I just listened to an excellent video presentation from NACD featuring Reatha Clark King talking about risk oversight by the board.
I recommend this to boards, especially board chairs, governance committee members, and members of the audit and risk committees. It is also useful for executives, general counsel, and practitioners.
What I like: she advises that:
- Boards should step up and insist they receive the information they want, when they want it, how they want it.
- The CEO is the primary risk owner and is responsible for the implementation of the enterprise risk management system.
- If there is a CRO, he or she should be among those presenting on risk to the board.
- But, the CRO should not be the only person presenting. The business leads should be among those sharing information.
- The discussion of risk should be intertwined with discussion on strategy and compliance.
- The full board should take the lead role on risk oversight, with each standing committee responsible for oversight of risk in its area.
- The structure for risk oversight should be carefully thought through and tailored to each board’s needs.
What I didn’t like:
- The presentation was framed as board oversight of risk. I believe the board should instead provide oversight of the management of risk, making it clear that management is responsible for the identification, assessment, and treatment of risk.
- There was no discussion of oversight of management’s risk management process, ensuring through questioning of management that it is effective and suitable for the organization’s business needs, every day.
- The board, in my view, should not be the ones assessing risk or deciding treatment of risk. Instead, they should be asking questions and challenging management’s assessment and treatment of risk.
- There was no mention of internal audit providing assurance on the effectiveness of risk management processes.
The management of risk and the consideration of risk in decisions is a daily, even hourly, even minute-by-minute requirement. Relying on the board’s occasional meetings to obtain assurance that risk is managed effectively is misguided in my view.
What do you think?