7.1 Role of the Board in Risk Management
Potential profit often corresponds to the potential risk…. Stockholders’ investment interests will be advanced if corporate directors and managers honestly assess risk and reward, cost and benefit – Hon. E. Norman Veasey (former Chief Justice of the Delaware Supreme Court) (Waller Lansden Dortch & Davis, 2005)
The board of directors plays a crucial role in risk management by providing oversight and strategic guidance. While not directly involved in day-to-day risk management activities, the board is responsible for ensuring that the organization has effective risk management systems and processes in place. The board’s primary functions in risk management include setting the company’s risk appetite, overseeing the development and implementation of risk management policies and procedures, monitoring significant risks facing the organization, and fostering a risk-aware culture throughout the company. By fulfilling these responsibilities, the board helps to safeguard the organization’s assets, reputation, and long-term sustainability.
Drawing on the COSO ERM framework, the key responsibilities and functions of the board in this context are described below:
Image Description
A double helix shape of different colours representing the various components: Governance & Culture with Information, Communication, & Reporting on one side, and Strategy & Objective Setting, Performance, and Review & Revision on the other. Interspersed through the double helix shape are Mission, Vision, & Core Values; Strategy Development; Business Objective Formulation; Implementation & Performance; and Enhanced Value.
Oversight and Governance
Risk Oversight
The board’s oversight role involves:
- Regularly reviewing the organization’s risk profile and risk management strategies
- Challenging management’s assumptions about risks
- Ensuring that risk management is integrated into strategic planning and decision-making processes
- Verifying that appropriate resources are allocated to risk management activities
Policy Development
In developing risk management policies, the board should:
- Establish clear guidelines for risk identification, assessment, and mitigation
- Define the organization’s risk appetite and tolerance levels
- Ensure policies are adaptable to changing business environments
- Regularly review and update policies to reflect new risks and best practices
Risk Culture
To foster a risk-aware culture, the board can:
- Lead by example in prioritizing risk management
- Encourage open communication about risks at all levels of the organization
- Integrate risk considerations into performance evaluations and incentive structures
- Promote training and education programs on risk management
Monitoring and Reporting
Continuous Assessment
This involves:
- Implementing a systematic approach to identifying and assessing risks
- Regularly reviewing the effectiveness of risk mitigation strategies
- Ensuring that risk assessments are forward-looking and consider emerging risks
- Conducting periodic independent reviews of the risk management framework
Key Risk Indicators (KRIs)
The board should:
- Work with management to identify relevant KRIs for different risk categories
- Ensure KRIs are aligned with the organization’s strategic objectives
- Set appropriate thresholds for KRIs that trigger escalation or action
- Regularly review the relevance and effectiveness of chosen KRIs
Risk Reporting
Effective risk reporting to the board includes:
- Establishing a clear reporting structure and frequency
- Ensuring reports provide a comprehensive view of the organization’s risk profile
- Including both quantitative metrics and qualitative assessments
- Highlighting significant changes in risk exposure and emerging risks
Committee Involvement
Audit and Risk Committees
These committees should:
- Conduct deep dives into specific risk areas
- Review the adequacy of internal controls and risk management processes
- Oversee the internal audit function and its risk-based audit plans
- Engage with external auditors to understand their risk assessments
Coordination Among Committees
To ensure comprehensive risk coverage:
- Establish clear charters defining each committee’s risk responsibilities
- Hold joint committee meetings to discuss overlapping risk areas
- Ensure regular information sharing between committees
- Provide periodic updates to the full board on committee-level risk discussions
Strategic Risk Management
Strategic Risks
The board’s involvement includes:
- Dedicating time in board meetings to discuss strategic risks
- Challenging management’s strategic assumptions and risk assessments
- Considering scenario planning and stress testing for major strategic decisions
- Ensuring alignment between risk management and strategic planning processes
Cyber Risks
Given the critical nature of cyber risks, the board should:
- Ensure regular briefings on the organization’s cybersecurity posture
- Oversee investments in cybersecurity infrastructure and talent
- Review incident response and business continuity plans
- Stay informed about evolving cyber threats and regulatory requirements
Accountability and Transparency
Accountability
To ensure accountability, the board should:
- Clearly define risk management responsibilities for executives and management
- Include risk management objectives in performance evaluations
- Ensure there are consequences for non-compliance with risk policies
- Regularly assess the effectiveness of the risk management function
Transparency
To promote transparency, the board can:
- Oversee the development of comprehensive risk disclosures in financial reports
- Ensure clear communication of risk management practices to stakeholders
- Encourage management to be forthcoming about significant risks and mitigation efforts
- Support engagement with regulators, investors, and other stakeholders on risk-related matters
In summary, the board’s role in risk monitoring and reporting is to provide oversight, develop policies, foster a risk-aware culture, ensure continuous risk assessment, and maintain accountability and transparency. By fulfilling these responsibilities, and by strengthening the monitoring and reporting practices described above, the board helps safeguard the organization against potential risks and contributes to its resilience and long-term success. (Krishnamoorthy, n.d.; Barlow, 2016; Waller Lansden Dortch & Davis, 2005; Institute of Risk Management, n.d.)
Image Description
The image depicts an organizational chart for risk management within a company. The hierarchy and connections are as follows:
- Board (pink circle at the top): Connected to all committees and executive officers.
- Committees and Executive Officers:
  - Risk Committee (green circle): Connected to the Chief Risk Officer (CRO).
  - Chief Executive Officer (CEO) (blue circle): Connected to the Chief Risk Officer (CRO) and Chief Financial Officer (CFO).
  - Audit Committee (purple circle): Connected to the Chief Risk Officer (CRO).
  - Finance Committee (yellow circle): Connected to the Chief Financial Officer (CFO).
- Chief Officers:
  - Chief Risk Officer (CRO) (purple circle): Connected to Risk Management and Internal Audit.
  - Chief Financial Officer (CFO) (green circle): Connected to Financial.
- Functional Units:
  - Risk Management (pink circle): Connected to the Chief Risk Officer (CRO).
  - Internal Audit (purple circle): Connected to the Chief Risk Officer (CRO).
  - Financial (yellow circle): Connected to the Chief Financial Officer (CFO).
The chart uses colour-coded circles to represent different roles and their connections, indicating lines of reporting and oversight within the organization.