Post a comment
Print articleDirectors and Risk Management
May, 2011 - André Laurin and André Vautour
Risk management is a key element in the management of an enterprise, which its management team is responsible for.
Risk management must be a part of a board’s charter in keeping with best governance practices.
Adhering to a director’s duty of care involves participating, to a certain extent, in risk management.
In the event that a risk which causes damages occurs, a director’s adherence or non‑adherence to the duty of care should be assessed by taking into account the circumstances and comparing the measures taken with those taken by other comparable organizations.
A director’s non-adherence to the duty of care respecting risk management may result in the director being held personally liable.
The risk management process involves risk assessment (identification, analysis and assessment) and risk treatment (selecting treatment options, developing and implementing plans, monitoring and review).
The risk management process is enterprise‑specific; it must be in line with the orientations and objectives of the enterprise and its risk appetite.
A high risk of violating the law or causing property damage or physical injuries to others is not a tolerable risk and must be the subject of treatment or prevention measures.
The selection, assessment and compensation of executives play a crucial role in the risk management process at the board level.
Planning and preparing successors constitute a particularly significant risk management challenge in SMEs and family-owned businesses.
“Nothing ventured, nothing gained”.
INTRODUCTION
Risk management has always been a part of an enterprise’s management profile. Historically, boards of directors did manage risk, albeit in a less systematic way.
Greater emphasis has been placed on this aspect of management over the last few years. Thus, the practices which were recommended to Canadian reporting issuers with respect to governance emphasized the need to include risk management in the board of directors’ mandate.1 In the United States, the Securities and Exchange Commission (“SEC”) requires reporting issuers to disclose the risk management actions they have taken.2
Moreover, numerous situations received significant media coverage. In this last respect, and only as examples, it is worth mentioning the recent sagas of the commercial paper and of BP’s drilling platform in the Gulf of Mexico.
There have also been many publications about this issue, and an ISO standard was even recently adopted by the Canadian Standards Association.(3) This standard reproduced, without modification, the identically entitled standard adopted in 2009 by the International Organization for Standardization.4 Many documents include, in one way or another, the same approach as the ISO-31000-10 standard, which provides a clear and detailed summary of the risk management process.
As can be seen from the standard and other documents, risk management is an approach as well as an analysis and implementation method proposed to organizations and their management. This approach and this method are derived from logical reasoning and contain no surprises. There is no sophisticated recipe. An organization’s successful risk management process depends upon the quality of the analysis, enlightened judgment, effective decisions, the accountability of the various levels of the organization and ongoing monitoring. In other words, it does not significantly differ from other aspects of management in an organization.
This bulletin will first position risk management within the context of good corporate governance and directors’ duties and potential liability. It will then propose a process, which directors should follow, not only based upon the authors’ legal knowledge and governance abilities, but also on their experience as directors and officers.
In this newsletter, the terms “enterprise,” “corporation” and “organization” are used equally to describe all types of private and public organizations.
BASIC DEFINITIONS AND CONCEPTS
The ISO standard defines risk as an effect of uncertainty on objectives and completes this definition with the five following notes:
“NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (3.5.1.2) and consequences (3.6.1.3), or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.6.1.1) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequences, or likelihood.”(5)
In 2004, a committee composed of representatives of accountants associations, including the American Institute of Certified Public Accountants, defined the enterprise risk management as follows:
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”(6) (emphasis added)
The Canadian Institute of Chartered Accountants (“CICA”) described the basic concepts of the risk management process as follows:
“Risk management can be a complex process but the basic concepts are very simple. There are really just four choices of risk management strategy:
Avoiding risk by choosing not to undertake certain types of activity
Transferring risk to third parties through insurance, hedging, outsourcing, etc.
Mitigating risk through preventive and detective control measures
Accepting risk, recognizing that the benefits of doing so outweigh the costs of transfer or mitigation.”(7) (emphasis added)
THE NEED TO TAKE RISKS
It is essential to emphasize at the outset that risk-taking is the driving force behind any enterprise. As the saying goes, “Nothing ventured, nothing gained.” Hence, one does not manage risk by refusing to take any initiative or being systematically overcautious. Likewise, one cannot hope to create value without taking risks. The risk management process is based on the reasonable assessment and treatment of risks which may result in material adverse effects should they occur.
