MAL 50:22 | Page 39

that be everyday malware or cyber criminals? What do you assess your main cyber risks to be, how well protected against them are you and how are they changing? What gaps exist in current strategies and budgets? Are you prepared with a plan to deal with a system breach? Do you know when this gets triggered and where responsibilities lie? Has the anti-breach infrastructure been tested? Do you believe security training is customized and provided to make sure every workforce section is informed about threat actors and their current behaviors?
Common Mistakes Boards Make About Risk Management Oversight
The risk oversight function of the Board may not succeed for a variety of reasons. The causes range from neglecting to put risk at the forefront of business to poor communication. Although it may not be comprehensive, the list below summarizes the most significant flaws:
Failing to prioritize risk in your operations
Due to an underestimation of the degree to which possible risk affects every facet of an Organization’s operations, Boards frequently fail to place risk at the center of the Organization. Instead of including it in the Board’s overall thinking and decision-making process, there is a propensity to approach it as a standalone item, thus missing the Big Picture.
Failing to identify and comprehend risks
A frequent error of judgment is failing to recognize key risks on the Organization’s risk register and comprehend how they affect operations. Boards cannot implement the proper controls if they do not comprehend the risks to which they are exposed. However, top-performing Boards will look beyond these to reputational risk and failure to connect with stakeholders, notably shareholders and consumers. Concerns like cyber threats, outsourcing exposure, and currency risks should be among the additional areas of focus.
Unwillingness of the board to exercise oversight
A common error is to exclude the entire Board from the Risk Management process and instead assign the Audit Committee the responsibility for overseeing risks. This is normally the case in situations without a board risk committee. It becomes challenging for Internal Audit to develop and implement Risk Management and at the same time check itself for compliance.
Roles are not clearly defined
Boards occasionally forget to explicitly define the risk responsibilities of committees like Audit and Risk and of the Chief Risk Officer. To attain the finest Risk Management practices, robust Board oversight, in collaboration with specific members of the Risk Committee and the Risk Officer, is required.
Not defining risk appetite
A number of Boards fail to guide their businesses through defined risk appetite statements that inform the type and level of risks to be taken in pursuit of organizational objectives. This is contrary to Corporate Governance Codes on risk and internal control requiring Boards to agree on risk limits.
Getting wrong communication
Lack of timely, high-quality communication results in increased risk, whereas effective information flow reduces it. Boards cannot evaluate or take action in response to potential risk without the proper information at the appropriate time. Communication channels between the Board, the Audit and Risk Committees, and the senior risk officers must be effective.
Avoiding difficult questions
Directors’ unwillingness to pose probing questions about risk issues is another drawback. Any areas of concern should be questioned by the Board members, who should then work through the issues with the Management and Risk Committees until they are content with the solutions. Boards should not be afraid to probe deeply until clear facts surface.
Becoming complacent
The easiest approach to prevent this mistake is to carry out an independent audit of Risk Management that provides the Board with expert, unbiased comments on how it manages risk. The Board should continually carry out risk reviews to keep up with local and global risk challenges. It should also continue to consider the potential harm to reputation, clients, and goods and services and keep asking what could damage customers, products, services and organizational reputation. Boards should also pay close attention to internal risk audits.
Tunnel vision
A typical mistake is the inability to comprehend the wider picture and how global risks, especially those related to the environment, society, and governance, affect the company’s risk perspective. The degree of risk preparation is constrained by this restricted focus.
Failure to learn from mistakes
Cases exist where Boards have been slow to learn from past errors. Particularly troubling are instances in which senior leaders have continued to flout internal Risk Management safeguards and caused harm to their organizations, markets, and even economies. Companies and directors frequently do not take the time to learn from their own mistakes, hasty judgment calls, or those of their peers. The failure to recognize the underlying reasons of risk and how to mitigate them in the future is not the least of these mistakes.
Way forward
Boards are essential in managing risk and keeping shareholders informed in a business risk environment that is getting more complicated and interrelated.
The issue is whether Organizations will stick to their current practices or radically reevaluate how risk is managed.
Organizations that are satisfied with their current strategy will experience ineffective processes, a lack of proactive risk identification and management capabilities, and difficulty obtaining a comprehensive understanding of the Organization’s vulnerabilities.
By examining and refining its approach to risk oversight, a Board can deliver enhanced value to the Organization and its shareholders.
In today’s business environment, tolerance levels for failure are almost nil; Boards can no longer say they were not aware. If they employ such an excuse, they will be confronted with the question, “Why didn’t you know? As a board member, it is your duty to be aware!”
Reuben Kisigwa is a strategic consultant and a certified competency-based curriculum developer. You can engage him vide mail at: RKisigwa@gmail.com.