, pressure other employees to work too much, or wreak all manner of other havoc. Pressure to succeed—and at its heart, that’s what compensation is—can be disastrous if it is not governed properly. Governing it is the job of the compensation committee, and overall, boards are entirely too loosey-goosey about how the comp committee should approach that task.

Once again, my research was simple: I looked at the compensation committee charters of the Fortune 50 and counted the number of times the word “risk” appeared in each charter. The median number across all 50 companies: 1. I also counted the number of times the words “unnecessary” or “excessive” appeared, under the theory that companies are supposed to disclose how their compensation plans might cause employees to take excessive or unnecessary risk.

Median number of times those two words appeared in the charters for those 50 companies: zero.

But just like my prior research on audit committee charters, the same pattern emerged—if your board also has a separate risk committee, your compensation committee had the word “risk” in its charter more often. Among those 10 companies in the Fortune 50 that do have risk committees, the median number for “risk” in the compensation charter was 3.5; for “unnecessary” or “excessive,” the median was 1.5.

This time I did pay more attention to how the word “risk” was used in the charter. Even put into that context, the news remains not good. Some companies (Amazon.com, for example) talk about risk only in terms of CEO succession—which is a very different risk than the corrosive effects of too much pay or too much compensation based on hitting sales goals by any means necessary.


Exxon Mobil’s charter directs the compensation committee to assess risk “as defined by SEC rules,” which is as bland and check-the-box as you can get about risk. Other charters have the committee assess whether compensation risks “will cause any material adverse effects to the company,” which I put in the same bland category.

And 12 of the Fortune 50—including Walmart, Apple, IBM, Johnson & Johnson, Procter & Gamble—have no mention of “risk” in their compensation committee charters at all. (Costco has the notorious distinction of being the only company that omits “risk” from both compensation and audit committee charters.)

One criticism of my look at committee charters will be this: that investors are far more interested in how often risk is mentioned in the Management Discussion & Analysis or the Compensation Discussion & Analysis than they are in how risk is addressed in any audit or compensation charter. That’s a fair point, even if many MD&A and CD&A disclosures are rather boilerplate. But I would make a distinction between those disclosures, which announce to investors what risks worry the company; and how risk is addressed in the charters—which is important, because that tells the directors how they should think about risk.

That’s what boards and their respective committees need to achieve, really—a systematic approach to thinking about risk and risk management. We all already run around telling ourselves cybersecurity should be managed as a process, for example, but that’s only one slice of the pizza. All significant risks should be managed by a process, within the organization and at the board level too. Heck, even my crude research shows one step in that process: have a separate risk committee. For whatever reason, that alone seems to make your other committees address risk more seriously.

Matt Kelly has been editor of Compliance Week for 10 years. He will step down from that role at the end of this year. You can find him on LinkedIn at www.LinkedIn.com/in/mkelly1971 or on GoogleTalk at MattCompliance@gmail.com