RISK MANAGEMENT AND GOOD GOVERNANCE
Different definitions have been given to the expression “corporate governance”. In practice, corporate governance is composed of all the processes and systems designed and implemented to enable any entity to achieve its objectives. Among other things, it involves describing the tasks and mandates of the various levels within the organization as well as implementing controls and verifications.
In the Peoples’ case, the Supreme Court of Canada established a link between good corporate governance and the protection against the directors’ potential liability:
[64] “The establishment of good corporate governance rules should be a shield that protects directors from allegations that they have breached their duty of care.”(8)
It is almost universally recognized that the establishment of a risk management process constitutes a major part of the management and governance of an enterprise, as well as of the board of directors’ mandate or charter. In other words, risk management is at the core of an organization’s good corporate governance practices.
Recent surveys carried out by Marsh(9) and Aon(10) also revealed that reporting issuers increasingly focus on the issue of risk management.
Small to medium-sized enterprises (SME) and not-for-profit organizations (NFO) typically do not have the same resources as large organizations. However, this does not obviate the need for them or any other type of public and private organizations, such as educational institutions, hospital institutions and co-operatives, to manage their risks according to their means.
Although the management team is responsible for managing risk on a day‑to‑day basis, the board must encourage, understand, assess the effectiveness of, adopt, monitor, and, above all, support risk management within the enterprise.
RISK MANAGE MENT AND THE DUTY OF CARE OF THE DIRECTORS
The two (2) main duties of the directors are the duty of loyalty and the duty of care, which are defined as follows:
Fiduciary duty (loyalty): act honestly and in good faith with a view to the best interests of the organization
Duty of care: exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances(11)
Risk management is a part of the duty of care. However, this duty is analyzed and interpreted by the courts as an obligation to use reasonable means given the circumstances and not as an obligation of result. The analysis as to compliance with the duty of care is achieved by first defining and understanding the company’s context or situation and then comparing the means taken by the company with those which a prudent person would take in similar circumstances. In the Peoples’ case the Supreme Court of Canada summarized in the following terms how the courts should interpret this duty of care:
“[67] Directors and officers will not be held to be in breach of the duty of care under s. 122(1)(b) of the CBCA if they act prudently and on a reasonably informed basis. The decisions they make must be reasonable business decisions in light of all the circumstances about which the directors or officers knew or ought to have known. In determining whether directors have acted in a manner that breached the duty of care, it is worth repeating that perfection is not demanded. Courts are ill-suited and should be reluctant to second-guess the application of business expertise to the considerations that are involved in corporate decision-making, but they are capable, on the facts of any case, of determining whether an appropriate degree of prudence and diligence was brought to bear in reaching what is claimed to be a reasonable business decision at the time it was made.”(12) (emphasis added)
The applicable level of intensity of the duty of care increases according to the magnitude or severity of the potential adverse effects of the occurrence of the risk as well as the knowledge and improvement of peer practices on the subject. Thus, directors of oil companies preparing to install drilling platforms in open sea in 2010 or at a later date cannot overlook either the risks that occurred in the case of BP’s drilling platform in the Gulf of Mexico, or the lack of safety and the inadequacy of the corrective measures which were demonstrated on that occasion. Likewise, directors of investment companies or investment management companies will have to pay particular attention to the use of products or financial plans they do not sufficiently understand.
It is to be noted that, in practice, the means that a director must take evolve with time. Likewise, the means that other parties which provide goods or services or agents or mandataries, which generally perform services for the benefit of another person, are subject to a very similar process. All of them are also subject to an implicit or explicit duty of care. A surgeon cannot, in 2010, perform surgery in the same way surgeons did at the turn of the last century. A building contractor who has to fill the ground on which a building is to be built and an engineer who chooses or approves the filling materials can no longer, in our day, use pyrite without breaching their duty of care.
THE POTENTIAL DIRECTORS’ LIABILITY WITH REGARD TO RISKS
The duty of care, or more precisely the failure to abide by it, may open the door to a claim for liability and damages against the director by the organization (or through a derivative action, possibly by shareholders or members of the organization, for instance) of which he is a director or by third parties.
