Goldman Sachs’ 10 Principles of Effective Risk Oversight
I have been reading the December 2009/January 2010 edition of Directorship, a magazine well worth the subscription cost. This edition includes an article on Lloyd Blankfein, CEO of Goldman Sachs.
A sidebar lists Goldman Sachs’ 10 Principles of Effective Risk Oversight. Here they are, with a few observations from me. Overall, they are excellent and worthy of consideration by any company.
- Understand the company’s key drivers of success
I love that they start here – taking a top-down approach. I would expect this task to include understanding the business environment and context, and making sure the risk management program focuses on what really matters.
- Assess the risk in the company’s strategy
The top-down approach continues. Having understood what is necessary to be successful, what are the potential barriers and obstacles to success? This step is consistent with my advocacy for linking strategy and risk management processes/systems.
- Define the role of the full board and its standing committees with regard to risk oversight
Some commentators have discussed the Audit Committee as providing oversight of risk management, some advocate a specialized risk committee, several say the full board should provide oversight, and at least one has suggested the Audit Committee focus exclusively on financial risks (presumably assigning other risks to other committees). Each of these approaches has pros and cons, and the board should decide how to ensure appropriate oversight of all significant risks – including how to coordinate governance when different committees oversee management of different risks.
- Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources
The internal audit function can (and should, IMHO) provide assistance through consulting advice, or a formal assessment of the risk management system.
- Work with management to understand and agree on the types (and format) of risk information the board requires
- Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions
- Closely monitor the potential risks in the company’s culture and the incentive structure
This will be hard to achieve for the board without objective and independent sources of reliable information. I believe the internal audit function can fill that role.
- Monitor critical alignments – of strategy, risk, controls, compliance, incentives, and people
This speaks to the too-common siloed approach to these areas. If boards tackle this and force coordination and cooperation, the organization will benefit significantly.
- Consider emerging and interrelated risks. What’s around the next corner?
Management’s risk management process should address these aspects, and the board should challenge – using their insights and experience, which can be greater than that of the management team in some areas.
- Periodically assess the board’s risk oversight processes. Do they enable the board to achieve its risk-oversight objectives?
I welcome your comments on these. Do you believe they would be useful at your organization?