Enterprises are increasingly incorporating risk management functions into their operations. This is usually accomplished by establishing a board-level risk committee, hiring a chief risk officer (CRO) or both. There are some positive effects associated with having these roles, and the following study shows the association between these positions and the characteristics of public risk disclosure statements.
WHILE THE CRO AND RISK COMMITTEE ROLES SHARE AN OVERARCHING GOAL OF RISK GOVERNANCE, THE ROLES ARE DISTINCT IN TERMS OF RESPONSIBILITIES AND ACCOUNTABILITY.
While the CRO and risk committee roles share an overarching goal of risk governance, the roles are distinct in terms of responsibilities and accountability. Enterprises may choose to fill one or both positions. With regard to reporting structure, survey evidence shows that more than 80 percent of CROs report directly to the C-suite, while roughly 12 percent report to the board of directors (BoD).1 While these results suggest that a majority of CROs report to the C-suite, many CROs may have a dotted reporting line to the board as well.
Although the risk committee plays a substantial role in the governance of risk, in the majority of enterprises, overall risk responsibilities reside with the full BoD.2 A risk committee is commonly established at the board level, including independent directors, but it may also be established at the management level.
Background
The need for risk management within an enterprise has increased as the quantity and complexity of risk factors have evolved over time. This evolution prompted the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to augment its 1992 guidance on internal controls by publishing Enterprise Risk Management—Integrated Framework in 2004, followed by an updated version in 2017 titled Enterprise Risk Management—Integrating With Strategy and Performance. The updated COSO framework explains that enterprise risk management (ERM) is not a department; rather, it is “the culture, capabilities, and practices that organizations integrate with strategy-setting.”3 That said, it takes effective leadership to ensure that the risk management process is undertaken effectively. Thus, enterprises often establish a board-level risk committee, hire a CRO or do both.
The updated COSO framework provides a focused approach to risk management that can be customized to fit an individual enterprise. The framework contains five interrelated components. Each component is supported by a set of risk management principles, as presented in figure 1. The framework focuses on understanding and managing risk with a strategic focus, and it also extends to tactical and operational decisions.
The updated COSO framework aligns with International Organization for Standardization (ISO) standard ISO 31000. The COSO guidelines and ISO 31000 are two of today’s leading risk management strategies. Similar to the COSO model, ISO 31000 adopts an iterative approach to risk management, focusing on the assessment, treatment and monitoring of risk. In addition, both frameworks consider risk management to be a component of overall governance and suggest an approach that involves all levels of the enterprise.
According to a 2019 survey, more than 60 percent of the enterprises surveyed delegated risk oversight to a board-level committee—an audit committee, a risk committee or an executive committee.4 According to that same survey, enterprises in the financial services industry were most likely to establish a risk committee. Similarly, about 50 percent of the enterprises surveyed had a CRO or equivalent position, but that number rose to 70 percent for those in the financial services industry.
To provide additional perspective on these roles over time, proxy statements and news releases of a sample of financial services enterprises (i.e., in the banking and insurance industries) were used to determine whether they had a board-level risk committee and/or CRO from 2005 to 2015 (figure 2). The sample included 200 enterprises, resulting in 1,684 observations across this period.
In the first year (2005), 41 percent of enterprises already had a CRO in place. This is not surprising, given changes in the financial reporting landscape after the US Sarbanes-Oxley Act of 2002 (SOX) was passed. SOX focused on corporate governance and internal controls over financial reporting. Although SOX did not specifically require a CRO or a risk committee, it did mandate that the audit committee’s charter include responsibility for discussing risk assessment policies and risk management.5 The prevalence of CROs and risk committees increased over time. A significant surge occurred in 2009 and 2010, directly related to the financial crisis in 2008. The increase was especially notable with regard to risk committees and the presence of both positions. This was not surprising, given that the sample came from the financial services sector, and one of the major conclusions of the Financial Crisis Inquiry Commission was that “dramatic failures of corporate governance and risk management”6 occurred at important financial institutions.
Overall, there has been a heightened focus on governance within the ERM system, as demonstrated by the growing trend toward the presence of CROs and/or risk committees.
Do Risk Management Positions Provide Value?
As demonstrated in the preceding discussion, there is a growing demand for risk management functions to oversee the ERM apparatus. One important question is whether these functions provide value to an enterprise. To gain insight into this question, a review of the current academic literature about these roles is helpful. This discussion can be extended by examining risk-related disclosure and the presence of risk management positions.
The CRO’s role is generally “consultative (assess and recommend) or authoritarian (approve), or both.”7 This does not mean that the CRO is responsible for identifying and mitigating all risk factors; rather, the CRO acts as the hub, or champion, ensuring that the ERM vision is carried out effectively. Similarly, if a board-level risk committee is established, this committee’s role is to ensure that ERM activities receive the appropriate attention. If both a CRO and a risk committee exist, the enterprise must carefully define roles and delegate responsibilities for a successful ERM program.