A director may be held liable in the event that a risk producing adverse effects occurs where he failed to take preventive action that could reasonably have been taken while such preventive action was taken by other organizations of the same type, in similar circumstances and at the time the decision to take the risk was made.
MAIN ELEMENTS OF THE RISK MANAGE MENT PROCESS
The ISO 31000-10 standard, previously referred to, describes the two main elements of good risk management as well as their respective components:
1. risk assessment (risk identification, analysis and evaluation); and
2. risk treatment (selecting risk treatment options, developing and implementing risk treatment plans, monitoring and review). 13
Risk assessment
Factors which must guide the risk assessment process include the nature of an enterprise’s activities, its mission and objectives, the environment or internal and external context of its activities, the consequences or effects on the organization and third parties of a risk occurring as well as the degree of probability of such occurrence, the severity of the effects and consequences as well as the relative importance of the risk.
Risk treatment measures
In selecting risk treatment measures, one must take into account, among others, the following:
the analysis of the best practices of comparable organizations involved in the same industry segment
* the actual availability of treatment measures
* the financial and human resources which are available to the organization
* the anticipated relative effectiveness of each available measure
* the relative costs of implementing the available measures
* the enterprise’s degree of risk tolerance or risk appetite if such a risk is tolerable at all.
It should be pointed out that Hugh Lindsay of the CICA, in his previously mentioned text, commented that an enterprise truly has but four options, which may be combined: avoiding, transferring, mitigating or accepting the risk.
Once measures are developed and chosen, they must be implemented and monitored. This involves selecting persons within the company who will be responsible for implementing the measures, following up on and controlling such implementation and conducting regular assessments of the quality of the implementation and the effectiveness of the measures taken.
It is also important to mention the need to adapt the risk management process to the reality of each organization, as indicated in several of the documents previously referred to. AON’s report summary on the survey, carried out during the third quarter of 2009 and entitled “Global Enterprise Management Survey 2010”, summarizes this need as follows:
“It is clear from the survey findings that the ERM journey is organic in nature and unique for each organization; it cannot be completed with a cookie-cutter approach. The objective is to have ERM rooted in an organization’s individual culture, management processes and strategic vision, leading to enhanced riskbased decision making. Advanced practitioners have honed this capability and are better positioned to capitalize on emerging opportunities.”(14) (emphasis added)
An enterprise’s strategic orientations and its organizational culture influence its risk appetite.
DISTINCTION BETWEEN TYPES OF RISKS
One can make the following distinctions: (a) firstly, between the risks involved in an investment or a significant capital expenditure and business risks that may be defined as risks relating to the operations which are not carried out in the ordinary course of business and operational risks in the ordinary course of business (class factor) (b) secondly, between tolerable risks and risks that cannot be tolerated (tolerance factor), (c) thirdly, between the risks involving severe consequences and risks involving minor consequences (severity factor) and (d) fourthly, between the high or low foreseeable probability of the risk occurring (foreseeability factor).
These distinctions are not all at the same level: they intersect and may be combined in whole or in part. Nevertheless, they make it possible to establish certain criteria and parameters.
Category of the risk
An investment in the form of a significant purchase of assets or shares or of a major capital expenditure is usually the subject of an opportunity analysis, a comparative analysis of the solutions available and a study of the projected return on investment. Business risks evolve constantly and depend on the internal context (e.g. productivity, capacity, etc.) and external factors (e.g. new competitors, new products or services, the cost of raw material, the cost of credit, exchange rates, etc.). The latter risks must therefore be re‑evaluated regularly.
As previously mentioned, an organization which wants to succeed must take initiatives and thus assume certain risks in accordance with its objectives. If the future could be predicted and the positive results of measures were certain, everybody would probably take the same measures. However, the final outcome of many decisions is not always certain. Hence, there will always be risks.
