Risk Oversight: A Board Imperative

This post comes to us from James DeLoach, a Managing Director at Protiviti.

Risk oversight is a high priority for today’s boards of directors. The risk oversight playbook is likely to evolve as boards refine their processes into 2010 and beyond. There are signs that legislators and regulators have risk oversight in their line of sight. For example, in the United States, the SEC proposed new proxy disclosures to spotlight directors’ qualifications and the role of the board in the risk management process. Some U.S. lawmakers are sponsoring a bill to mandate a separate risk committee of the board. Whatever happens, it is clear the bar is being raised as boards take a fresh look at the qualifications of their members, how they operate, the extent to which they avail themselves of the appropriate company officers and other expertise to understand the enterprise’s risks, and whether their committee structure and the information to which their committees have access are conducive to effective risk oversight.

Key Considerations

“Risk oversight” describes the board’s role in the risk management process. Effective risk oversight determines that the company has in place a robust process for identifying, prioritizing, sourcing, managing and monitoring its critical risks, and that this process is improved continuously as the business environment changes. By contrast, “risk management” is what management does to execute the risk management process in accordance with established performance goals and risk tolerances. Through the risk oversight process, the board (1) obtains an understanding of the risks inherent in the corporate strategy and the risk appetite of management in executing that strategy, (2) accesses useful information from internal and external sources about the critical assumptions underlying the strategy, (3) is alert for possible organizational dysfunctional behavior that can lead to excessive risk taking, and (4) provides input to executive management regarding critical risk issues on a timely basis.

If we accept this delineation as a working premise, then the role of risk oversight becomes clearer – it is the process by which the board and management develop a mutual understanding regarding the risks the company faces over time as it executes its business model and pursues new opportunities. If poisonous snakes are encountered along the way as the strategy is executed, the board and management will know they are there and, if the company is bitten, how much it might hurt. Therefore, risk oversight seeks a balance between enhancing and protecting enterprise value.

Questions for Boards

Following are some suggested questions that boards may consider, as appropriate to the entity’s operations, as they seek to clarify their risk oversight responsibilities:

  • Is there a robust process in place for identifying, prioritizing, sourcing, managing and monitoring the enterprise’s critical risks in a changing operating environment?
  • Do we understand the risks inherent in the corporate strategy? Is there a sufficient understanding of the significant assumptions underlying the strategy and is a process in place to monitor for changes in the environment that could alter those assumptions?
  • Are we and executive management on the same page with respect to the risks the entity is willing to accept and the risks the entity should avoid (i.e., the entity’s risk appetite)? Is there sufficient dialogue enabling appropriate and timely board input to executive management on the risks undertaken?
  • Are policies in place for managing significant financial and commodity risks on an enterprise-wide basis? Has management quantified the loss exposures involving these risks and prepared response plans to address multiple future scenarios?
  • If new and complex risks emerge, are the appropriate expertise, processes and information brought to bear to ensure there is an understanding of the emerging risks and their implications to the enterprise’s strategy and business model?
  • Is the board receiving the information it needs to foster effective risk oversight, or is it drowning in data providing little knowledge or insight? Is there sufficient agenda time for discussing the enterprise’s risks? In what areas does the organization need to improve its capabilities for managing risk?
  • Does the organization have a process for thinking about the “unthinkable,” i.e., the plausible scenarios that could occur over the time horizon covered by the corporate strategy and business plan? Has management considered how the entity would respond should any of these scenarios occur? Has considering these scenarios created awareness of the forces affecting the organization in the present that can make it captive to events in the future?
  • Are the enterprise’s “tone at the top” and culture conducive to effective risk management? For example, does the compensation structure reward short-term risk taking without taking into account the potential longer-term effects on the company? If there is a chief risk officer, does that individual have the right skills and is he or she positioned to be successful? Does he or she provide the board with timely information about the company’s risks? Is it clear that executive management will pay attention to the warning signs posted by the risk management function at the crucial moment?


  1. v shankar srinivasan
    Posted Sunday, February 7, 2010 at 8:40 pm | Permalink

    Just another knee-jerk reaction from policy makers who don’t know what they are legislating and what it is that needs legislating.

    All these qualifications in the past haven’t worked, have they? The basic human tendencies of greed and fear are all that matter. These can never be eliminated, and control of these requires an entirely different cultural mind set.

    The Q’s to be addressed are:
    1. How do you regulate greed? (make the markets lesser of a casino)
    2. How do you regulate fear? (lesser of the too-big-to-fail companies)
    3. How do you create reporting that is free from manipulation? (if you think IFRS is the answer, THINK again!! – if the use of IFRS was suspended during the credit squeeze, then the existing system was obviously the better one – DUH!!)

  2. David Griffiths
    Posted Monday, February 8, 2010 at 3:52 pm | Permalink

    So risk is the flavour for 2010. Good to see, especially as we in the UK have been harping on about it since before 2000…not that it did us much good. But before we gloat too much, haven’t small, successful business entrepreneurs been balancing risk and reward since the dawn of time? They haven’t done it formally, but if they don’t do it – they don’t become successful.
    Big business is finally catching up, but lest it look too simple, we are wrapping it up in complicated wording. Let’s keep it simple:

    Dear board members:
    Risks prevent you achieving your targets
    If you do not achieve your targets you will get a reduced bonus
    Therefore managing your risks helps protect your bonus.

    That should get them interested!

  3. Emily
    Posted Wednesday, February 10, 2010 at 3:54 pm | Permalink

    I agree with David. Big business and gov’t, what do you expect?
