Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Time for the Board to Take a Deep Dive Into Risk Management and Risks

I think that many boards (or a committee of the board) should take periodic deep dives into:

  • How the management team identifies, understands, assesses, and addresses risks to enterprise objectives, and
  • How that same management team addresses specific sources of risk.

Too many papers and articles have talked about adding people to the board with specific expertise in risk management, cybersecurity, China and other geographies, technology in general, and (more recently) compliance.

As I have argued in the past, no board can include an expert in every single area that is critical to the organization. But its members can all be experts in assessing management capability and performance — with the assistance, if necessary, of a subject matter expert or two.

In a recent newsletter, one of my Aussie friends, Todd Davies, talks about facilitating deep dives for his clients.

This is how he explains it:

The concept is fairly simple — an area is considered worthy of deeper discussion and exploration at board level (usually by the audit or risk committee). The executive and their team prepare well on this subject and the committee is satisfied that the management is completely across their brief, the risks and issues are in hand, any gaps are understood, flagged and scheduled for resolution to get them to a target level.

The deep dive may be an extended period for discussion during a regular board or committee meeting.

I prefer that quality time be set aside, either by scheduling a separate meeting (which could be a call) or by extending the regular meeting time to include an hour or two for the deep dive.

One deep dive, possibly the first, could be on the general topic of management's capability for managing enterprise risk. If I were organizing and facilitating such a session, I would ask that the CEO lead off with his or her frank assessment of the organization's capability and performance. That would be followed by a presentation by the chief risk officer (CRO) or equivalent that not only points out what is in place, but also where there are opportunities for improvement. For example, the CRO should comment on whether management at all levels is fully engaged and whether the consideration of risk is integrated into daily as well as strategic decision-making. How effective is the organization at identifying and assessing emerging risks, or at knowing when existing risks change?

While each director should seek to obtain comfort in management's ability to address enterprise risk, it would be useful to have a third-party expert in risk management present (an experienced practitioner, not somebody who has only been a consultant). That individual can ask questions to probe management's presentation — not into detailed technical areas, but simply to confirm that the management team possesses the people, systems, and other resources necessary to address enterprise risk now and in the immediate future.

Where issues are identified, corrective actions are defined and management follows up with status reports at future meetings.

Other deep dives, similarly facilitated by subject matter experts, could be held on topics such as:

  • Cyberrisk.
  • Reputation risk.
  • Compliance risk.
  • Doing business in China or elsewhere.

The head of internal audit may be effective as a facilitator, assuming he or she has the requisite expertise in the area.

Todd's newsletter also covers other risk management topics relating to internal audit, which practitioners might find worth reading.

How useful would deep dives be for your board?