Risk tolerance
A distinction must be made between, on the one hand, risk tolerance or the degree of risk appetite and, on the other hand, the tolerability of the risk. A negligent or illegal behaviour or the failure to comply with regulatory requirements is not a tolerable risk. Therefore, the decision to endanger the lives of employees, pollute the environment, or even violate the law cannot be subject to the same assessment as the decision as to whether or not to buy another enterprise. In the first case, measures must be taken whereas, in the second case, the director is left with a certain discretion as to the measures to be taken. In the second case, a director is guided by the assessment of the chances of success and the reasonable projected return, taking into account the enterprise’s financial capacity and strategy. It is only in this second case that risk tolerance may reasonably be assessed.
In 2008, IBM carried out an analysis of the financial institutions’ level of risk tolerance or risk appetite. The results of this analysis revealed, among other things, that the risk appetite must reflect the enterprise’s business strategy and the relative importance of this propensity varies according to the type of decisions or risks:
“The survey participants unanimously agree with this statement. One important consequence is the recognition that any risk measure is not fully relevant if dissociated from its strategic context (just as a temperature of 16 degrees is neither ‘hot’ nor ‘cold’ unless put in context).
More specifically, the respondents believe that risk appetite is a critical consideration when evaluating strategic decisions, especially those concerning mergers and acquisitions, product portfolio and geographical expansion. By contrast, using risk appetite as an input to drive transformational projects was given a relatively lower priority. While organizational and operational design are part of the strategy, survey participants indicate that their relationship with risk and profitability profiles is less direct than for the other components.”15 (emphasis added)
Severity of the risk
Obviously, the potential severity of the negative effects or consequences of the occurrence of a risk affects its assessment and the determination of its tolerability. In other words, the amount of attention and level of care a director must display in respect of a given risk increases proportionally with the severity of the negative consequences involved.
Foreseeability
The degree of foreseeability or the probability that a risk will occur also influences its assessment and the treatment measure which must be taken, according to circumstances. The more probable the occurrence of the risk is, the more carefully the decision must be considered and prudent and the more significant the measures for the prevention or reduction of adverse consequences must be. Thus, the fact that an organization and its directors choose to go ahead with a project which will very likely cause damages to a third party may be perilously close to be deemed an intentional fault or even wilful blindness. Such could be the case, for example, for an organization that decides to market a product knowing that it is deficient or dangerous or another organization that decides to continue the use of a site, plant or equipment which fails to comply with the applicable regulatory or safety requirements, thus endangering its workers. Mining accidents, the sagas of drilling platforms in open seas, breast implants, tobacco, known defects in automobiles and side effects of medication are examples of the stakes involved in making decisions with regard to their probability of causing damage.
LIST OF CERTAIN TYPES OF RISKS
We have no intention of, nor will we attempt to draw a comprehensive picture of the various possible risks. However, we can identify some types of risks which are common to a great number of enterprises:
* financial risks including credit risks, risks of liquidity shortage, exchange rates, cash position, use of derivatives, etc.
* risks of property damage or loss
* risks of prosecution or lawsuits and risks of civil liability (whether contractual or extra-contractual) including against the directors and officers
* risks of business interruption
* risks of data loss or theft
* risks related to defamation
* technological risks
* risks related to human resources (insufficiency, incompetence, labour disruptions, succession, industrial accidents, pandemics, etc.)
* risks of violation of, or non-compliance with the law
environmental risks
* risks related to procurement (accessibility, price, inventory size, etc.)
* contractual risks
* risks related to customers (defaults, failure to perform or improper performance, non-payment, insolvency, etc.)
* product risks (defects, obsolescence, etc.)
* competition risks
* risks related to the titles of ownership and intellectual property rights
* political risks
CASE LAW AND TRENDS
Case law does not deal directly with risk management by directors. However, the courts have often been called upon to determine whether or not directors had carried out their duty of care in the circumstances of the proceedings instituted against them. In the majority of these cases, the courts base their decision on the analysis of the level of duty of care and prudence exercised by the directors prior to making the decision in the circumstances described in the statement of claim. Here are a few comments from the Supreme Court, as previously quoted in this newsletter:
“They [the courts] are capable, on the facts of any case, of determining whether an appropriate degree of prudence and diligence was brought to bear in reaching what is claimed to be a reasonable business decision at the time it was made.” 16 (emphasis added)
Here are some examples:
* the directors of a subsidiary of Cogeco were found liable in having accepted the risks of damage to the reputation of third parties resulting from defamatory remarks of a radio host (André Arthur) as well in failing to properly supervise his activities and not having intervened quickly enough to stop the defamatory remarks; 17
* the directors of Caremark 18 and Stroh Brewery 19 were not held liable for the employees’ violation of the law because policies and supervision methods for the activities of the corporation’s representatives had been set up and implemented.
