
Part-time boards can provide full-time oversight of risk management

Oversight by the board of this critical area is an essential element of effective governance. With this in mind, many organizations have provided guidance – but while some of it is good, other guidance is likely to lead boards astray; it may even lead to errors in the implementation of risk management, such as a failure to recognize that risk management is a dynamic process that needs to be integrated across the organization and made part of strategy-setting, performance management, and daily decision-making. It is not a periodic exercise.

Just as the management of risk is a dynamic, iterative process, the board needs continued assurance that management has an effective process in place.

Let’s take some of the guidance and see what is good and not so good.

COSO, in its Enterprise Risk Management – Integrated Framework, says that “through the risk oversight process, the board should:

  • Understand the entity’s risk philosophy and concur with the entity’s risk appetite
  • Know the extent to which management has established effective risk management of the organization
  • Review the entity’s portfolio of risk and consider it against the entity’s risk appetite
  • Be apprised of the most significant risks and whether management is responding appropriately”

This tells some but not all the story:

  • The board should have an active role in understanding and approving the entity’s taking of risk. Yes
  • It should know whether management has established an effective risk management framework and process. Yes – a critical point
  • But it should also know what actions are being taken to upgrade the management of risk where it is not sufficient, and understand the level of risk that deficient risk management represents to the success of the organization
  • It should understand the more significant risks to the organization as a whole, and whether management has taken appropriate steps in response
  • But, it is unrealistic to expect the board to “review the entity’s portfolio of risk”. Risk is dynamic and is present in every decision, every day. The board needs to be aware of the more significant risks, be involved where it can add value, and then be able to rely on the ongoing and continuous management of risk by executives and managers across the organization. If the organization feels it is able to provide a report that shows the entire “portfolio of risk”, I have to question whether they are addressing every risk that matters.

[A 2010 COSO report, Board Risk Oversight: A Progress Report from Protiviti, makes interesting reading, together with a 2009 report: Effective Enterprise Risk Oversight, The Role of the Board of Directors].

The problem with many guides from so-called thought leaders and experts on risk oversight is that they talk about the board reviewing a list of top risks from management, seeing if they agree that they are the top risks, validating management’s assessment of each risk, and discussing the actions management is taking in response.

This constitutes a periodic review of a list of risks. It may provide some level of comfort but it is limited to that list of risks and is only at that point in time.

One influential internal audit thought leader believes that internal audit should provide assurance that the board receives an accurate report of [residual] risk levels. I don’t believe that is sufficient because (a) it remains a point in time activity while risk is managed continuously, and (b) it involves internal audit second-guessing management’s assessment of risk levels. Internal audit should ensure management has effective processes for managing risk every day, which includes but is certainly not limited to periodic reporting to executives and the board.

The Canadian Institute of Chartered Accountants produced a thoughtful guide: A Framework for Board Oversight of Enterprise Risk. In the Introduction, you will find this excellent section:

“What is the appropriate role of the board in corporate risk management? Traditional governance models support the notion that boards cannot and should not be involved in day-to-day risk management. Rather, through their risk oversight role, directors should be able to satisfy themselves that effective risk management processes are in place and functioning effectively. The risk management system should allow management to bring to the board’s attention the company’s material risks and assist the board to understand and evaluate how these risks interrelate, how they may affect the company, and how these risks are being managed. To meaningfully assess those risks, directors require experience, training and knowledge of the business.”

I recommend a read of this interesting document.

I also recommend listening to my friend Jim DeLoach talk about risk oversight in this video. Note how he discusses the need for the board to satisfy itself that management has an effective risk management program in place.

The board relies on the system of internal control, with assurance from external and internal audit on its effectiveness, to produce periodic financial reports. It then reviews and asks appropriate questions of the financial statements before they are filed.

In the same way, it should seek to rely on an effective set of processes for managing risks to the achievement of objectives and creation of value. Board members should similarly review periodic risk reports and ask appropriate questions of management.

When the board knows that it can rely on management’s processes for managing risk, will be informed on a timely basis on changes in risk that merit its attention, and reviews and questions reports produced by the risk management process (not only at scheduled meetings but when the board is notified of significant changes), it is providing full-time oversight.

This is my advice for directors in discharging their responsibilities for oversight of risk management (see my prior blog):

1. The responsibility of the board is to ensure that management has appropriate processes for risk management. It is not the directors who identify and assess risk (with the exception of the point below), but management.

