Courtesy of Virginia Harper Ho*
One of the most important functions of modern corporate boards is their risk oversight role, a responsibility that comes to the fore whenever corporate scandals emerge. In most jurisdictions, risk oversight is enforced partly as a matter of fiduciary duty. But, as the COVID-19 pandemic has made clear, board monitoring extends as a practical matter beyond legal (i.e. compliance) risk to an ever-expanding range of threats and opportunities that must be addressed holistically and transnationally on an enterprise-wide basis. Risk oversight and risk management is therefore also tied to other core roles of corporate boards, such as setting corporate strategy; hiring, removing, and compensating senior executives; and communicating with shareholders and other corporate stakeholders.
My chapter in a forthcoming research handbook on comparative corporate governance examines the mechanisms of risk oversight, risk management, and compliance through a comparative lens, drawing on examples from international guidance and from different legal systems, primarily the United States, the United Kingdom, leading European jurisdictions, and China. Understanding how different legal systems approach these common issues is critical in view of the interconnectedness of modern global business, and it is increasingly evident that emerging risks, including the threat of terrorism, cybersecurity, and climate-related risk, are potentially global in scope and impact. A comparative perspective also sheds light on the considerable variation across jurisdictions in the nature and source of risk oversight responsibility and in the institutional settings in which risk monitoring occurs.
Risk Oversight & Compliance – No One Size Fits All
To be sure, there are many formal similarities across jurisdictions in the role of corporate boards and the common demands of enterprise risk management (ERM). Under the strong global influence of the U.S. Sarbanes-Oxley (SOX) Act on corporate governance reform in the early and mid-2000s, most countries have now adopted formally similar internal mechanisms of risk oversight and risk management, including internal controls, an internal audit function, and related disclosure requirements. Most countries also understand fiduciary duties to require that directors act in the best interests of the company (or the company and its shareholders), on an informed basis, and with due diligence and care. Companies around the world also use many of the same globally recognized ERM frameworks, such as the ISO 31000 risk management guidelines and the COSO ERM Integrated Framework. In addition, both common law and civil law systems give boards broad discretion over how they implement compliance and risk management in practice.
At the same time, the monitoring function of corporate boards works differently across jurisdictions depending on the local corporate governance framework and the dominant ownership structures in the economy. Germany, Austria, and the Netherlands, for example, have dual board systems where the supervisory board bears primary oversight responsibility. In much of Asia and continental Europe, concentrated ownership by families, banks, the state, or cross-shareholding within business conglomerates is the norm, and controlling shareholders may influence the firm’s strategic direction and risk appetite. This stands in some contrast to the “outsider” governance systems of the U.S. and the U.K., where diversified shareholders have been, until relatively recently, content to delegate monitoring to the corporate board. In addition, the scope and source of board duties, and the enforcement mechanisms that motivate boards to carry them out all vary according to the firm’s ownership structure, internal corporate governance rules, and broader institutional context. For example, Japanese corporate governance does not extend fiduciary duties to officers or senior management, but only to directors. In China, as in Germany, controlling shareholders owe fiduciary duties, while in the U.K., France, and Switzerland, they do not. Jurisdictions also vary as to the scope of director oversight — it may be more narrowly focused on legal and financial risks that may impact shareholder value, or more broadly on risks to other stakeholders that result from corporate operations.
Lessons from a Global Perspective
Several themes emerge from a global look at corporate risk oversight and the role of corporate boards:
- First, it is increasingly clear that the complexity of modern corporations and of the risk environments in which they are situated challenge boards’ capacity to monitor and manage risk effectively.
- Second, in a context where risk oversight has simply become harder, the influence of corporate law and fiduciary duty over corporate boards’ role in monitoring compliance and in overseeing ERM has declined. Even in common law jurisdictions, fiduciary duty is less of a driver of risk management and compliance (and may be less effective) than capital market regulation, soft law corporate governance codes, and international accounting, corporate governance, and anti-fraud standards.
- Board monitoring as an internal source of accountability and control must be understood in relation to other sources of corporate oversight. This is because corporations and boards themselves operate within a transnational network of inter-related actors, regulatory regimes, and other institutions that affect how far the board’s duty to monitor extends, how seriously it takes its monitoring role, and how it carries out that function.
These observations raise a number of questions for further research. Key issues include how to strengthen ERM, how to help companies fully internalize their operational costs and risks, and how to strike the right balance between appropriate risk-taking and corporate accountability. Given the persistent variation in different jurisdictions’ approaches to these questions, finding answers will continue to require a comparative lens.
Corporate boards still have a critical risk oversight function, but effective board governance alone is not enough to prevent new corporate scandals or to keep corporations from externalizing risk. As I explain in my chapter, the crucial, yet limited, role of the monitoring board across jurisdictions calls instead for greater focus on complementary sources of oversight, including personal liability for corporate officers; enhanced monitoring by shareholders, stakeholders, and gatekeepers; and the external regulation of risk governance in its various forms.
*Virginia Harper Ho is the Earl B. Shurtz Research Professor and Associate Dean of International & Comparative Law Programs at the University of Kansas School of Law.