It is obvious that
* there is a growing tendency to institute legal proceedings against directors;
* the quality of the analysis that a board conducted prior to making a decision and the measures taken to avoid causing damages constitute important factors of exculpation or attenuation of liability; and
* activities likely to cause serious damages to third parties or employees and particularly the risk management process which the board adopted with respect to the operations of the enterprise will be henceforth examined under a magnifying glass both by the sector stakeholders prior to any occurrence of the risk and by the victims and their relatives in the event of the realization of the risk.
The recent financial crisis, the many decisions or situations which caused it and the incidents in the Gulf of Mexico triggered or focused the attention of the victims and stakeholders, as did the incidents which occurred in the United States, primarily in Pennsylvania, in relation to shale gas development, as well as the debate which arose in Quebec on the same issue.
ADDITIONAL THOUGHTS ON THE BOARD’S INVOLVEMENT IN RISK MANAGEMENT
The form and terms of the board’s involvement will obviously vary according to the type of organization, its mission, size and activities as well as its financial and human capacity.
The forum to deal with risk management at the level of the board may be the board itself or a committee of the board fully or partially dedicated to that issue.
Regardless of the type of forum or organization, certain measures have to be taken by any board of directors:
* requesting management to submit a systematic and organized risk management process and the approval of such a plan
* understanding the risks facing the enterprise
* obtaining confirmation or validation of the management’s conclusions by external experts and comparing such conclusions with the best practices of other organizations of the same industry
* following-up on the establishment of both the projects and risk mitigation measures, including the comparison between the results and the initial evaluation in order to measure the credibility of the evaluations in the future, the assessment of the effectiveness of the measures taken and the identification of the additional measures that should be taken
* participating actively and in an informed manner in the selection and evaluation of the executives as well as aligning their compensation with compliance with risk management measures and the organization’s risk appetite.
As witnessed by several cases reported by the media, contributing factors in the failure of certain investments or projects included the board’s lack of understanding of what was presented to them or of the market (for example, sophisticated financial products), exaggerated optimism or significant temerity (for example, the real estate market and insufficient equity or capitalization) and even poorly targeted and planned executive compensation, which induced executives to take risks or choosing projects that were detrimental to the best interest of the organization and its longevity (examples: Nortel, Enron.).
Choosing executives probably represents the most important tool a board has to manage the risks of the company. The quality of the processes governing recruitment, career development, assessment and compensation probably is the cornerstone of any risk management process.
In the case of many family-owned businesses and SMEs, the succession, particularly the planning and training of successors, constitutes the main challenge of the board of directors.
One must realize that there are limits to what a board can control and verify. However, if the current executives are competent, reliable and honest and if their compensation is well aligned with the organization’s objectives, the board undoubtedly has implemented the best protection it can against the occurrence of undesired risks and their negative effects.
SMES, NFOS AND OTHER TYPES OF ORGANIZATIONS
SMEs and their directors are not free from legal proceedings similar to those larger enterprises may have to face.
As for most NFOs, the nature of their activities does not put them at a high risk of being sued. However, the financial risks are real for many of them, considering their low revenues. Moreover, NFOs that organize cultural, social, political or artistic events that attract a significant number of spectators or participants (e.g. the incident which occurred in the summer of 2010 in Germany), those that provide care for the elderly or the handicapped (ill treatment causing death or significant damages), as well as those that deal with children in the context of sports activities (sexual abuse, motor vehicle accidents, etc.) should be concerned about the risks involved in conducting their activities.
Indeed, beyond the risks of legal proceedings, good corporate governance of SMEs and NFOs relies on the adoption of a risk management process. The financial precariousness of several SMEs and NFOs should also prompt them to adopt a prudent management approach that obviously includes risk management.
