Questions the Board should ask about Risk Management – suggestions from Protiviti and Marks
Protiviti has added a new issue, number 39, to its series on Board Perspectives: Risk Oversight. The latest is titled "Shaping the Risk Oversight Agenda" and includes a list of 10 questions boards should ask as they consider their oversight of risk management in 2013.
The 10 questions are decent ones and I will let you review the Protiviti piece to see them and the useful discussion provided on each. They are fine as far as they go, but they are probably not the questions I would have the board ask.
Here are 5 questions I think boards should consider asking of management in formal session:
- Are you, board and management separately and together, satisfied that the organization has an effective process for identifying, assessing, and responding to risks to the achievement of the organization’s objectives? If so, please explain why you believe it is effective now and how you know it will continue to be effective as we go through the year.
- Does that process provide sufficient timely information so that you are not surprised by changes in risk conditions, including changes in risk levels as well as by emerging risks?
- Is the consideration of risk sufficiently integrated into management processes and operations, so that it impacts strategy-setting and decision-making across the organization, or is risk management performed in a silo that is separate from performance reporting and management and how the organization is run every day?
- What are the plans for improving the maturity and effectiveness of risk management in 2013?
- Where is the risk management program weakest (such as incomplete, unreliable, or untimely information) and what does this mean to the management of the organization? How are you compensating for the risk that this represents?
Are these questions boards should be asking? What would you ask as a board member?