When the idea of corporate risk management only related to financial risks, it was simple to see where on the org chart responsibility for it should fall. In today’s business world, it’s much more complicated, and regulators have been pushing boards to do more oversight.

Wharton accounting professor Christopher Ittner has been researching the results of these changes: Do they make a real difference to internal behavior or the bottom line, or are companies just going through the motions? In this interview with Knowledge at Wharton, Ittner talks about who should be monitoring risk, who shouldn’t, and what the right choices can do for a business.

An edited transcript of the interview appears below.

Risk and business:

Fundamentally, what we’re looking at is whether board oversight of risk management actually makes any difference at all. There’s been a big push for risk management given the financial crisis and many other things impacting the economy now. So, institutional investors [and] companies’ regulators have been pushing boards to do more oversight of risk management. The question is: Is it real or is it just window dressing? Do you just see companies putting this in because this is what everybody wants? We’re looking at whether it really makes a difference how a board does risk oversight. Does it have an impact on the risk management practices of the companies? And ultimately, does it pay off? Do firms have lower risks when they have more board oversight, and higher stock returns?

Key takeaways:

One important thing is, it really matters who is responsible on the board for risk management. There’s a lot of controversy right now in terms of whether it should be the board as a whole. Should you have a committee, like the audit committee, responsible for this? Should you set up a separate risk management committee? Various regulators and groups have taken different stances on this. If you’re a member of the New York Stock Exchange, your audit committee is required to do board risk oversight. The Australian stock exchange is completely different. They say the entire board should be responsible for [risk] oversight, and the financial institutions — a lot of them are required to have a separate risk committee. So one big issue was, does it really matter where you put this?

“You’d better have the entire board responsible instead of delegating [risk oversight] to an audit or a risk committee.”

It turns out it matters a lot. You’d better have the entire board responsible instead of delegating this to an audit or a risk committee. And something really interesting was, even if you have a separate risk committee, it seemed to have zero impact overall in terms of what the company does in terms of risk management practices and performance. So there is an instance where it does look like it may be window dressing. Boards are putting this in, they’re setting up separate risk committees to look like “We’re paying a lot of attention to enterprise risk management,” but in truth, it really does not look like it makes all that much difference if you do that as opposed to using existing board structures.

Remarkably casual:

One of the interesting things [we found] was how informal a lot of the discussions between the board and the top management are in terms of risk management. You would think these days, companies would make these much more formal in terms of things like risk appetite. How much risk are we really willing to take on? Because the idea of risk management is not to get rid of risk. It’s to do things within your risk appetite and risk tolerance: “How much variability am I willing to take on this?” And you just look at the survey responses — these are people admitting that, “Well, if we do discuss this, it’s very informal,” and we found this very surprising given the atmosphere now. You would think boards would be much more formal in trying to figure out what is the risk appetite we want to go after. And what kind of tolerances — how much variability are we willing to accept once we’ve done this? But it’s very, very informal.

Consistent communication is key:

One of the big things is, who is going to be responsible? You really have to set in your charter having a whole board responsible. Now, you may decide that certain types of risks are handled by different committees. Obviously, financial risks are generally [handled by the] audit committee. You might have other risks go to other committees where the expertise is, but overall the board has to be responsible. This is not something you can delegate.

The other thing is, you have to have much better communication between the board and your senior management. What we found out is, if the only time that you actually talk to senior management about risk practices is during the annual or quarterly board meetings, it’s very detrimental. You really have to have these discussions outside the board meetings, and have an ongoing review of what is our risk appetite and what is our risk tolerance?

“You might have other risks go to other committees where the expertise is, but overall the board has to be responsible. This is not something you can delegate.”

After you determine your risks, what’s next?

I think at that point, you need to hire a risk expert. Once you’ve identified the key risks, you need to have somebody on the board — and this is part of the problem with delegating it to a committee. The audit committee — which is generally the committee that’s responsible — their expertise is with financial risks: credit risks, market risks, can we use derivatives or not use derivatives? They know almost nothing about cybersecurity, and that’s where you’re seeing the big push.

Once the board spends time figuring out where our issues are — maybe that’s when you need expertise there — you can’t expect existing board members to know much about this stuff. If nothing else, have them figure out who is the risk expert they’re going to hire within the firm, and enhance the communications that go on — even if you don’t have somebody on the board specifically who has that expertise.

Expanding boards’ understanding of ‘risk’:

I think one of the big issues is, risk is a responsibility of the audit committee and it’s all an issue of where traditionally risk is. We’ve always thought of financial risk in the companies. It’s not that companies don’t think about risks, but it’s always been financial risk, credit risk that people have worried about. I’m in an accounting department — let me tell you, finance and accounting people are not experts at any kind of risk outside financial risks. So putting it there, which is the requirement of the New York Stock Exchange, so that the board audit committee will have oversight over risk — it’s just not right. Especially as you expand the number of risks we’re facing, or at least recognize them even if we’ve had them in the past — this notion that it should be the board audit committee, because they’ve always done risk, is not right. They’ve always done financial risks. They just do not have the expertise outside of that.

The value of a ‘top down’ approach:

People generally have looked at whether there is some association between some overall risk management index or score and things like firm variability and stock price. We’re really trying to say, “Okay, what are the mechanisms here?” If I’m a manager, just saying, “Okay, I should have better risk management,” really is not going to help much. What I want to know is, how do I organize my firm? The reason we start at the board is the whole notion that the tone is always set at the top. Forget about worrying about how I do individual risk management. The first thing you’ve got to do is get the whole company on board, and it’s got to start with the board of directors. That’s very different than what other people have done, but until you can say, “Well, what’s the mechanism I have to put in place to make sure that we put risk management as a strategic issue in the firm?” — there’s no point.

“It’s not that companies don’t think about risks, but it’s always been financial risk, credit risk that people have worried about.”

Incentives and accountability:

There are requirements in the United States and other countries where there’s actually board performance evaluation. Very few people realize this, but you’re supposed to evaluate the performance of your own board. And part of it is putting responsibility for risk management practices and board oversight into the performance evaluation…. We actually did find in our results that companies that do performance evaluations of their boards and incorporate risk management responsibilities in those evaluations — those were the ones who put in better risk management practices. So again, incentives and accountability are key — not just looking at the managers in your firm, but also looking at the board, and getting their incentives aligned with risk management.

The real winners of risk management:

Part of what we’re looking at is what’s the objective of risk management in your company? How does that impact which practices you’re going to put in and what the implications are? One simple way to think about risk management is that all we’re trying to do is avoid risks or at least mitigate them if they happen. That’s only looking at the downside of risk. But if you really believe that there’s a risk/return tradeoff, is the only way to make higher returns to take on more risk? You can also use risk management to increase the value of the firm. Let’s take on the right risks. Let’s figure out where I have multiple risks in the firm, how they interact with each other — such that I don’t take one that has a big impact somewhere else.

So when you take companies that really see risk management as a value-enhancing objective as opposed to just a cost-minimization one, a way to avoid a problem — how does that impact the practices you actually put in, and which ones are more effective? And ultimately, how does that impact firm performance? Some of our initial results suggest that it makes a huge difference. The firms that have looked at this as a value-enhancing objective as opposed to just a way to minimize cost or avoid the downside are really the ones that are seeing any kind of real financial gain, as opposed to just minimizing costs from enterprise risk management practices.