
Goldman Sachs’ 10 Principles of Effective Risk Oversight

January 11, 2010

I have been reading the December 2009/January 2010 edition of Directorship, a magazine well worth the subscription cost. This edition includes an article on Lloyd Blankfein, CEO of Goldman Sachs.

A sidebar lists Goldman Sachs’ 10 Principles of Effective Risk Oversight. Here they are, with a few observations from me. Overall, they are excellent and worthy of consideration by any company.

  • Understand the company’s key drivers of success

I love that they start here – taking a top-down approach. I would expect this task to include understanding the business environment and context, and making sure the risk management program focuses on what really matters.

  • Assess the risk in the company’s strategy

The top-down approach continues. Having understood what is necessary to be successful, what are the potential barriers and obstacles to success? This step is consistent with my advocacy for linking strategy and risk management processes/systems.

  • Define the role of the full board and its standing committees with regard to risk oversight

Some commentators have discussed the Audit Committee as providing oversight of risk management, some advocate a specialized risk committee, several say the full board should provide oversight, and at least one has suggested the Audit Committee focus exclusively on financial risks (presumably assigning other risks to other committees). Each of these approaches has pros and cons, and the board should decide how to ensure appropriate oversight of all significant risks – including how to coordinate governance when different committees oversee management of different risks.

  • Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources

The internal audit function can (and should, IMHO) provide assistance through consulting advice, or a formal assessment of the risk management system.

  • Work with management to understand and agree on the types (and format) of risk information the board requires
  • Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions
  • Closely monitor the potential risks in the company’s culture and the incentive structure

This will be hard to achieve for the board without objective and independent sources of reliable information. I believe the internal audit function can fill that role.

  • Monitor critical alignments – of strategy, risk, controls, compliance, incentives, and people

This speaks to the too-common siloed approach to these areas. If boards tackle this and force coordination and cooperation, the organization will benefit significantly.

  • Consider emerging and interrelated risks. What’s around the next corner?

Management’s risk management process should address these aspects, and the board should challenge – using their insights and experience, which can be greater than that of the management team in some areas.

  • Periodically assess the board’s risk oversight processes. Do they enable the board to achieve its risk-oversight objectives?

I welcome your comments on these. Do you believe they would be useful at your organization?

  1. Will Ozier
    January 12, 2010 at 2:36 PM

    I’m not so sure the Audit Committee is the right place to address risk. Seems to me that risk assessment is a specialized activity that should be addressed by a dedicated individual (CRO) and associated staff, or committee of the Board.

  2. Jerome Pugnet
    January 18, 2010 at 8:38 AM

    I think risk assessment should absolutely NOT be the task of the CRO and a central risk team: recipe for failure.
    I will never forget the despair of a CRO I met in an insurance company who couldn’t get the risk culture to move forward into his organisation, because people in operations just thought it was “not their business”, but a matter for specialists, and the company top management was not really helping change that in the corporate culture (obviously since then this CRO has left).
    The CRO and his team have a key role to play to support/organize the process though, but the knowledge of the reality where the risks reside is primarily best understood and assessed by those who live in it. A good way to make it work I often see is for the CRO to build a network of “decentralized” risk correspondents that help coordinate this effort and help motivate people in operations on the benefits of the exercise.

  3. August 19, 2011 at 3:37 AM

    I like the helpful information you supply on your articles. I will bookmark your blog and test once more right here regularly. I am relatively certain I will be informed many new stuff proper right here! Good luck for the following!