2. Some risks should be the remit of directors, such as:

  • CEO performance
  • Executive succession planning
  • The effectiveness of the board and its committees
  • The adequate performance of those that report to the board, such as the internal and external audit functions and, in some organizations, the chief risk and chief compliance officers

3. Directors should understand that risk management is not just about protecting value but creating it. When risk information is provided to decision-makers and considered in the making of business decisions, better decisions are likely and this will drive better performance. When we are talking about risk, we are talking about uncertainties (potential events or situations) that lie in the path to the organization’s objectives. The effect of those uncertainties can be positive, creating value (often referred to as opportunities), as well as negative, impeding progress. Risk management is, at its core, about understanding those uncertainties (both those with positive and negative effects on objectives) and taking actions to optimize outcomes.

4. Directors should also understand that it is essential that the risk management process be dynamic, iterative, and responsive to change because (a) business conditions, including risks, are changing at an accelerating pace, (b) the volatility of risk seems to be increasing, (c) the time to respond to those changes is diminishing, and (d) business decisions have to be made at speed. Assessing and responding to risk at periodic intervals is unlikely to be sufficient; the understanding and consideration of risk has to be embedded into how the business is run – every day.

5. Risk management should not be a separate activity; it should be embedded in the processes for establishing objectives and setting strategies; managing major projects; monitoring and optimizing performance; reporting of results, both financial and operational; reviewing executive compensation; and daily decision-making.

6. As business conditions change, not only external to the business but also internal – such as organization changes – management should consider updating its risk framework (including approved risk appetite or criteria) and processes.

7. Reviewing the effectiveness of risk management and internal control is an essential part of the board’s responsibilities and should be performed at least annually. The board will need to form its own view on effectiveness based on the information and assurances provided to it (see #10, below), and in doing so it must exercise the standard of care generally applicable to directors in carrying out their duties. Management is accountable to the board for implementing and monitoring the system of risk management and internal control and for providing assurance to the board that it has done so.

8. Neither risk management nor internal control processes provide perfect assurance. Rather, the board should assess whether management’s processes provide reasonable assurance that the more significant risks to the company’s objectives and strategies are within levels appropriate to the company’s business and approved by the board.

9. When assessing the adequacy of risk management, the board should consider:

  • CEO performance;
  • Executive succession planning;
  • The effectiveness of the board and its committees;
  • The adequate performance of those that report to the board, such as the internal and external audit functions and, in some organizations, the chief risk and chief compliance officers;
  • The processes for establishing the company’s longer and shorter-term objectives and strategies, and whether they give appropriate consideration to risk;
  • The processes for determining the company’s risk appetite or criteria, and communicating them to managers and other employees as appropriate. While it can be valuable (and is required by law or regulation in some cases) to establish the organization’s overall risk appetite (the level of risk the organization is willing to accept), unless that appetite is translated into practical guidance that each manager can apply in decision-making to take the right risks, an appetite statement will be form without substance;
  • The adequacy of the company’s risk policies and standards;
  • The adequacy of management’s processes for identifying, analyzing, evaluating, and treating new or modified risks;
  • Whether there is sufficient effective communication of risk and control information across the business;
  • The processes for monitoring and optimizing performance, and whether they give sufficient consideration to risk levels;
  • Whether management’s processes for monitoring the adequacy of internal control and risk management processes provide reasonable assurance that they continue to operate as intended and are modified as business conditions or risks change; and
  • Management’s reporting of risk and whether it provides both senior management and the board sufficient timely visibility of risk levels across the organization and whether they are at acceptable levels.

10. The board should solicit a formal opinion on the adequacy of risk management and internal control from the head of the internal audit function at least annually, which should be considered in the board’s own assessment. The board should also solicit the observations of the independent auditor, recognizing that such observations will generally be limited to risks and controls related to the preparation of the external financial statements. If the organization has a chief risk officer, their opinion should be obtained of the adequacy of risk management processes and practices, including the organization’s risk culture, the adequacy of resources for the management of risk, and the integration of risk into strategy-setting, major project management, performance management, etc.

11. The board should ensure that its members have sufficient collective understanding of risk management practices and techniques to effectively question and assess management’s risk management framework and processes.

12. The board should ensure it receives sufficient useful, reliable, complete, timely, and current information to provide effective oversight of the organization’s performance, including risk management.