Academic literature provides evidence that risk management functions are important to an entity from a value standpoint. Some research in this area blended the existence of a CRO with the implementation of an ERM system, assuming that the presence of the former meant the existence of the latter. These studies found that the presence of a CRO/ERM system is associated with lower stock return volatility and lower cost of capital.8, 9 Although these studies are interesting, the research design makes it difficult to disentangle whether the results are driven by the implementation of an ERM system or the hiring of a CRO within an existing system.
THERE IS A GROWING DEMAND FOR RISK MANAGEMENT FUNCTIONS TO OVERSEE THE ERM APPARATUS.
Other studies have documented a more direct relationship between risk management functions and value to the enterprise. Specifically, the presence of a CRO or risk committee is associated with superior ERM programs, and better ERM programs are associated with better operating performance, as measured by Tobin’s Q.10 Using an approach that allows the study of the cash-flow implications of ERM initiatives for both private and public organizations, there is evidence that enterprises with a CRO or a risk committee are more cost efficient.11
Overall, the evidence supports enterprises’ increased emphasis on dedicated risk management positions, especially in the banking and insurance industries. These industries tend to be well studied because they are considered leaders in ERM implementation and quality. In addition, external ratings are available to assess their ERM system quality (e.g., Standard & Poor’s [S&P] ratings).
Risk Management Functions and Disclosure
An area of great importance in a well-functioning ERM system is communication. In fact, in the updated COSO framework, Information, Communication and Reporting, is one of the five components (figure 1). A 2019 survey found most executives noted that they experienced “somewhat” to “extensive” external pressure to provide more information about risk.12 This suggests that external reporting is an important facet of a well-functioning ERM system.
For the same sample of banking and insurance enterprises used to compile figure 2, a Python script was run to collect risk factor disclosure sections (Item 1A) from their 10-K filings with the US Securities and Exchange Commission (SEC). Form 10-K is a required annual report for publicly traded US enterprises, providing comprehensive information related to financial performance and business operations. Item 1A, which was first required in 2005, includes information related to significant risk factors affecting the enterprise. This is where enterprises are required to disclose all material potential problems and often includes information about the impact of risk factors and the steps taken to mitigate each risk. Based on these data, figure 3 presents the differences in the natural logarithm of disclosure length (in words) in the enterprises’ annual reports, averaged by group, and t-tests for statistical differences between those enterprises with or without CROs, risk committees or both.
Parts A and B show that, on average, there is a greater amount of disclosure when either a CRO or a risk committee is present in an enterprise. The differences suggest that the presence of a CRO is associated with 11 percent more disclosure (e0.105) relative to enterprises that do not have CROs, and the presence of a risk committee is associated with 45 percent more disclosure (e0.374) relative to enterprises that do not have risk committees. Likewise, the presence of both roles is associated with 45 percent more disclosure (e0.371) relative to enterprises with neither CROs nor risk committees. One interpretation of this finding is that having a CRO or a risk committee may result in the better identification of risk (assuming that all identified risk factors are being disclosed). Given that these functions increase the value of an enterprise, more complete identification and disclosure of risk factors may be one way that these roles provide value.
Information about other characteristics of risk factor disclosure was also collected. One area of importance to investors is the specificity of disclosures.13 The Named Entity Recognizer (NER) tool can be used to assess how specific a text is.14 Multiple dimensions of specificity can be assessed, and the largest set of dimensions currently includes seven categories:15 Location, person, organization, money, percent, date and time. To create a measure of specificity, risk factor disclosure sections were analyzed, and the total number of words from each category was counted. Then the total number of specific words was divided by the total word count in the risk factor disclosure section to obtain a percentage of specific words used. Figure 4 presents the average percentage of specific words used (specificity) by enterprises with or without CROs, risk committees or both.
Similar to length of disclosure, the presence of a CRO or risk committee is associated with more specific disclosure. The average specificity in these disclosures is 3.8 percent for enterprises with CROs, compared with 3.2 percent for those without. Although this difference may seem small, it represents a 17 percent increase in specificity for enterprises with CROs vs. those without. The presence of a risk committee leads to similar results that are somewhat smaller in magnitude. There is an approximately 12 percent increase in specificity for enterprises with risk committees relative to those without risk committees. The presence of both CROs and risk committees results in the largest increase in specificity: approximately 22 percent. Overall, these results suggest that CROs and risk committees may be better suited (or more willing) to discuss in greater detail the potential effects of risk factors facing the enterprise.
Finally, the readability of disclosures was examined. Specifically, the standard used was the Bog Index, which is a plain English measure of the readability of text.16 This standard has been used to assess readability in the context of financial reporting and disclosure.17 Because the Bog Index requires use of the StyleWriter program to evaluate each disclosure individually, the sample in this case extended only through 2012.18 With the Bog Index, lower scores are considered more readable. Figure 5 presents the results related to the average Bog Index for risk factor disclosures collected from annual reports.
Part A shows that the Bog Index is lower when a CRO position exists, indicating that the presence of a CRO is associated with more readable risk factor disclosures. The presence of risk committees (Part B) did not result in a similar effect. Part C shows that the presence of both roles results in a lower Bog Index, but this difference is not statistically significant. These results suggest that the CRO plays the biggest role in terms of disclosure readability.