Most comments and recommendations formulated in this newsletter are also relevant and valid for other types of organizations such as educational institutions, hospital institutions and government corporations. Clearly, the financial risks of these organizations are not analyzed in the same way and the mission, framework and control of several of these organizations limit the inventory of measures available. This does not eliminate, however, the need to adopt a risk management process.
Since a sufficient amount of free tools is available to enable SMEs, NFOs and other organizations to adopt a risk management process at a relatively small cost, costs should not be an obstacle to adopting such a process.
CONCLUSION
All organizations should adopt a risk management process. This is not only a part of good corporate governance but it also enables directors to abide by their duty of care.
The first table below summarizes the main elements of a risk management process whereas the second table describes anew the measures that should be taken by a board of directors.
RISK MANAGEMENT PROCESS
1. Define clearly and understand the organization’s objectives and orientations, its organizational culture, the external context in which it operates as well as its propensity for taking risks.
2. Identify risks which are specific to the organization by using the grid or list of risks proposed in this bulletin.
3. Analyze and evaluate these risks according to their tolerability, foreseeability or probability of occurrence, their severity (low, medium, high), their effects and consequences (minor, moderate, severe) as well as the organization’s propensity for taking risks.
4. Identify treatment options and assess the organization’s capacity to use those options and the associated costs.
5. Choose between avoiding, transferring, mitigating or accepting each significant risk identified and, when applicable, the transfer or mitigation measures.
6. Designate persons in charge of implementing the risk management process within the enterprise, communicate and execute.
7. Monitor and supervise the implementation of the treatment measures.
8. Evaluate the efficiency of the risk management process on a regular basis.
9. Adapt and improve the risk management process on a regular basis.
A BOARD'S TOOLS
* Requesting management to submit a systematic and organized risk management process and the approval of such a plan.
* Understanding the risks facing the enterprise.
* Obtaining confirmation or validation of the management’s conclusions by external experts and comparing such conclusions with the best practices of other organizations in the same industry.
* Following up on the establishment of both the projects and risk mitigation measures, including the comparison between the results and the initial evaluation in order to measure the credibility of the evaluations in the future, the assessment of the effectiveness of the measures taken and the identification of the additional measures that should be taken.
* Participating actively and in an informed manner in the selection and evaluation of the executives as well as aligning their compensation with compliance with risk management measures and the organization’s propensity for taking risks.
Footnotes: 1. - National Policy 58-201, Corporate Governance Guidelines, section 3.4(c). 2. - Rule 30-9089, U.S. Securities and Exchange Commission. 3. - CAN/CSA-ISO-31000-10: Risk management - Principles and guidelines. Canadian Standards Association. 6. - Enterprise Risk Management - Integrated Framework Executive Summary, September 2004, Committee of Sponsoring Organizations of the Treadway Commission, page 2. 7. - Hugh Lindsay, 20 Questions Directors Should Ask about Risk, 2nd Edition, Canadian Institute of Chartered Accountants, page 2. 8. - Peoples’ Department Stores Inc. v. Wise, [2004] S.C.R. 461. 9. - Excellence in Risk Management VII, “Elevating the Practice of Strategic Risk Management”, April 2010, Marsh. 10. - “Global Enterprise Risk Management Survey 2010”, AON Corporation. 11. - Articles 321 et seq. of the Civil Code of Québec namely section 322 and section 122 of the Canada Business Corporations Act. 12. - Loc. cit. supra note 8. 13. - Section 5, mainly paragraphs 5.4 and 5.5 of the document referred to in note 3. 14. - Global Enterprise Risk Management Survey 2010, AON Corporation, page 4. 15. - IBM Financial Services, April 2008, Risk appetite: A multifaceted approach to risk management, page 6. 16. - Note 12. 17. - Arthur v. Johnson, 2006 QCCA 138; Carole Julien, J., C.S. Montréal 500-05-042565-984, 2002-10-01 (not referenced). 18. - In re Caremark international Inc. 698 A.2d 959; 1996 Del Ch. LEXIS 125. 19. - R . v. The Stroh Brewery Company Ltd. (File No. T - 1504-02- Competition Bureau). |
Link to article
