It is no surprise that corporate boards are paying more attention to risk management.  It is about time but change is slow to come in corporate board rooms. 

The reasons for the change in corporate attitude is not just an unprecedented aggressive enforcement environment.  It reflects the confluence of public attitudes toward business in the wake of the financial crisis and economic meltdown, political forces which partly reflect public opinion, growing frustration with the global marketplace, and the media focus on economic difficulties around the world. 

Corporate boards face increasing scrutiny in everything they do, especially with regard to executive compensation arrangements.  Individual board members are required to deal with threats of civil and criminal liability.

Board members need to ensure proper management and oversight of risks.  That does not mean that boards have to identify and respond to each and every significant risk.  It does mena that corporate boards need to monitor how a company manages its risks, responds to risks and minimizes risks.

The compliance tone-at-the-top integrates risk oversight into an overall corporate culture which emphasizes that compliance is an integral part of the overall business operations.  That does not mean that a company avoids all risk.  It means that the board should ensure that a company analyzes, assesses and decides on the amount of risk that it can tolerate as part of its business operations.

The board must oversee the risk management process to make sure that management adopts and implements appropriate policies and procedures and codes of conduct.  In establishing business strategies, risk management has to be incorporated into the company’s business operations, along with training programs, assessments and modifications when needed.

Corporate board members have a number of fiduciary duties, one of which is to ensure proper corporate  oversight.   The seminal Delaware case of Caremark and subsequent decisions established that directors can be liable for a failure of board oversight where there is “sustained or systemic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

A corporate board does not need to take extraordinary efforts to uncover misconduct when there is an adequate compliance, monitoring and assessment program in place to manage risk.  However, directors need to take account of the political winds.  It is likely that courts will be looking for an case to make an example of a poor functioning board, or one that may not have been as diligent as it should have been in response to clear risks. 

Corporate boards need to assess and improve their risk management efforts.  The process should include:

1.  Identify and measure material risks.  Directors need to review with senior management existing and potential risks, and measurement of such risks. 

2.  Review the design and implementation of  appropriate strategies to minimize risk, consistent with overall risk appetite and business strategy. 

3.  Review risk management strategies to make sure that risk management is adequately considered in every business decision;

4.  Review the risk policies and procedures adopted by management, including procedures for reporting matters to the board and appropriate committees and providing timely information to make sure the board and the company have accurate and timely information.