Home
> Uncategorized > Questions the Board should ask about Risk Management – suggestions from Protiviti and Marks
Questions the Board should ask about Risk Management – suggestions from Protiviti and Marks
Protiviti has added a new issue, number 39, to its series on Board Perspectives: Risk Oversight. The latest has the title of Shaping the Risk Oversight Agenda and includes a list of 10 questions board should ask as they consider their oversight of risk management in 2013.
The 10 questions are decent ones and I will let you review the Protiviti piece to see them and the useful discussion provided on each. They are fine as far as they go, but they are probably not the questions I would have the board ask.
Here are 5 questions I think boards should consider asking of management in formal session:
- Are you, board and management separately and together, satisfied that the organization has an effective process for identifying, assessing, and responding to risks to the achievement of the organization’s objectives? If so, please explain why you believe it is effective now and how you know it will continue to be effective as we go through the year.
- Does that process provide sufficient timely information so that you are not surprised by changes in risk conditions, including changes in risk levels as well as by emerging risks?
- Is the consideration of risk sufficiently integrated into management processes and operations, so that it impacts strategy-setting and decision-making across the organization, or is risk management performed in a silo that is separate from performance reporting and management and how the organization is run every day?
- What are the plans for improving the maturity and effectiveness of risk management in 2013?
- Where is the risk management program weakest (such as incomplete, unreliable, or untimely information) and what does this mean to the management of the organization? How are you compensating for the risk that this represents?
Are these questions boards should be asking? What would you ask as a board member?
Leave a Reply
Share this blog
Recent Posts on Norman’s IIA Blog
- Excellent Advice on Risk Oversight May 20, 2013
- Deloitte Takes a Highly Intelligent Approach to Risk Management May 3, 2013
- Gartner Points to Failures to Obtain Value From Technology April 29, 2013
- The Important Risks That Are Overlooked but Should Come First April 23, 2013
- Technology is Too Important to Leave to IT April 23, 2013
- Does It Make Sense to Discuss GRC? April 23, 2013
- Risk-Based Audit Opinions That Matter April 8, 2013
- Deloitte Discusses Disruptive Technology April 1, 2013
- The Path to Excellence for Internal Audit March 26, 2013
- PwC Issues State of the Internal Audit Profession 2013 March 26, 2013
Not exactly the questions I would ask but your thinking is at least quite solid. I would ask
Are we operating within the risk criteria of the company that we have established and if so please show us this?
Are we satisfied that what we are looking at is a comprehensive summary of our risk portfolio and what is the basis for reaching this level of satisfaction?
Are things getting better or worse in terms of the company’s management of risks.? What improvements have we seen during the course of this year and what would our overall ranking be at end of the current year and how does that compare to last year?
Are we satisfied that the right levels of assurance are being applied to the risk portfolio and the various assurance providers are doing what they are supposed to be doing? What is the basis for this satisfaction?
Have we adequately addressed needs of all of the company’s major stakeholders and how do we know this?
These are great questions to ask the Board. I would add several things from my experience.
My most successful approach to the Board was to first send personalized questions and keep them short and semi-formal. For example, ‘Do you know the top ten risks facing the organization today and do you agree with them? If not, why?’ I also think it is important to probe their knowledge and confidence in the assurance activities that accompany those reported risks. I would ask: ‘Do you have confidence that the information you receive is reliable and helpful to you in assessing these risks? What would you improve?’ I did not treat this as a survey; I simply left the questions in their hands. I found that Board members came to the workshop well prepared to discuss key questions about the organization’s ERM program. I find that the Board, like any other Committee, is prone to ‘Group Think’ and may not individually bring their own positions fully into the discussions, especially if they have not done any pre-meeting preparation. Also, Boards are very busy and have a minimal amount of time and attention to address these serious matters. My reaching out to them on an individual level in advance I believe greatly improved their participation in the workshop.