While risk management has always been an important component of the board’s agenda, the devastating financial crisis taught everyone just how critical it is. In recent years, several boards have taken a hard look at their membership, how they operate, and whether their activities and the information to which they have access are conducive to effective risk oversight.
This article suggests concepts to help boards improve their monitoring of the company’s risk management.
1. Recognize the company’s key success factors.
Understanding the business and industry, what drives value creation, how the business model works, and the significant concerns affecting the organization are essential for an effective risk management strategy.
2. Evaluate the risks associated with the company’s strategy.
This concept and the one preceding it are linked, since both focus on understanding the corporate strategy and the risks that come with it. This understanding provides context for distinguishing the ordinary, ongoing hazards of business management from the risks that truly matter.
3. Define the risk oversight role of the full board and its standing committees.
This is an important notion for directors to remember as they work together to explain risk supervision responsibilities for the full board and the various standing committees.
4. Determine whether the company’s risk management system, which includes people and processes, is appropriate and has adequate resources.
Risk is frequently an afterthought in planning, and risk management is an afterthought or “side activity” in performance management. This principle tackles concerns such as appropriately positioning the chief risk officer or an analogous executive to support the board’s oversight activities. It considers the sufficiency of various aspects of risk management, such as sourcing, measuring, mitigating, and monitoring risk through suitable policies, processes, people, reporting, techniques, systems, and data.
5. Collaborate with management to understand and agree on the types of risk information required by the board.
This principle is still a source of contention for many boards. Directors suffering from information overload must focus more intently on actionable data. Whether or not quantitative models are used, reporting should provide many viewpoints on a given risk.
6. Keep a close eye on potential threats to the company’s culture and incentive structure.
This principle also leads to another financial crisis lesson: a company’s culture and incentive compensation structure can potentially influence risk-taking behaviors, decisions, and attitudes.
Because they reflect the shared values, goals, practices, and reinforcement mechanisms that embed risk into an organization’s decision-making processes and risk management into its operating processes, culture and incentives serve as the glue that holds all elements of the risk management infrastructure together.
7. Keep track of critical strategy, risk, controls, compliance, incentives, and people alignments.
This principle emphasizes the need to align important pieces to get everyone and everything on the same page: people, processes, and the organization. Without alignment, there is a possibility of a gap between a company’s strategy and its execution, which can be costly and harmful.
8. Evaluate the board’s risk oversight processes regularly:
Do they enable the board to meet its risk oversight objectives? The last principle calls for the risk oversight process to incorporate the best practice of periodic board self-evaluations.