Questions to ask executives about risk management
I recently shared the following with a good friend, a senior partner with a law firm, who frequently chairs discussions with boards around risk management.
A good reference for boards is the 20 Questions series from the Canadian Institute of Chartered Accountants. The series includes one on risk management.
I have my own set of 10 questions (OK, they have follow-on questions). These were developed for boards, but they would probably be a good basis for questions auditors could ask as well.
- How has the executive team become familiar with leading risk management practices? When you manage risk, and uncertainty in general, are you using a recognized risk standard or framework?
- Risk management is about managing uncertainties that may impact our ability to achieve our goals. In broad strokes, can you describe how you identify, assess, and determine how to manage those uncertainties?
- How do you integrate the consideration and management of risk in the setting of strategy, achievement of goals and objectives, optimization of performance and management of major projects?
- How have you assigned the management of risk within the companies? Is it clearly part of each manager’s responsibilities, or is it seen as the responsibility of the risk officer, CFO, or other person? If the latter, why? If the former, how are they informed, educated in risk management techniques, and provided the tools for the task?
- How are risk criteria, including risk appetite and tolerance, set? How are those levels and expectations for taking risk communicated across the organization? How do you know when the levels are exceeded?
- If each manager is responsible for managing risks within their sphere of operations, within their set of responsibilities, how do you make sure you as an executive team have a clear view of risk across the organization? How do you manage the accumulation and interplay of risks when a single situation can affect multiple areas, or when the activities of one manager affect others?
- Are you managing risk fast enough, so you can act when necessary? Is the organization agile? Are you able to change strategic directions if risk levels change?
- What is your process for involving the board? Under what circumstances will you notify us? What information will you share and when?
- If you have a risk office, what is their role relative to the responsibilities of management? Where do they report, do they have access to executives and the board, and are they adequately resourced?
- How do you make sure the risk management process is working as you expect? Are you using internal audit to obtain that assurance?
How would you change these questions? What would you ask?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
All good questions Norman, that have to do with the process but not the actual identification, assessment and handling of specific risks.
I would try to limit the questions to 10 or less, with no multi-part questions, as the board needs to get to the actual assessment and oversight of specific risks.
Additionally, you are an expert at risk identification, assessment and handling, but most directors probably are not. At this point in time, I would assume that many directors need education or interactive discussions to help them get to the point of being comfortable with how they can best and most efficiently handle risk management and their oversight. Until they have sufficient background understanding, your questions probably don’t do them much good other than showing that they asked good questions.
So, if a board is going to ask and then discuss only 10 questions, I would ask some questions relating to the process, and use the other questions to identify, assess and handle specific risks. In terms of board meeting time, I believe that those 10 questions alone would take considerable time to ask and discuss.
David Tate
these questions helped me a lot when attending risk management workshop