Does Board Involvement in Risk Management Add Value

12191

DOES BOARD INVOLVEMENT IN RISK MANAGEMENT ADD VALUE?

PaulMilevskiy

School of Business

University of Queensland

Brisbane QLD 4072

Australia

Tel: +61 7 3510 8111

Fax: +61 7 3510 8181

E-mail:

GeoffreyC.Kiel

School of Business

University of Queensland

BrisbaneQLD 4072

Australia

Tel: +61 7 3365 6758

Fax: +61 7 3365 6988

E-mail:

GavinJ.Nicholson

School of Business

University of Queensland

PO Box 2140

Milton QLD 4064

Australia

Tel: +61 7 3510 8111

Fax: +61 7 3510 8181

E-mail:

Paper presented at the Annual Meeting of the Academy of Management: Creating Actionable Knowledge, New Orleans, August 6-11, 2004

DOES BOARD INVOLVEMENT IN RISK MANAGEMENT ADD VALUE?

ABSTRACT

The normative governance literature has chronicled the emergence of risk management as a new role for directors, to the point where risk management is now seen as an important part of best practice corporate governance. However, the academic literature has not given this new role any attention to date. In this study we develop a number of hypotheses to test for an effect between risk management practices, risk committees and firm performance. We test the hypotheses on data fromAustralia’s top one hundred publicly listed companies over two consecutive financial years. Although there is some evidence of a positive effect between specific risk management practices and company performance, and the presence of a risk management committee and company performance, the findings are tentative and inconclusive.

Keywords: Risk management; Corporate governance; Firm performance

DOES BOARD INVOLVEMENT IN RISK MANAGEMENT ADD VALUE?

A new role is emerging from corporate governance practice: the role that boards and their member directors play in managing the risks faced by their companies. This new risk management role has had wide coverage in both the practitioner and general business media. However, despite the increasing importance of risk management in corporate governance, the role has been virtually ignored in the academic governance literature. An extensive literature search failed to find any empirical research, or even any theory based discussion on the subject, indicating that despite the ongoing commentary and analysis in the wider practitioner literature, governance researchers have yet to take an interest in this area.

With the wider business literature indicating that the board’s risk management role is becoming increasingly important, but without any empirical, or even theoretical support in the academic literature, it seems timely to conduct an initial investigation, to test whether this new role is as effective as its supporters are hoping it to be. We present this investigation in this paper. First, the normative and positive governance literatures are reviewed. We then discuss the research objectives of the investigation, and the specific hypotheses that were tested to meet these objectives.

These hypotheses were tested by collecting data on Australia’s top one hundred listed companies, by market capitalisation, over the two consecutive financial years of 2000/2001 and 2001/2002. The data were analysed by grouping the companies according to various risk management practices, and committee structure and composition characteristics, and comparing the average company performance of these groups. The paper then moves on to a discussion of the results of the analysis, before concluding with a discussion on its limitations, and recommendations for future research.

LITERATURE REVIEW

Normative Literature

In Australia, the board’s risk management role first began to emerge in the mid 1990s, when Hilmer and the Independent Working Party into Corporate Governance (1993: 5) described the board’s key role as being to “ensure that corporate management is continuously and effectively striving for above average performance, taking account of risk.” More recently in Australia, the Australian Stock Exchange (ASX) Corporate Governance Council (2003) established risk management as an essential principle of corporate governance best practice, recommending that boards establish a sound system of risk oversight, management and internal control, that can identify, assess, monitor and manage risk, and inform investors of changes to the company’s risk profile. To achieve best practice in risk management, the council recommended that, among other things, the board, or the appropriate board committee, should establish policies on risk oversight and management, with these policies covering:

• for larger companies, delegating risk management to a board committee, which can either deal exclusively with risk, or be combined with some other function, such as the audit committee;
• the board’s role in overseeing the establishment, implementation and ongoing review of the company’s risk management system;
• management’s role in establishing and implementing a system for identifying, assessing, monitoring and managing material risk throughout the organisation; and
• a means of analysing the effectiveness of the risk management system, recommended to be discharged by the company’s internal auditor.

The practitioner literature and the general business press have also picked up the theme, with many writers and commentators extolling the benefits of boards using risk management systems to benefit their companies. For example, Moody (2002) concludes that investors have lost confidence in corporate America, and that adopting enterprise risk management will become an important confidence building strategy. Kubitscheck (2001: 38) points out that “the need for an enterprise wide, integrated risk management framework is here to stay”, and McCaig (2002: 6) asserts, “more and more, chief executives will move towards adopting best practice risk management”.

