Managing risk--to your company and you: enterprise risk management is a term increasingly heard in boardrooms. Why? Because ERM helps a company get to where it wants to go and avoid pitfalls and surprises along the way.

Author: Steinberg, Richard M.
Position: INFORMATION FOR THE BOARD

LIKE EVERY DIRECTOR, especially in today's environment, you want to do the right thing for your company, ensuring risks are well managed and share growth achieved. You also want to avoid seeing your own personal reputation damaged and your accumulated wealth jeopardized. Now more than ever, your fellow directors speak of "risk management" and discuss how best to protect the company and themselves.

The term "risk management" is used freely today, but it means very different things to different people. The term is applied, for instance, to insurance coverage for activities of the company itself, protecting its assets and resources. The term is applied to insurance coverage and corporate indemnification provisions limiting liability of directors. It is used in the context of treasury functions engaging in sophisticated transactions, such as derivatives for hedging and related purposes. And often the term takes a legal compliance perspective.

Certainly a board of directors must look closely at all these aspects of risk to ensure that they are understood and managed effectively. Certainly insurance coverage and indemnification are of critical importance. And boards want to be sure they carry out all the legal requirements imposed on them.

But risk management, done well, goes far beyond legal and regulatory compliance and insurance coverage. Here we look at risk management from a broader, enterprise-wide perspective and consider what boards need to do in order to enable their companies to drive share value, as well as to protect their resources and their directors.

Pitfalls of a purely compliance mindset

While legal compliance is important to boards, and needs to be done right, it should not be the primary focus. Boards taking a "checklist approach" to complying with the letter of the law will indeed limit directors' liability in the event legal action is taken. That is, the likelihood of an award or judgment against the company or individual directors, and the size of a potential settlement, are reduced.

But the best directors realize that it is more important to do what's right for the company by ensuring that management has effective risk management processes in place. Reality is that directors' twin goals--being part of a truly effective board that drives share growth, and protecting themselves against personal liability--are very much intertwined. Simply put, when a board helps the senior executives to manage a company's risk effectively, the likelihood is that the company will be successful, and the directors will never in the first place have to face charges of failing to carry out their fiduciary responsibilities.

A great many directors have been apprised by their companies that a "risk assessment" has been conducted. These directors should be pleased that management focused on risk, but they also need to be wary. A risk assessment often is limited in scope, and by definition is done as of a point in time--i.e., only those risks that existed as of the time of the "assessment," and only those appearing on managers' radar screens, are identified.

But what happens the next week, month, or quarter? How often are risks identified, what happens to risks that surface in between the assessments, and how wide a net is cast? And, equally important, how are risks that are identified dealt with?

Enterprise risk management

Enterprise risk management (ERM) is a term increasingly heard in boardrooms. ERM was first embraced in a meaningful way by large financial services companies, and today more and more directors want to know what it is and what it can do for them and their companies.

Much has been written on ERM. Probably the most relevant discussion has been crafted in a report called Enterprise Risk Management--Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (See sidebar, "ERM: The Action Components.")

Basically, ERM is a process that enables a company's management to identify potential events that can result in...
