Only 42% of board members surveyed have formal practices and policies in place to address reputational risk.

Corporate directors could find themselves exposed to liability if they fail to keep pace with evolving best practices in enterprise risk management (ERM), according to new study by The Conference Board.

Since ERM processes have improved in some companies, many corporate directors could be functioning with a false sense of security, the study points out. New legal requirements are steadily suggesting that directors should ensure that their companies have a "robust" ERM program.

The report, authored by Carolyn Kay Brancato, Matteo Tonello, and Ellen Hexter of The Conference Board, is entitled The Role of the U.S. Corporate Board of Directors in Enterprise Risk Management. These findings are based on a comprehensive research effort on the topic that incorporated personal interviews with 30 board members, analysis of Fortune 100 board committee charters, and a broad survey of 127 board members. The report has not yet been released, but is forthcoming.

Dr. Brancato, Director of The Conference Board Governance Center and Directors' Institute, said today: "Our research shows many directors believe they have a good handle on the risks their companies face. But since many directors tend to approach risk more on a case-by-case basis, they may not have adequately robust and systematic enterprise risk management processes in place."

The study shows that financial services tend to have more developed ERM processes and may therefore set the standard by which other industries will be measured.

Chief Risk Officers Gaining Clout
In addition to the CEO, the corporate executive most frequently cited by directors as responsible for informing the board on risk issues is the CFO (71% of companies). However, at a growing number of companies, a Chief Risk Officer is cited as the person informing the board and appears to be an increasingly visible company executive (for instance, in 16.1% of financial companies, up from virtually none a few years ago).

False Sense of Security?
Dr. Gunnar Pritsch, a partner of McKinsey & Company, who collaborated with The Conference Board on the study, said: "Things have definitely improved since we did a similar survey in 2002." Data in 2002 showed that 36% of directors did not believe that they had a full understanding of the major risks facing their companies. By 2006, that percentage decreased to 10.5%. However, he also said that "Boards still have a way to go. Directors serving on multiple boards reported significant variations in the quality of the risk dialogue and fewer boards seem to have well established risk processes."

Dr. Brancato reports: "There may indeed be a false sense of security among those directors reporting that they have a full understanding of the company's risks. When we asked directors personally, many said they approach risk on a case-by-case basis in connection with a specific strategic issue such as a merger or acquisition or the entrance into a new market. This may not constitute a sufficiently robust process to satisfy directors' fiduciary responsibilities."

The new research found significant differences in how directors understand risk and how their companies manage risk. Moreover, directors may have more of a top down understanding of risk. The Conference Board study finds: Although 89.5% of directors say they fully understand the risk implications of the current strategy;

Only 77.4% of directors say they fully understand the risk/return tradeoffs underlying the current strategy.

Only 73.4% of directors say their companies fully manage risk.

Only 59.3% of directors fully understand how business segments interact in the company's overall risk portfolio.

Only 54.0% have clearly defined risk tolerance levels.

Only 47.6% of boards rank key risks.

Only 42% have formal practices and policies in place to address reputational risk.

Directors are, however, sensitive to the need for additional information:

While 71.8% of directors believe they have the right risk metrics and methodologies in making strategic decisions, 47.6% of directors would like to see more data analysis related to the company's risk profile.

Financial Services Companies Out in Front on ERM
Financial service company directors report a higher level of routine consideration of all major risks compared to considering risks only when management brings them to the board. Two major findings:

55% of financial directors report the board considers all major risks including strategic risks versus only 25% of nonfinancial directors (compared with an average of 39% for all directors).

27% of financial directors report they consider risks primarily when management brings them to the board, versus 50% of nonfinancial directors (compared with an average of 39% for all directors).

The Conference Board study suggests that standards used in the banking and insurance industries may set the pace for all companies. This factor may be increasingly important to directors in determining their exposure to liability for failing to meet their fiduciary duties - as the courts may increasingly look to comparative "best practice" standards by which to measure directors' performance of fiduciary duties of care, loyalty and good faith.

Beyond Audit Committees
The board committee charter analysis of the Fortune 100 companies indicated that about two-thirds of corporate boards place board risk responsibility in the audit committee. Caryn P. Bocchino of KPMG's Audit Committee Institute, who also worked with The Conference Board on the study, discussed the organizational aspects of board oversight of risk management. She noted: "Although it's clear that the audit committee is the most common place for risk management oversight responsibility, audit committees are already heavily involved with their basic financial reporting risk responsibilities. Boards may consider assigning the non-financial reporting aspects of risk management oversight to another committee in coordination with the audit committee." Dr. Brancato also noted that giving the more operational aspects of ERM to another committee might be beneficial; then the audit committee and this other risk-related committee would report to the full board. In fact, the study finds that, in addition to the 66% of companies where the audit committee is the sole repository of risk oversight, in 23% of companies another committee shares this responsibility with the audit committee.

A few, mostly financial, institutions have established separate Risk Committees with an integrated view on all risks the company faces (of the companies surveyed, 16% in the financial services area report having a separate and distinct risk committee for more than 2 years, versus less than 4% in the nonfinancial area).