MAL 50:22 | Page 38

While it’s true that everyone in the organization’s value chain needs to acknowledge the effects of risk, the Board also has a crucial role to play in establishing the risk culture and providing clear direction on matters of risk.
What Role Does Oversight Play?
A Board’s responsibility is to ensure that the Management team has appropriate risk management policies and procedures in place and that they are being successfully implemented across all organizational functions. Risk management is therefore directly under the Board’s supervision.
Board monitoring, and by extension oversight, is essential to make sure that Management takes responsibility for the risks facing the organization and develops a strategy that matches the proper degrees of acceptable risk with organizational goals and objectives.
The Oversight Journey Begins With Objectives
Before establishing the oversight mechanisms, the Board should first come up with risk oversight objectives.
The risk appetite implicit in the business model, strategy, and execution of the organization is an example of such objectives. In addition, the expected risks should be proportionate to the expected returns and values. Putting in place a system for managing, monitoring, and mitigating risk is another objective for Management, and it should be aligned to the organization’s business model. Having the risk management system inform the Board of the key risks the organization faces, ensuring a suitable culture of risk awareness exists throughout the organization, and having a clear understanding among all business functions that risk management is crucial to the successful execution of the organization’s strategy are additional objectives to take into account.
The Crucial Part
Once the objectives are set and the strategic priorities have been agreed, the Board should make a point of reflecting on key risks at least quarterly, or earlier should the need arise. Basically, the Board should be made better aware of the key risks (or key risk combinations) that have the potential to materially impact the Organization’s prospects; though this seems simple, it requires careful consideration that should include the following:
Key Considerations
It is ideal to create a distinct risk committee at the Board level that collaborates closely with the Audit Committee. Boards should be made up of people with a variety of backgrounds, skills, and viewpoints. The Board must promote an enterprise-wide risk culture that values accurate communication. Executives, as well as mid-managers and staff, must feel comfortable raising issues without fear of rebuke or criticism.
The Board should identify and discuss significant risks that could affect how well the Organization achieves its objectives, impact its reputation, ruin its financial situation, and force it out of business. To do this, Management should be given the responsibility of developing a Corporate Risk Register and submitting reports to the Board using a Heat Map, which graphs risks against levels of impact and likelihood of occurrence. Members of the Board should be open and straightforward when sharing their thoughts and opinions. To make sure that no blind spots are overlooked, Board members should challenge Management’s assumptions. The Board should have a clear understanding, influence, and management of risk appetite as this develops.
The Board should also keep track of developments and always be aware of whether the Management-instituted controls are having the desired impact, such as lowering the likelihood or severity of the risk. To recognize and assess various sources of risk, the Board should systematically monitor the company’s risk status. They should evaluate the way in which Management has embedded risk management within the organization.
The Board should collaborate with Management to determine not just the type of risk information required, but the best presentation format as well. Risk reports should clearly show what’s being done about each risk, and whether that risk is reducing or escalating. The agenda for Board meetings should be influenced by changes in key risks, with emerging risks identified and actions agreed. The Board should take a portfolio perspective of corporate risks to make the oversight function easier to manage.
The Board should resist the temptation to shift from a risk oversight role to a risk management role. Executives and business heads are ultimately responsible for managing the risks. The Risk function in the Organization should be a genuine, active function, engaging and consulting with staff in the business, controls and compliance, and Internal Audit functions to provide helpful inputs to the management of key risks.
And finally, the Board should reflect on learnings from previous governance failures.
Critical Risk Oversight Questions To Keep Asking
The Board members should ask themselves a few searching questions. These questions may offer a useful starting point for any Board that feels its risk management should be improved. They serve as a useful baseline for efforts to pinpoint instances when current risk management approaches may not be the best option.
In the early section of this article, I suggested that the Board take a portfolio view of corporate risks for effective oversight; hence the categorization of questions the Board should consider asking:
Risk Environment Questions
In order to increase shareholder value, what type and amount of risk is the business willing to take on? Are the Board and top Management on the same page in this regard? Are risk governance and management responsibilities clearly defined at all levels of the organization? Is there a process in place for identifying and collecting information about new or changing risks, and are you improving your risk management capabilities continuously to ensure you are managing your risks effectively in a changing business environment?
Risk Assessment Questions
Has a risk assessment framework that takes into account the risk factors that matter most to the organization as a whole been developed? Is risk assessment linked to the business strategy? Do existing controls and processes adequately mitigate identified risks? Is there a competent designated official heading the Risk Function, and are the tools being used to assess risk adequate?
Risk Monitoring Questions
Are all identified risk metrics properly aligned with strategy objectives to serve as indicators of potential problems? Is the dialogue and reporting of risk throughout all Organization levels, including the Boardroom, open and ongoing? How effective are your Board’s sub-committees in enabling you to focus on strategic risk management issues?
Cybersecurity Questions
Do you have the visibility to detect the threats most relevant to your organization, whether