A Framework for Board Oversight of Enterprise Risk

The following post comes to us from Gigi Dawe, principal at the Canadian Institute of Chartered Accountants. This post is based on a framework developed by CICA; the full document, including footnotes, is available here.


In the aftermath of financial crises and a global recession, board oversight of enterprise risk continues to be a topical issue for board deliberation. The re-examination of the board’s role in the oversight of enterprise-wide risk has not been limited to investors or boards asking what could have been done to better understand and proactively address exposures. The SEC, New York Stock Exchange and other regulatory bodies continue to examine disclosure requirements related to various forms of enterprise risk. Risk oversight is a high priority for most boards, but for many it is also more-or-less uncharted territory.

What is the appropriate role of the board in corporate risk management? Traditional governance models support the notion that boards cannot and should not be involved in day-to-day risk management. Rather, through their risk oversight role, directors should be able to satisfy themselves that effective risk management processes are in place and functioning effectively. The risk management system should allow management to bring to the board’s attention the company’s material risks and assist the board to understand and evaluate how these risks interrelate, how they may affect the company, and how these risks are being managed. To meaningfully assess those risks, directors require experience, training and knowledge of the business.

The number of well publicized bankruptcies each year — both unforeseen and anticipated — shows that over-reliance on or absence of effective, management-led enterprise risk processes and models can have unexpected or even catastrophic results. These high-profile corporate disasters are often cited as extreme examples of failure of enterprise risk management systems and board oversight. For most corporations, however, the consequences of failure are more likely to be underperformance and destruction of shareholder value.

Effective risk management and board oversight should not be premised on risk avoidance. Every corporation is exposed to and takes risks daily. What is important is to manage the balance of risk and reward and to identify and minimize the consequences of a negative occurrence to the extent possible.

In our view, boards must take a more active and direct role in risk assessment well beyond traditional oversight of typical risk management processes. In particular, risks associated with leadership and strategy are prime examples of areas where a board must assert itself more directly since management cannot be expected to objectively assess its own performance, capabilities and strategy in such areas from a risk perspective. Unlike other embedded responsibilities of boards and committees, such as the oversight of financial reporting and disclosure, there are no standards for risk oversight and few, if any, authoritative sources on which boards may rely.

This framework is not intended to advise directors on how to create an enterprise risk management system or a technical management-led risk process; these are more suited to development by management. We also do not address crisis management in the event of an occurrence. Rather, our intent is to provide a practical approach to risk oversight designed specifically for boards of directors, including a framework, methodology and toolsets.

Executive Summary of Critical Issues


What is the board’s role in the context of risk oversight? Typically, boards of directors are tasked with providing oversight on identifying, assessing and to the extent possible mitigating corporate risk. It is the general view that boards are expected to provide an oversight role of the risk management systems and processes as well as continuously reviewing both the planning and outcomes of such processes.

This implies that oversight is somewhat passive and involves significant reliance on management. But there are valid circumstances in which boards must take a leadership role in assessing risk. For example, a primary risk might be an ill-advised strategy or a failure to execute strategy. How does management critically evaluate the very strategy it developed or objectively assess its ability to execute? Similarly, the quality and effectiveness of a corporation’s leadership, including the chief executive officer can pose a major risk. How is it possible for management to assess itself?

Questions for directors to ask:

  • Does the board clearly understand its oversight mandate and role?
  • Is the board sufficiently active in fulfilling this part of its mandate?
  • Do the directors share a common, practical understanding of their responsibility for risk oversight? Is this view the same as that of the CEO and executive team?
  • Does the board properly distinguish its responsibility for risk oversight from risk disclosure?
  • Are the objectives of the board’s responsibility for risk understood?

Directors’ individual knowledge and understanding of risk

If directors were asked whether they understand business risk, we believe most would say they do. Yet time after time, corporations find themselves in distressed situations and even bankruptcy, which invariably prompts the question, “Where were the directors?”

Questions for directors to ask:

  • Do board members have an adequate, up-to-date appreciation of the nature, types and sources of risks faced by the organization?
  • Does the board truly understand the interdependencies and how events or conditions occurring simultaneously can spell disaster?
  • Are seemingly unthinkable business risks ignored because their occurrence is thought to be unlikely?
  • Does the board have the necessary blend of business and industry knowledge and experience to assess risk?

Board’s primary objectives for enterprise risk management

By conventional thinking, the primary objectives of board oversight of risk are preserving the viability of the enterprise and improving shareholder value. In reality, the likelihood of total failure for most businesses is remote.

Questions for directors to ask:

  • Beyond the obvious objective of preserving the corporation’s viability, do board members understand that the most likely outcome of ineffective risk management is underperformance and the destruction of shareholder value?
  • Conversely, does the board recognize that a key objective of a robust enterprise risk oversight process should be to enhance performance and improve shareholder value?

Determining a corporation’s capacity, tolerance and appetite for risk

Whether advertently or not, every corporation faces risk constantly. In fact, an ongoing management responsibility is evaluating and adequately balancing risk with reward.

Questions for directors to ask:

  • Does the board periodically consider and quantify the corporation’s capability to take on and manage risk?
  • Does the board understand the differences between risk capacity, risk tolerance and risk appetite?
  • Does the board consciously assess risk and reward when considering major strategic or tactical initiatives?
  • Does the board have a framework within which to make meaningful judgments around risk tolerance and risk appetite?

