Risk Management: Why and How Boards Should be Involved
Corporate boards are facing fresh demands from shareholders, creditors, suppliers and even customers that they have an in-depth understanding of the risks their companies face.
Directors must be able to knowledgeably pressure-test executive management. They must be sure that their questions ascertain whether or not the company is prepared to react to quickly evolving situations, such as the UK’s referendum on Brexit.
Global Calls on Boards to Take Specific Steps – All Positive News
One of the many examples of the new emphasis on the board’s role is updated risk management guidance from the UK’s Financial Reporting Council (FRC). It explicitly says that directors must:
- Annually review the company’s risk appetite.
- Make sure that risk and controls align with corporate strategy.
- Check any changes to the likelihood and impact of principal threats to the organization.
Another is the proposed King IV code from the Institute of Directors in Southern Africa (IoDSA), which is open for comment. Among the steps it urges are that boards:
- Include subject matter experts for certain risks among their ranks.
- Consider risks and opportunities together, and report them.
Both pieces of guidance move boards in the right direction. Following this advice should lead to a board that is supportive of the enterprise risk management (ERM) team’s efforts and that recruits board members with knowledge of the major threats companies face.
For instance, because cyber issues are so important, some boards specifically invite people with IT expertise, who can then act as an operational facilitator for such a pervasive and dangerous threat.
Two Ways to Improve Board Oversight: A Joint Exercise and a List of Questions
More direct board involvement can take numerous forms. The risk team from one firm in CEB’s network of ERM professionals asked the board and the management team to perform a risk assessment exercise together. They learned to reconcile differences of opinion and to articulate a plan of action.
For a lighter touch, ERM teams can prepare the board to ask challenging questions of management, and of itself. Risk Management for Directors: A Handbook, published by the Governance Institute of Australia, provides valuable advice that CEB’s research certainly agrees with.
The handbook includes a collection of questions that all boards should be asking. An Internal Auditor article highlights some of them. ERM leaders should bring this set of questions to the full board, and to risk and audit committees. Here are five of them:
- Does the overall strategic planning process consider and prioritize the uncertainty attached to achieving strategic objectives across the organization?
- Is risk handled in accordance with the risk appetite and tolerances? What are the areas of risk that have been assessed by management as outside the board’s risk appetite? Have they been reported to the board?
- Does the approach to risk management take into account risk scenarios and the interaction of multiple risks?
- How close to the business is the risk team? Is the team able to operate objectively?
- Does the CEO set and demonstrate consistency in relation to accountability for values and behaviors?
Tough Questions for ERM, Too: Examples of Board Queries to Risk Leaders
The board must also be ready to ask tough questions of ERM leaders and, in turn, those teams should be prepared with answers. Here are 16 challenging inquiries that risk executives told CEB they have received from the board (see chart 1).
Chart 1: Questions the board should be asking risk executives (Source: CEB analysis)