Questions to ask executives about risk management
I recently shared the following with a good friend, a senior partner with a law firm, who frequently chairs discussions with boards around risk management.
I have my own set of 10 questions (OK, they have follow-on questions). These were developed for boards, but they would probably be a good basis for questions auditors could ask as well.
- How has the executive team become familiar with leading risk management practices? When you manage risk, and uncertainty in general, are you using a recognized risk standard or framework?
- Risk management is about managing uncertainties that may impact our ability to achieve our goals. In broad strokes, can you describe how you identify, assess, and determine how to manage those uncertainties?
- How do you integrate the consideration and management of risk in the setting of strategy, achievement of goals and objectives, optimization of performance and management of major projects?
- How have you assigned the management of risk within the company? Is it clearly part of each manager's responsibilities, or is it seen as the responsibility of the risk officer, CFO, or another person? If the latter, why? If the former, how are managers informed, educated in risk management techniques, and provided with the tools for the task?
- How are risk criteria, including risk appetite and tolerance, set? How are those levels and expectations for taking risk communicated across the organization? How do you know when the levels are exceeded?
- If each manager is responsible for managing risks within their sphere of operations, within their set of responsibilities, how do you make sure you as an executive team have a clear view of risk across the organization? How do you manage the accumulation and interplay of risks when a single situation can affect multiple areas, or when the activities of one manager affect others?
- Are you managing risk fast enough, so you can act when necessary? Is the organization agile? Are you able to change strategic directions if risk levels change?
- What is your process for involving the board? Under what circumstances will you notify us? What information will you share and when?
- If you have a risk office, what is its role relative to the responsibilities of management? Where does it report, does it have access to executives and the board, and is it adequately resourced?
- How do you make sure the risk management process is working as you expect? Are you using internal audit to obtain that assurance?