Board Oversight of Risk Management

Australia has been a world leader when it comes to risk management. In 1999, working with its New Zealand counterpart, Standards Australia published the excellent AS/NZS 4360:1999 Risk Management standard (updated in 2004 and the foundation for the ISO global risk management standard, 31000:2009).

Now, the Governance Institute of Australia has made what I consider a significant contribution to the discussion of board oversight of risk management.

Risk Management for Directors: A Handbook is excellent.

I would share it with every member of the board as well as those in management responsible for advising the board, such as the CEO, CFO, General Counsel, CRO, CAE, outside counsel, and so on.

There are a few areas where I could nitpick the guidance. For example, I would prefer to see more about the role of the CRO and a question about whether the board has confidence in him or her.

But it is better to highlight some of the excellent content that can be found.

The paper includes discussions and suggested questions directors can ask (which, in fact, all of us can ask to assess how effective the board is) about the mission and responsibilities of the board, risk culture (including risk appetite), whether there should be a risk committee, risk reporting, and more.

If you have been reading my earlier risk management blog posts or World-Class Risk Management (now available from the IIA Bookstore), you will understand why I like this (emphasis added):

Governance codes and regulators, therefore, place risk attitude (or risk appetite), risk tolerance, and the oversight of the maintenance of sound risk management and internal control systems at the center of corporate governance and the role of the board in steering organizations. They recognise that risk-taking is what organisations do — risk encompasses the opportunities to be realised by the organization, as well as the hazards to be avoided, with recognition of the uncertainties attached to the opportunities and hazards alike.

Here is a selection of the first-class questions:

  • Are there processes in place to integrate risk management into strategic planning?
  • Does the overall strategic planning process consider and prioritise the uncertainty attached to achieving strategic objectives across the organization?
  • Does management need to be encouraged to incorporate value creation as well as preservation into its risk management framework?
  • Do the board's agendas promote integration of risk issues with other agenda items such as strategy, organizational structure, and finance?
  • Does the board have an adequate framework to understand the interrelationships, interdependencies, and compounding effect of risks?
  • How does the board satisfy itself that the risk management framework established by management is operating effectively?
  • Is risk handled in accordance with the risk appetite and tolerances? What are the areas of risk that have been assessed by management as outside the board's risk appetite? Have they been reported to the board?
  • Does the board know what risks management is bringing into the business and whether these are aligned with the risk appetite?
  • Is there an over-reaction to risk management failures, with the risk that there will in future be a reluctance to report failures?
  • Is there a consistency between the actions of employees and the values of the organization?
  • Has the board established mechanisms for satisfying itself that a culture that allows, rewards, and encourages openness is in place?
  • Are there accountability mechanisms in place to ensure that the lived values and behaviors of management align with the desired values and behaviors?
  • Are there consequences for individuals if they fail to enact the desired values and behaviors?
  • Is there defensiveness about organizational culture?
  • Do the engagement results of employee surveys identify regular concerns or conflicts of interest or a fear of speaking up?
  • Does the style and entrenchment of the CEO block the possibility of constructive challenge from within the executive team?
  • Does the CEO exhibit a degree of concern, if not resentment, that challenge from the non-executive directors is unproductively time-consuming, adding little or no value, and potentially intruding on or constraining the ability of the executive team to implement the agreed strategy?
  • Does the CEO point to the risk and audit committee(s) or function when risk management is discussed rather than talking of risk management in terms of the business and management?
  • Are both the overt and implicit incentives aligned with either the stated values of the organization or the mitigation framework to prevent undue risk-taking?
  • Does the board establish and reinforce executive accountability for risk management?
  • Does the CEO set and demonstrate consistency in relation to accountability for values and behaviors?
  • Does the board expect full disclosure by management of the risks associated with each aspect of the strategy?
  • Does the board provide management with ongoing feedback about its satisfaction with their level of disclosure and the quality of risk-reward analyses?
  • How close to the business is the risk team? Is the team able to operate objectively?
  • Are the terms used relevant and understood by everyone in the business?
  • Does management retain accountability for managing risk?
  • Do the board and the CEO provide a clear licence to the chief risk officer to assist divisions?
  • Does the chief risk officer have a direct line of report to the audit or risk committee?
  • Can the chief risk officer be fired by the CEO or other senior executives, or are they independent of the senior executive team?
  • Is the risk management function given appropriate levels of authority, influence, and independence in the organization?
  • Does the approach to risk management take into account risk scenarios and the interaction of multiple risks?
  • What was the date of the last operational review of the risk management function by internal audit and what was the result and action taken by management?
  • Are the elements of the risk management framework operating as intended and providing the benefits sought?
  • Does the board have assurance that it is receiving the information it needs?
  • Is risk management integrated with all of the business's systems, such as performance management, process management, and implementation of strategy?

Which is your favorite question?

Will you share this guide with your board and others?

How much of this is in place at your organization?

I welcome your comments.


As a postscript, my good friend Jim DeLoach just published a piece with the NACD. Sorry, Jim, but I think "Staying Engaged in the Risk Oversight Process" is very thin, especially when compared to the publication discussed above.