Earlier this year, I suggested 5 questions board members should ask management:

  1. Are you, board and management separately and together, satisfied that the organization has an effective process for identifying, assessing, and responding to risks to the achievement of the organization’s objectives? If so, please explain why you believe it is effective now and how you know it will continue to be effective as we go through the year.
  2. Does that process provide sufficient timely information so that you are not surprised by changes in risk conditions, including changes in risk levels as well as by emerging risks?
  3. Is the consideration of risk sufficiently integrated into management processes and operations, so that it impacts strategy-setting and decision-making across the organization, or is risk management performed in a silo that is separate from performance reporting and management and how the organization is run every day?
  4. What are the plans for improving the maturity and effectiveness of risk management in the next 12 months?
  5. Where is the risk management program weakest (such as incomplete, unreliable, or untimely information) and what does this mean to the management of the organization? How are you compensating for the risk that this represents?

I welcome your comments.

  1. Deb
    August 25, 2013 at 11:23 PM

    Norman: Very comprehensive and cogent approach outlined, as always. In the initial steps to ERM, a Board may sometimes need to review at least major risks, even if not “review the entity’s portfolio of risk”. I guess anything which goes towards sensitizing Boards to the significance of instituting good risk management practices should be welcome.

    I’ve a small doubt: Towards the end of #10 (‘The board should solicit a formal opinion on…’), you include “the adequacy of resources for the management of risk”. But in your ‘5 questions’, you (rightly) warn against the pitfall (#3) of “risk management performed in a silo that is separate from performance reporting and management and how the organization is run every day”.

    If ERM is to be tightly integrated with business performance management (as ideal), do we need a separate assessment of adequacy of resources for ERM? Shouldn’t such assessment actually be of/integrated with the resource adequacy for business performance management?

    Deb

  2. Norman Marks
    August 26, 2013 at 7:01 AM

    Deb,

    Good point. Judgement will have to be exercised to answer the question of resources. In most organizations, somebody will have to aggregate and report risk information, hopefully integrated with strategy and performance reporting. Somebody will have to maintain risk policies, processes, and systems and train/mentor new people.

    Some of the best at risk management have it integrated into business operations with a limited central team. Other styles have a team of experts that assist operating management in the same way lawyers do – co-located and providing additional expertise (such as leading risk workshops) as needed.

    Norman

  3. August 27, 2013 at 10:01 AM

    Norman: Great post with a lot of excellent points.

    I would like to add one point of clarification. In case the mysterious person referenced in your post is me, I would like to state that I don’t believe it accurately captures my views. Your post states:

    “One influential internal audit thought leader believes that internal audit should provide assurance that the board receives an accurate report of [residual] risk levels. I don’t believe that is sufficient because (a) it remains a point in time activity while risk is managed continuously, and (b) it involves internal audit second-guessing management’s assessment of risk levels. Internal audit should ensure management has effective processes for managing risk every day, which includes but is certainly not limited to periodic reporting to executives and the board.”

    While it is true I believe that internal audit should provide assurance to the board that the board is, or is not, receiving reliable information on the retained/residual risk linked to the entity’s top value creation and potentially value eroding objectives, this should be done first and foremost by internal audit assessing and reporting to the board on the effectiveness of the organization’s entity level risk management processes. In a large percentage of organizations today those processes (increasingly referred to as an organization’s “Risk Appetite Framework”) are not producing the quantity or quality of risk information recommended by groups like the Financial Stability Board (“FSB”) in their ground-breaking July 2013 consultative draft “Principles for an Effective Risk Appetite Framework”. Particular attention should be paid to the role envisioned by the FSB for boards on page 7 and the role defined for internal audit (or other independent assessor) described on page 10. The consultative paper can be sourced at:

    http://www.financialstabilityboard.org/publications/r_130717.htm

    I applaud the IIA for elevating the importance of IA providing opinions on the effectiveness of risk management processes required by IIA IPPF standard 2120 and working to equip auditors to complete the work through the new CRMA designation. I fear, however, that a very large percentage of internal auditors still see their main role as planning and completing spot-in-time audits and providing subjective opinions on whether they think controls are “effective”. It will take a concerted effort by scores of IA leaders to adjust this paradigm to one capable of supporting the role for IA envisioned by the Financial Stability Board.

  4. August 30, 2013 at 11:30 PM

    The Practice Advisory notes that the chief audit executive (CAE) plays a key role in assurance mapping. It is their responsibility to understand the independent assurance requirements of the board and the organization. Based on the level of assurance that internal audit provides, the board must be certain that all risks are being managed effectively. Some organizations require an overall opinion from the CAE. In that case, the CAE must understand the assurance mapping process before expressing an opinion on assurance. In other organizations, the CAE can act as the coordinator of assurance activities to ensure an efficient process. In either situation, assurance mapping is an effective way of coordinating risk management and assurance coverage within an organization.