Board organization and structure for addressing risk

Various models of board organization are currently used for the oversight of risk. In many cases, risk assessment is delegated to one or more board committees. In other cases, the board as a whole takes on the responsibility. In some cases, boards simply fail to assign this responsibility at all.

Questions for directors to ask:

  • Is the assignment of risk oversight clearly mandated?
  • Are the chair of the board and CEO committed to a dynamic and robust risk management environment?
  • If risk oversight is delegated to one or more committees, are the committees capable of overseeing risk in its broadest form?
  • Is sufficient time set aside to carry out this responsibility?
  • Do the board’s agendas promote integration of risk issues with other agenda items such as strategy, organization and finance?

Management approach to enterprise risk

Management approach to risk can vary widely. At one extreme are highly structured enterprise risk management processes with dedicated organizational resources. At the other extreme are more unsophisticated and passive approaches that address risk as an afterthought, usually regarding major expenditures, or through a SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis.

Questions for directors to ask:

  • Does management have a robust framework and comprehensive process to assess risk?
  • Does the board accept management’s assessment of risk too readily even when it appears superficial?
  • Are risk management processes or systems well designed such that risk is managed holistically and not in silos?
  • Does the corporation have adequate systems and processes in place to monitor the effectiveness of risk management?
  • Do the board and management learn from and act on instances where risk management strategies and systems have been ineffective?
  • Can management adequately and objectively assess risk when it is the architect of the risk management framework?
  • Does management have the openness and humility to recognize its shortcomings and the courage to recognize flawed strategy and change course?
  • Is risk tolerance and risk appetite set out in the company’s strategic plan? Is it appropriate?

Interrelationships and compounding effect of risks

Company failures, much like air disasters, usually result from many factors occurring simultaneously. In hindsight, the origins of these unfortunate and often disastrous events are painfully apparent.

Questions for directors to ask:

  • Does management understand the interconnectivity and interdependencies of risks?
  • Does the board recognize that the corporation may have several embedded exposures so that even relatively minor risks can produce significant unfavourable consequences?
  • Are risk interrelationships ignored because the likelihood of a negative occurrence is deemed remote?
  • Does the board have an adequate framework to understand the interrelationships, interdependencies and compounding effect of risks?

Strategic risk

Strategic plans are developed to map future direction, delineate the basis of a corporation’s competitive advantage and set out specific plans to achieve financial and other objectives. Since strategy ultimately involves choices, risks are inherent in virtually every strategic plan.

Questions for directors to ask:

  • Does the board understand and discuss the linkages between strategy and risk?
  • Does the board assess strategic plans in terms of their potential failure and the attendant consequences?
  • Does the board integrate assessment of risk and choices about risk into strategic plans?
  • Does the board have a framework and toolsets, such as competitive analysis and stress test modelling, to assist it to understand the consequences of strategic risk?

Adequacy and timeliness of relevant information

Boards of directors and board committees typically receive substantial information on quarterly performance, annual and longer-term plans, together with committee-specific information.

Questions for directors to ask:

  • Beyond risk-related strategic plan supplements and financial reporting data, do boards receive comprehensive reports on risk?
  • Is this information sufficient to make well-reasoned judgments about risk and risk management?

External advice

Typically, boards of directors have access to expert advice related to areas such as legal, accounting, compensation, financing, and mergers and acquisitions.

Questions for directors to ask:

  • Are there reputable experts to advise the board on various risk matters?
  • Does the board regularly engage such experts?

Executive performance evaluation and compensation

Boards evaluate executives using a variety of metrics and other criteria. Compensation philosophy and evaluation criteria are typically designed to align the executives’ objectives with the corporation’s goals.

Questions for directors to ask:

  • Does the board include risk management as a criterion for executive evaluation?
  • Are current compensation practices aligned or at odds with prudent risk management?
Both comments and trackbacks are currently closed.

One Comment

  1. Peter Robertshaw
    Posted Wednesday, September 19, 2012 at 4:14 am | Permalink

    Thank you for this great, very practical summary. The question check-lists will be very useful for many boards and highlight questions that have probably never been asked before.

    I wanted to make two comments – the first about what’s included and the second about an omission.

    It’s great to see you recognize the importance of the inter-connectivity of risks. Typically risks have been scored and acted upon in isolation when this is quite obviously not mirroring reality. Typically boards are presented with information on individual risks and the individual mitigation strategies in place. Sitting atop the organization it is they who must lead the questioning on inter-connectivity as this is most often the place where the clearest picture can be seen.

    I was surprised by the omission of any discussion of reputational risk. Several high profile cases in recent years (e.g. BP, Barclays, Newscorp) have shown how failure to consider the reputational and trust implications of risks can destroy value, threaten companies and lead to high-profile executive departures. This is becoming increasingly important in the age of social media when reputations can be destroyed in minutes rather than months.

    Finally, my organization, Active Risk, recently participated in World Risk Day 2012. This event had the aim of raising the profile of enterprise risk management and the need to take smarter risks. The web site http://www.worldriskday.com has built up a valuable independent set of risk information, reports and surveys and is definitely worth a look for advice on how to get started with enterprise risk management.