7.1 Role of the Board in Risk Management

Potential profit often corresponds to the potential risk…. Stockholders’ investment interests will be advanced if corporate directors and managers honestly assess risk and reward, cost and benefit – Hon. E. Norman Veasey (former Chief Justice of the Delaware Supreme Court)​ (Waller Lansden Dortch & Davis, 2005)​

The board of directors plays a crucial role in risk management by providing oversight and strategic guidance. While not directly involved in day-to-day risk management activities, the board is responsible for ensuring that the organization has effective risk management systems and processes in place. The board’s primary functions in risk management include setting the company’s risk appetite, overseeing the development and implementation of risk management policies and procedures, monitoring significant risks facing the organization, and fostering a risk-aware culture throughout the company. By fulfilling these responsibilities, the board helps to safeguard the organization’s assets, reputation, and long-term sustainability.

From the COSO ERM framework, some of the key responsibilities and functions of the board this context are described below:

A representation of the COSO ERM Framework. See image description below
Figure 7.1.1: “COSO ERM Framework” in Enterprise Risk Management: Integrating with Strategy and Performance© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission. (See Acceptable Use of COSO Materials [PDF] for permission details).
Image Description

A double helix shape of different colours representing the various components: Governance & Culture with Information, Communication, & Reporting on one side and Strategy & Objective Setting, Performance, and Review & Revision on the other.  Interspersed through the double helix shape are Mission, Vision, & Core Values, Strategy Development, Business objective Formulation, Implementation & Performance, and Enhanced Value

Oversight and Governance

Risk Oversight

The board’s oversight role involves:

  • Regularly reviewing the organization’s risk profile and risk management strategies
  • Challenging management’s assumptions about risks
  • Ensuring that risk management is integrated into strategic planning and decision-making processes
  • Verifying that appropriate resources are allocated to risk management activities

Policy Development

In developing risk management policies, the board should:

  • Establish clear guidelines for risk identification, assessment, and mitigation
  • Define the organization’s risk appetite and tolerance levels
  • Ensure policies are adaptable to changing business environments
  • Regularly review and update policies to reflect new risks and best practices

Risk Culture

To foster a risk-aware culture, the board can:

  • Lead by example in prioritizing risk management
  • Encourage open communication about risks at all levels of the organization
  • Integrate risk considerations into performance evaluations and incentive structures
  • Promote training and education programs on risk management

Monitoring and Reporting

Continuous Assessment

This involves:

  • Implementing a systematic approach to identifying and assessing risks
  • Regularly reviewing the effectiveness of risk mitigation strategies
  • Ensuring that risk assessments are forward-looking and consider emerging risks
  • Conducting periodic independent reviews of the risk management framework

Key Risk Indicators (KRIs)

The board should:

  • Work with management to identify relevant KRIs for different risk categories
  • Ensure KRIs are aligned with the organization’s strategic objectives
  • Set appropriate thresholds for KRIs that trigger escalation or action
  • Regularly review the relevance and effectiveness of chosen KRIs

Risk Reporting

  • Effective risk reporting to the board includes:
  • Establishing a clear reporting structure and frequency
  • Ensuring reports provide a comprehensive view of the organization’s risk profile
  • Including both quantitative metrics and qualitative assessments
  • Highlighting significant changes in risk exposure and emerging risks

Committee Involvement

Audit and Risk Committees

These committees should:

  • Conduct deep dives into specific risk areas
  • Review the adequacy of internal controls and risk management processes
  • Oversee the internal audit function and its risk-based audit plans
  • Engage with external auditors to understand their risk assessments

Coordination Among Committees

To ensure comprehensive risk coverage:

  • Establish clear charters defining each committee’s risk responsibilities
  • Hold joint committee meetings to discuss overlapping risk areas
  • Ensure regular information sharing between committees
  • Provide periodic updates to the full board on committee-level risk discussions

Strategic Risk Management

Strategic Risks

The board’s involvement includes:

  • Dedicating time in board meetings to discuss strategic risks
  • Challenging management’s strategic assumptions and risk assessments
  • Considering scenario planning and stress testing for major strategic decisions
  • Ensuring alignment between risk management and strategic planning processes

Cyber Risks

Given the critical nature of cyber risks, the board should:

  • Ensure regular briefings on the organization’s cybersecurity posture
  • Oversee investments in cybersecurity infrastructure and talent
  • Review incident response and business continuity plans
  • Stay informed about evolving cyber threats and regulatory requirements

Accountability and Transparency

Accountability

To ensure accountability, the board should:

  • Clearly define risk management responsibilities for executives and management
  • Include risk management objectives in performance evaluations
  • Ensure there are consequences for non-compliance with risk policies
  • Regularly assess the effectiveness of the risk management function

Transparency

To promote transparency, the board can:

  • Oversee the development of comprehensive risk disclosures in financial reports
  • Ensure clear communication of risk management practices to stakeholders
  • Encourage management to be forthcoming about significant risks and mitigation efforts
  • Support engagement with regulators, investors, and other stakeholders on risk-related matters

The board’s role in risk monitoring and reporting is to provide oversight, develop policies, foster a risk-aware culture, ensure continuous risk assessment, and maintain accountability and transparency. By fulfilling these responsibilities, the board helps safeguard the organization against potential risks and supports its long-term success. The board can significantly enhance its risk monitoring and reporting effectiveness, ultimately contributing to the organization’s resilience and long-term success. ​ (Krishnamoorthy, n.d.; Barlow, 2016; Waller Lansden Dortch & Davis, 2005; Institute of Risk Management, n.d.)​

A risk management organizational flow chart. See image description below
Figure 7.1.2: “Risk Management Organization” by Sanaz Habibi, CC BY-NC-SA 4.0
Image Description

The image depicts an organizational chart for risk management within a company. The hierarchy and connections are as follows:

  1. Board (pink circle at the top): Connected to all committees and executive officers.
  2. Committees and Executive Officers:
    1. Risk Committee (green circle): Connected to the Chief Risk Officer (CRO).
    2. Chief Executive Officer (CEO) (blue circle): Connected to the Chief Risk Officer (CRO) and Chief Financial Officer (CFO).
    3. Audit Committee (purple circle): Connected to the Chief Risk Officer (CRO).
    4. Finance Committee (yellow circle): Connected to the Chief Financial Officer (CFO).
  3. Chief Officers:
    1. Chief Risk Officer (CRO) (purple circle): Connected to Risk Management and Internal Audit.
    2. Chief Financial Officer (CFO) (green circle): Connected to Financial.
  4. Functional Units:
    1. Risk Management (pink circle): Connected to the Chief Risk Officer (CRO).
    2. Internal Audit (purple circle): Connected to the Chief Risk Officer (CRO).
    3. Financial (yellow circle): Connected to the Chief Financial Officer (CFO).

The chart uses colour-coded circles to represent different roles and their connections, indicating lines of reporting and oversight within the organization.

License

Icon for the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

Risk Management - Supply Chain and Operations Perspective Copyright © 2024 by Azim Abbas and Larry Watson is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.

Share This Book