In December, SpencerStuart (an executive search firm that publishes excellent governance-related studies) released a special issue of Point of View. It focuses on "today's board agenda" and has several articles worth reading. One is on board oversight of risk management (it starts on page 33).
Here are a few quotes:
"The board must set up a precise risk profile and risk tolerance, communicate it loudly and clearly to the business units, make sure that the business units remain within it, and see to it that the monitoring process captures any meaningful deviation from the profile and tolerance accurately and in a timely fashion."
"Effective risk oversight is about courage — the courage of swimming against the tide when there's momentum for something, whether it's a new product or innovation or an M&A opportunity. And part of the courage is to accept that you'll have false positives and will be engaged in a degree of apology, but you won't be deterred."
"The trouble with risk oversight is that you have to up the intellectual stakes on the board to be able to do it. It can't be accomplished by a board in which the directors sit around and joke about all the confusing numbers that are brought to them."
"It's inconceivable to me that a CRO could handle the product and engineering complexity that we have. Responsibilities for those risks need to be embedded in the businesses, and if you're not going to listen to the employees in the trenches and hold them responsible for the risks they take, you will not have good risk management."
The checklist for directors on page 36 is simple but gets to the point.
What do you think? Will you share this with your board?