Similarly, the latest corporate governance best practice guideline in the United Kingdom, the Combined Code on Corporate Governance, which was released by the Financial Reporting Council in July 2003, firmly establishes the board’s role in risk management.

The Australian business press has also been supportive of boards expanding their risk management role. Gottliebsen (2003: B2), for example, warned “directors that do not have clear documentation on the risks facing the company … will be in grave danger of breaching stock exchange guidelines and their duties as a director”. While Fenton-Jones (2003: 51) stated that “organisations recognise that risk management and assessment is an essential part of effective corporate governance…”

In their recent book, Kiel and Nicholson (2003a) describe risk management as the two-fold process of evaluating a company’s exposure to critical events, and treating, monitoring and communicating responses to those threats. They argue that because risk management supports better decision making by developing a deeper insight into the risk-reward trade-off, it can become a source of competitive advantage for the company. The authors point out that the primary way that boards can improve risk management, is by implementing a risk management system within their company that allows directors to at least actively monitor the risks faced by the company, and the control responses developed and applied by management. One such system is Standards Australia’s risk management standard, AS/NZS 4360:1999. Standards Australia have developed a comprehensive risk management system, which can be applied to a very wide range of activities, or the operations of any public, private or community enterprise or group. This system is also supported by the ASX (2001) as a suitable system for boards to manage risk.

In summary, according to these authors writing from a normative perspective, the board’s risk management role now appears to be:

1. to establish a risk management function within the board, either by delegating this role to a specialist committee, combining the role with an existing committee or by some other means, such as making risk a regular agenda item;
2. overseeing the development and implementation of a risk management system within the company, and regularly reviewing the effectiveness of the system; and
3. ensuring that management identify, assess, monitor and manage material risks throughout the company.

The purpose of this role is to help the company manage those risks, which have the potential to prevent it from achieving its objectives.

Positive Literature

The ASX Corporate Governance Council (2003), apart from recommending the implementation of risk management systems, also recommended that larger companies delegate risk management to a board committee, which can either deal exclusively with risk, or be combined with some other function, such as audit. This concept is quite recent when compared to some other features of board structure and process, such as audit committees. Given the lack of empirical research on risk management and risk management committees, it is useful to briefly examine the literature on audit committees to see if any parallels can be drawn with the more recent trend of boards forming risk management committees.

Audit committees have long been seen as an essential feature of an effective board. In their extensive study of American boards, Lorsch and MacIver (1989) saw audit committees as being particularly helpful in assisting the main board deal with complex audit matters, in the limited time they have available. This view seems to have wide support in the United States, where an audit committee has long been a listing requirement for companies listed on the New York Stock Exchange and is now mandated by the Sarbanes-Oxley Act. In fact, the audit committee debate in the US centres around the composition of audit committees (Kirk, 2000), rather than whether or not a board actually needs an audit committee, which seems to indicate that US regulators and directors accept the need for these committees without question.

In the United Kingdom, the Committee on the Financial Aspects of Corporate Governance (1992: 30) regarded “the appointment of properly constituted audit committees as an important step in raising the standards of corporate governance.” In Australia, as a key way of ensuring the board’s conformance functions are being properly handled, Hilmer and the Independent Working Party into Corporate Governance (1993) recommended that each company have an audit committee. Bosch (1995) reinforced this view, recommending that each listed company board of more than four members should appoint an audit committee as a means of bolstering the effectiveness of the company’s auditing process, and contributing to the good governance of the company. The ASX Corporate Governance Council (2003) was equally emphatic in its support for audit committees, recommending that boards should establish audit committees, as this practice is recognised internationally as an important feature of good corporate governance.

The positive literature is more tentative in supporting the value of audit committees (Spira, 2002). There are a number of studies that indicate these committees have a positive impact. For example, empirical research has shown that active and effective audit committees can reduce the incidence of fraudulent or misleading reporting (Abbott, Park, & Parker, 2000), improve communication between the board and directors, and stimulate debate about accounting policies (Collier, 1993). McMullen (1996) also found that audit committees in the US are associated with fewer shareholder lawsuits alleging fraud, fewer quarterly earning restatements, fewer SEC enforcement actions, fewer illegal acts and fewer instances of auditor turnover where there is an auditor-client accounting disagreement, leading her to conclude that audit committees improve the quality of financial statements and disclosures. In addition, Wild (1994) found that the earnings reports of US companies that formed audit committees prior to 1981 are more informative for a given level of earnings information after the formation of audit committees, as compared to earnings reports released prior to audit committee formation.

