Mission and composition of the board of directors


And what about the risk related to corporate culture?

On July 13, 2015, Matteo Tonello of The Conference Board published a very interesting post on the blog The Harvard Law School Forum on Corporate Governance and Financial Regulation, devoted to the board of directors' understanding of corporate culture risk: "The Next Frontier for Boards, Oversight of Risk Culture".


Over the past 15 years expectations for board oversight have skyrocketed. In 2002 the Sarbanes-Oxley Act put the spotlight on board oversight of financial reporting. The 2008 global financial crisis focused regulatory attention on the need to improve board oversight of management’s risk appetite and tolerance. Most recently, in the wake of a number of high-profile personal data breaches, questions are being asked about board oversight of cyber-security, the newest risk threatening companies’ long term success. This post provides a primer on the next frontier for boards: oversight of “risk culture.” (…)

This global regulatory storm has culminated in a series of papers from the Financial Stability Board (FSB), a global regulatory advisory body formed following the onset of the global financial crisis. Its main objective is to provide guidance to national financial sector and securities regulators around the world. In its most recent paper, issued in 2014, the FSB called on national regulators to actively assess the “risk appetite framework” and “risk culture” of systemically important financial institutions (SIFI), including assessing boards’ effectiveness in overseeing their company’s risk culture. The FSB summarized the new expectations of national financial sector regulators as follows:

“…efforts should be made by financial institutions and by supervisors to understand an institution’s culture and how it affects safety and soundness. While various definitions of culture exist, supervisors are focusing on the institution’s norms, attitudes and behaviour related to risk awareness, risk taking and risk management, or the institutions’ risk culture.”

The Financial Reporting Council (FRC), the United Kingdom’s national securities regulator, reacted to the FSB’s recommendations by updating The UK Corporate Governance Code that applies to all UK public companies. Provision C.2.3 of the Code mandates that the board should annually review and report on the effectiveness of their company’s risk management and internal control systems. Specifically, Item 43 in Section 5 of the guidance requires the board, in its annual review of effectiveness, to consider the company’s “willingness to take on risk (its ‘risk appetite’), the desired culture within the company and whether this culture has been embedded.”

The FRC, recognizing that there is little tangible guidance available to boards on how to oversee a company’s culture, stated that, in 2015, the initial year of implementation of the new board oversight requirements, it will focus on “company culture: how best to assess culture and practices and embed good corporate behaviour throughout companies.”

Financial regulators globally, including the SEC, are expected to follow the UK’s lead and significantly increase their focus on board oversight of corporate culture generally, and risk culture in particular. In a global survey conducted by KPMG, 1,500 audit committee members ranked government regulation second among risks that pose the greatest challenge for their company. Oversight of risk culture may be one of those areas of new government regulation.


Until next time…

Ivan Tchotourian