On December 20, 2011, the Federal Reserve Board issued proposed regulations under section 165(h) of the Dodd-Frank Act requiring all large financial institutions to create enterprise-wide risk management committees complete with independent chairs and direct shared supervision of the chief risk officer. While I take issue with the definition of the term "independent," these proposed new rules embody a strong regulatory initiative to rationalize corporate governance in the US, starting with the megabanks. The proposed rules do not apply to every publicly held company; nevertheless, the Fed's clear endorsement of the theoretical underpinnings of enterprise-wide risk management could operate as a game-changer for limiting excessive CEO autonomy for all public firms. Let me explain, by way of a short history of ERM.
As Betty Simkins and I wrote in Enterprise-Wide Risk Management and Corporate Governance, there is a powerful empirical and theoretical basis for actively managing all risks that a business enterprise faces in a coordinated way at the highest managerial levels. Enterprise-wide risk management (or "ERM") arose as a natural evolution of the best means of managing risk within the modern firm that emerged in the 1990s. After the Enron series of corporate governance failures, it was apparent that firms needed to think about risk across all business functions. As we stated in 2008, "under ERM, all risk areas function as parts of an integrated, strategic, and enterprise-wide system. While risk management is coordinated with senior-level oversight, employees at all levels of the organization using ERM are encouraged to view risk management as an integral and ongoing part of their jobs." We identified a number of ERM best practices. For example, we argued in favor of diverse perspectives on risk and against allowing the CEO to act as a risk silo. Too often, the CEO faces distorted incentives to maximize short-term profits regardless of risk. The CEO necessarily holds limited expertise regarding the full range of risks a large firm may face. Board involvement is therefore crucial. Nevertheless, we did not advocate any regulatory mandates with regard to ERM, due to its relative infancy and the lack of any empirical basis for any particular detailed approach. Instead, we argued in favor of SEC rulemaking to require disclosure of risk management policies to facilitate a market-based outcome.
In December 2009, the SEC obliged, issuing rules to require disclosure of risk management policies within public firms. Specifically, the SEC directed that all public firms disclose the extent of the board's role in the risk oversight of the firm, such as how the board administers its oversight function and the effect that this has on the board's leadership structure. In addition, the SEC noted that in some cases firms should consider disclosing: "whether the individuals who supervise the day-to-day risk management responsibilities report directly to the board as a whole or to a board committee or how the board or committee otherwise receives information from such individuals." The SEC's approach to risk management, while laudable, seemed too little and too late. After all, by late 2009, it was clear that American firms had actually pursued risk mismanagement as a business model, as I documented here, and as the Financial Crisis Inquiry Commission confirms here.
The shocking depths of the dementia revealed by the financial meltdown of 2008 caused me to reassess the law's role in fostering rational risk management within the public firm (among other things) in Lessons From the Subprime Debacle. There, I advocated that "every financial firm that is publicly held should now be required to have an independent risk management committee, comprised of experts in some field of risk management." I further argued that the independent risk management committee should enjoy the power to promulgate and enforce risk management policies, appoint and supervise the chief risk management officer, and retain experts as needed to achieve the mission of the committee.
The Fed largely adopted this approach. Here is the Fed's own summary of its proposal:
"The Board is proposing to address the risk management weaknesses observed during the recent crisis and implement the risk management requirements of the Dodd-Frank Act by establishing risk management standards for all covered companies that would (i) require oversight of enterprise-wide risk management by a stand-alone risk committee of the board of directors and chief risk officer (CRO); (ii) reinforce the independence of a firm's risk management function; and (iii) ensure appropriate expertise and stature for the chief risk officer. The proposal would also require bank holding companies with total consolidated assets of $10 billion or more that are publicly traded . . . to establish an enterprise-wide risk committee of the board of directors. . . . The proposal sets out certain responsibilities of a risk committee, which include the oversight and documentation of the enterprise-wide risk management practices of the company. The proposal also would establish various requirements for a risk committee, including membership with appropriate risk management expertise and an independent chair. The proposed rule also requires a covered company to employ a CRO who will implement appropriate enterprise-wide risk management practices and report to the covered company's risk committee and chief executive officer."
The Fed's proposal is fundamentally sound. It is a positive step away from our current regime of CEO primacy because it limits the CEO's autonomy to manipulate a firm's risk profile for profit. I take issue with the Fed's definition of independence, among other matters, and will post on these objections in due course. Today, I wish to posit that the Fed's embrace of enterprise-wide risk management for large financial companies constitutes a powerful incentive for all firms to embrace enterprise-wide risk management. The Fed's proposal is based in part on the findings of the Senior Supervisory Group's (SSG) reports on the causes of the financial crisis. That group, consisting of senior regulators from seven nations, found that firms with stronger risk management systems fared better during the financial crisis than firms with weak risk management. The SSG found that firms at the center of the crisis lacked basic risk management coordination.
Thus, the Fed's proposal amounts to an expert endorsement of fundamental enterprise-wide risk management principles, based upon a solid empirical foundation. As such, public firms subject to the SEC's disclosure mandates (discussed above) face added pressure to adopt sound risk management precepts. Firms that do not do so will face market sanction, as well as a more difficult defense of any director liability claim. Indeed, if board members ignore solid evidence of the efficacy of enterprise-wide risk management, they will essentially be subordinating the interests of the corporation to their loyalty to the CEO and the maintenance of CEO primacy. I will be expanding on these points in a forthcoming law review article.