However, support for audit committees in the positive governance literature is far from universal. For example, Kalbers and Fogarty (1993) observed that very few studies on audit committee effectiveness have been conducted, and most of these did not form testable hypotheses, adopt a theoretical grounding, or take a comprehensive approach to effectiveness. In an extensive review of the literature on audit committee effectiveness, Collier (1996) concluded that support for audit committees is largely based on opinions about their effectiveness, and reflects an “act of faith” rather than a decision founded on hard evidence. An empirical study by Collier and Gregory (1996) provides support for this conclusion, with the researchers finding that although the results of their study showed that the audit committee is effective in its role of overseeing the external audit, there is no conclusive evidence to suggest that it is effective in promoting a stronger internal control environment.

In addition to the literature dealing with the benefits of the presence of an audit committee, there is also a body of work on audit committee composition. Using an agency theory (Fama & Jensen, 1983) approach, much of this research focuses on the hypothesis that appointing non-executive and independent directors to audit committees will improve the effectiveness of these committees, with subsequent benefits for the governance of the company. For example, Scarbrough, Rama and Raghunandan (1998) found that Canadian audit committees consisting solely of non-executive directors had more frequent meetings with the chief internal auditor and were more likely to review the internal auditing program and the results of internal auditing. A subsequent study also concluded that committees consisting solely of non-executive directors are also more likely to review management’s interaction with internal auditing (Raghunandan, Read, & Rama, 2001). In addition, Abbott and Parker (2000) found that audit committees that are both independent and active are positively related to the selection of an industry specialist as an auditor, implying that these committees have a higher demand for auditor quality and subsequently, quality audit outcomes. Finally, Collier and Gregory (1999) found that the presence of executive directors on audit committees had a significant negative impact on audit committee activity.

While agency theory alone cannot be used to support an argument for appointing non-executive directors and other independents to risk management committees, it is still possible that excluding executive directors from risk management committees can have a beneficial affect. Agency theory, and the findings of the audit committee composition research outlined above, suggests that if members of the management team are participating in this oversight role, then they would be more likely to protect their own reputations by supporting the actions of the management team and downplaying any new threats, or the magnitude of existing threats, when participating as members of the risk management committee. If this is correct, then risk management committees consisting solely of non-executive directors should be more effective than those committees that include company employees.

The positive and normative literature also suggests that in order for board involvement in risk management to be effective, boards will need to closely monitor existing risk levels, the emergence of new threats and managerial responses to these. Given that audit committees in major UK companies can meet for less than ten hours a year (Collier, 1993), it is possible that when audit committees have to contend with risk management as well, they will not have enough time to monitor and manage the company’s risks, and instead will have to rely on the advice of, and the responses developed by, the management team. This could mean the board committees that deal exclusively with risk are more effective than the mixed audit/risk committees that were recommended by the ASX Corporate Governance Council (2003).

In summary, although the normative arguments supporting risk management seem to be conceptually sound and enjoy strong support in the wider business community, there is no empirical evidence to support risk management’s effectiveness. This leaves open the possibility that these systems will not help directors to effectively manage the risks faced by their companies. By moving beyond the governance and general business literature, it is possible to find support for this alternative proposition, by firstly going back to the origins of risk management, and the original applications of risk management systems. While these origins are a subject of some controversy, there is general agreement that safety professionals developed probabilistic tools of safety analysis during the post World War II years to deal with the complex safety problems presented by such frontier initiatives as the US space program, nuclear power plants and large scale chemical plants (Renn, 1998). From this highly technical beginning, the practice of risk management has spread into a number of different disciplines, each using their own individual approach. For example, engineering uses check lists, fault trees, event trees and loss control procedures to identify, rank and control risks (Ball & Golob, 1999).

The common thread running through these traditional applications of risk management is that they are generally applied to relatively simple systems. For example, occupational safety risk management is usually applied at the micro-organisational level, considering only simple work processes and relatively simple equipment. Where these traditional approaches have been applied to complex systems, they have traditionally only been applied to well bounded technical systems, such as nuclear power and chemical plants, or where the availability of large amounts of historical data makes probability and consequence calculations relatively simple, such as in the insurance industry. In contrast to the relatively simple systems outlined above, directors and senior managers are required to manage risk in highly complex and dynamic socio-technical systems, and this key difference raises some important questions over the effectiveness of board level risk management practices.