Risk oversight is a high priority for today’s boards of directors. The risk oversight playbook is likely to evolve as boards refine their processes into 2010 and beyond. There are signs that legislators and regulators have risk oversight in their line of sight. For example, in the United States, the SEC proposed new proxy disclosures to spotlight directors’ qualifications and the role of the board in the risk management process. Some U.S. lawmakers are sponsoring a bill to mandate a separate risk committee of the board. Whatever happens, it is clear the bar is being raised as boards take a fresh look at the qualifications of their members, how they operate, the extent to which they avail themselves of the appropriate company officers and other expertise to understand the enterprise’s risks, and whether their committee structure and the information to which their committees have access are conducive to effective risk oversight.
“Risk oversight” describes the board’s role in the risk management process. Effective risk oversight determines that the company has in place a robust process for identifying, prioritizing, sourcing, managing and monitoring its critical risks, and that this process is improved continuously as the business environment changes. By contrast, “risk management” is what management does to execute the risk management process in accordance with established performance goals and risk tolerances. Through the risk oversight process, the board (1) obtains an understanding of the risks inherent in the corporate strategy and the risk appetite of management in executing that strategy, (2) accesses useful information from internal and external sources about the critical assumptions underlying the strategy, (3) is alert for possible organizational dysfunctional behavior that can lead to excessive risk taking, and (4) provides input to executive management regarding critical risk issues on a timely basis.
If we accept this delineation as a working premise, then the role of risk oversight becomes clearer – it is the process by which the board and management develop a mutual understanding regarding the risks the company faces over time as it executes its business model and pursues new opportunities. If poisonous snakes are encountered along the way as the strategy is executed, the board and management will know they are there and, if the company is bitten, how much it might hurt. Therefore, risk oversight seeks a balance between enhancing and protecting enterprise value.
Questions for Boards
Following are some suggested questions that boards may consider, as appropriate to the entity’s operations, as they seek to clarify their risk oversight responsibilities:
- Is there a robust process in place for identifying, prioritizing, sourcing, managing and monitoring the enterprise’s critical risks in a changing operating environment?
- Do we understand the risks inherent in the corporate strategy? Is there a sufficient understanding of the significant assumptions underlying the strategy and is a process in place to monitor for changes in the environment that could alter those assumptions?
- Are we and executive management on the same page with respect to the risks the entity is willing to accept and the risks the entity should avoid (i.e., the entity’s risk appetite)? Is there sufficient dialogue enabling appropriate and timely board input to executive management on the risks undertaken?
- Are policies in place for managing significant financial and commodity risks on an enterprise-wide basis? Has management quantified the loss exposures involving these risks and prepared response plans to address multiple future scenarios?
- If new and complex risks emerge, are the appropriate expertise, processes and information brought to bear to ensure there is an understanding of the emerging risks and their implications to the enterprise’s strategy and business model?
- Is the board receiving the information it needs to foster effective risk oversight, or is it drowning in data providing little knowledge or insight? Is there sufficient agenda time for discussing the enterprise’s risks? In what areas does the organization need to improve its capabilities for managing risk?
- Does the organization have a process for thinking about the “unthinkable,” i.e., the plausible scenarios that could occur over the time horizon covered by the corporate strategy and business plan? Has management considered how the entity would respond should any of these scenarios occur? Has considering these scenarios created awareness of the forces affecting the organization in the present that can make it captive to events in the future?
- Are the enterprise’s “tone at the top” and culture conducive to effective risk management? For example, does the compensation structure reward short-term risk taking without taking into account the potential longer-term effects on the company? If there is a chief risk officer, does that individual have the right skills and is he or she positioned to be successful? Does he or she provide the board with timely information about the company’s risks? Is it clear that executive management will pay attention to the warning signs posted by the risk management function at the crucial moment?