Overall, this analysis documents some interesting associations between risk management positions and risk-related disclosure characteristics. However, these results document only simple statistical relationships between the variables presented. Notably, other factors such as industry regulations and shareholder demands can impact an enterprise’s disclosure practices. Therefore, additional work is needed to explore these relationships in more detail and assess these associations in a multivariate setting, controlling for other factors associated with disclosure. In addition, future work could explore other areas in which risk management positions might have an impact. For example, in light of Basel III postcrisis reforms, understanding how risk management functions impact operational risk capital ratios would be an interesting topic of study.
Summary and Conclusion
Enterprise risk management systems and the governance of these systems are becoming increasingly important.19, 20 As such, CRO positions and risk committees are becoming more common. In the sample used for this study, the percentage of enterprises having CROs increased from 41 percent to 62 percent between 2005 and 2015, and the percentage having risk committees increased from 11 percent to 57 percent over the same period. Given the growing prevalence of these positions, it is important to consider the tangible benefits for enterprises adopting these roles. Studies have shown that an enterprise’s value is improved with risk management functions in place. This supports the updated COSO framework’s focus on the integration of performance and risk management from a strategic perspective.21 There is also evidence that risk management functions are associated with reporting outcomes, another important component of effective ERM systems. On average, there is more disclosure, and it is more specific and more readable, when risk management functions are in place. Overall, as business leaders continue to think about the value of these positions and whether these roles are important for their enterprises, these and other factors will be significant considerations.
Endnotes
1 Grace, M.; J. Leverty; R. Phillips; P. Shimpi; “The Value of Investing in Enterprise Risk Management,” Journal of Risk and Insurance, vol. 82, iss. 2, 2015, p. 289–316
2 Protiviti, “Board Risk Oversight—A Progress Report,” https://www.protiviti.com/UK-en/insights/board-risk-oversight-progress-report
3 Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management—Integrating With Strategy and Performance, USA, 2017
4 Enterprise Risk Management Initiative Staff, 2019 the State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 10th Edition, 2 April 2019, https://erm.ncsu.edu/library/article/2019-the-state-of-risk-oversight-an-overview-of-enterprise-risk-management-practices-10th-edition
5 Lander, G. P.; What Is Sarbanes-Oxley? McGraw-Hill, USA, 2004
6 National Commission on the Causes of the Financial and Economic Crisis in the United States, The Financial Crisis Inquiry Report, January 2011, https://www.govinfo.gov/content/pkg/GPO-FCIC/pdf/GPO-FCIC.pdf
7 Protiviti, “Guide to Enterprise Risk Management,” 2006, https://www.protiviti.com/US-en/insights/guide-enterprise-risk-management
8 Eckles, D.; R. Hoyt; S. Miller; “The Impact of Enterprise Risk Management on the Marginal Cost of Reducing Risk: Evidence From the Insurance Industry,” Journal of Banking and Finance, vol. 43, 2014, p. 247–261
9 Berry-Stölzle, T.; J. Xu; “Enterprise Risk Management and the Cost of Capital,” Journal of Risk and Insurance, vol. 85, 2018, p. 159–201
10 Baxter, R.; J. Bedard; R. Hoitash; A. Yezegel; “Enterprise Risk Management Program Quality: Determinants, Value Relevance, and the Financial Crisis,” Contemporary Accounting Research, vol. 30, 2013, p. 1264–1295
11 Op cit Grace et al.
12 Op cit Enterprise Risk Management Initiative Staff
13 Hope, O.; D. Hu; H. Lu; “The Benefits of Specific Risk-Factor Disclosures,” Review of Accounting Studies, vol. 21, 2016, p. 1005–1045
14 Stanford Named Entity Recognizer (NER), https://nlp.stanford.edu/software/CRF-NER.shtml
15 The authors thank Kyle Shannon for programming assistance.
16 StyleWriter Version 4, “A Better Readability Formula: StyleWriter’s Bog Index,” www.stylewriter-usa.com/stylewriter-editing-readability.php
17 Bosnall, S., IV; A. Leone; B. Miller; K. Rennekamp; “A Plain English Measure of Financial Reporting Readability,” Journal of Accounting and Economics, vol. 63, 2017, p. 329–357
18 The authors thank Judy Hoyt and Vinton Gwinn for assistance collecting this measure for the sample.
19 Doughty, K.; “The Three Lines of Defense Related to Risk Governance,” ISACA® Journal, 5, 2011
20 Beasley, M.; “Confronting Risk With Strong Leadership,” FM Magazine, May 2017
21 Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management—Integrating With Strategy and Performance, USA, 2017
Cristina Bailey, Ph.D.
Is an assistant professor of accounting in the Anderson School of Management at the University of New Mexico (USA). Her previous professional experience includes assistant professorships at the University of New Hampshire (USA) and Boise State University (Idaho, USA) and a position as a corporate accountant at Sandia National Laboratories.
Joshua J. Filzen, Ph.D., CPA
Is an associate professor of accountancy and Ada Burke fellow in the College of Business and Economics at Boise State University. His previous professional experience includes assistant professorships at the University of Nevada–Reno (USA) and Michigan Technological University (USA) and a position as a senior accountant at Moss Adams LLP.