Advice on board oversight of risk management

December 1, 2011

BoardMember has a series in which it interviews experts on a variety of topics relevant to directors. Recently, they interviewed a good friend of mine (Brian Barnier). Brian (see here for his bio) works at a number of levels: with boards and executives, advising on several topics including risk management. In this video, he shares advice for directors on how they can effectively provide oversight on risk management and key questions they should ask.

Now, Brian is a good friend. He and I have partnered on presentations and we are both OCEG Fellows. But that doesn’t mean we always agree. This is one of those times where I would go further than Brian has in this discussion.

This is what I would say to a board:

1. Recognize that risk is the effect of uncertainty on objectives. Risk management is not just about how the organization is protected from adverse events, such as an earthquake, the loss of a top executive, a supply chain disruption, or a 60 Minutes piece on certain alleged waste disposal practices. It’s also about how the organization handles uncertainty in general, which includes its ability to respond with agility to minimize potential adverse effects and embrace potential opportunities. It’s not only about protecting corporate value; it’s about seizing the moment and achieving – or exceeding – objectives.

2. Ask penetrating questions of management about the more significant (adverse) risks facing the organization, including those that are emerging. How does management identify the risks and assess their likelihood and potential impact? Are those processes adequate? Does it have reliable processes for evaluating and responding to the risks? What assurance does it have that the risks are being managed at appropriate levels? Is the risk organization appropriately staffed and resourced? Does it report at a level where it will be heard?

It’s probably more important to obtain assurance that management has good processes than it is to understand and provide your counsel on the risks themselves! After all, management is relying on those processes between meetings and may only bring to your attention matters that are the result of the processes.

I would definitely ask the internal audit function to provide a formal report on the adequacy of the risk management framework and processes on at least an annual basis.

3. Work with management to agree on how they (and you) will determine when (adverse) risks should be accepted. Is there a way to set an acceptable risk level for each area so that not only can you and management monitor to ensure they are not exceeded, but operating management is able to apply the standards when they are making decisions – taking the risks?

4. Also ask about management’s readiness and agility to identify, evaluate, and respond when there are market opportunities. Can management move fast enough, yet in a thoughtful and considered fashion?

5. Ask management how they ensure that people on the front-line are trained to handle risk and make appropriate decisions. Do they understand the organization’s attitude towards risk (their inclination to take or avoid risk) and how do they ensure it is consistent with desired risk-taking practices? How is risk addressed when it comes to IT or other major projects?

6. Agree with management on when and how you will be informed that either risk levels have been exceeded or an adverse event has occurred.

7. Recognize that the board should take the lead on certain risk management activities, such as addressing risks relating to the performance of the CEO and other top executives, whether there are compensation or other risks that might influence executives to make decisions contrary to the long-term interests of the company and its stakeholders, and whether management’s process for determining strategies is sound.

8. Oversight of risk management can and probably should be allocated to several board committees, with an overall review by the full board. Be careful about overloading the audit committee. That team already bears a large burden and may not be able to give sufficient consideration to all areas if risk management is added. I would only assign financial and possibly compliance risks (if there is no compliance committee) to the audit committee.

9. Don’t underestimate the need to obtain education and orientation in risk management. Have a look at the ISO 31000 standard, and have an expert on risk management present to the board.

10. Seek to continuously improve, assessing your performance annually. It would be useful, especially in the first few years, to engage an expert to assist in your self-assessment process.

Above all, the board needs to exercise common sense and not accept explanations that are not clear, or that it does not understand. While there is something of a science in quantifying certain risks (such as relating to currency fluctuations), most risk management functions have not failed because of that: they failed from a failure to apply common sense! (Just think of the assumption that house prices would never fall.)

Have I got this right? How would your advice differ? I would love to hear.

  1. Michael Corcoran
    December 1, 2011 at 12:15 PM

    The Board and management should be concerned about governance, value creation and preservation and performance. What events need to go right to create and preserve value? What events/activities need to go right to perform better than our competition? What events need to go right to govern well for the shareholders and stakeholders? Certainly, also look at events from an adverse or what could go awry perspective. But I like leading with the upside/positive view. Everyone is more understanding and receptive!

  2. Deb
    December 1, 2011 at 10:05 PM

    As usual your advice comes from a deep understanding and with unique perspective. I have a small issue with “It’s probably more important to obtain assurance that management has good processes than it is to understand and provide your counsel on the risks themselves!” Agreed, that should be the role in the ideal situation, even if seemingly a bit slanted towards the ‘assurance’ aspect rather than the governance aspect (an auditor speaking?!). However, I’d wager there are less than ideal situations prevailing in many, many organizations, both in terms of business environment & management styles (specifically consider organizations outside North America and Europe) and in the context of the prevailing ‘troubled’ control environment in general, what with corporate frauds crawling out like ants out of woodwork.

    In such less-than-ideal situations, where not all significant risks may rise to the surface due to a variety of reasons, e.g. management override or unethical environment, despite apparent good processes being in place, the Board may have to go further than obtaining assurance on such processes. It’d probably do good for Boards in such situations to enlarge the scope to “Recognize that the board should take the lead on certain risk management activities” beyond the ones stated above (e.g. CEO performance & strategy planning process). May look at micro-managing from a distance, but at times there may be no alternative to taking the bull by the horns, if only for a limited, agreed time.

    My 2 cents.

  3. Norman Marks
    December 2, 2011 at 4:50 AM

    Deb, you make an excellent point. If management is unable to convince the board that they have a good and reliable appreciation of the risks, then the board has to step up and drive management (with their help) to achieve it. This is similar (IMHO) to how the board needs to intervene if they are not convinced that management has proposed the best strategies for the organization.

    I think the board always has to “go further than obtaining assurance”. Even if it believes management has great processes, it should still question and challenge the results based on its variety of knowledge and understanding of the environment – one of their primary governance roles.

    Again, thanks for the comment and extension of the discussion.

  4. Joe O'Donnell
    December 2, 2011 at 7:41 AM

    Norman: Agree with your comments. I would add the following. The Board should periodically engage a qualified consultant to evaluate both the content and accuracy of the information/reports provided by management. In larger, more complex organizations, data validation is helpful to ensure against errors of omission and/or breakdowns in the compilation of the data which can occur simply due to the volume and complexity of the information. In smaller institutions which will typically lack sophisticated automation, reliance on more manual procedures to gather data creates increased risk of bad information. Additionally, engagement of an independent consultant to perform this type of assessment will also identify situations where management may be inclined to “massage” or “filter” the data which I think happens a lot more frequently than we realize. In any event, it is imperative that the Board have reliable data and information to effectively assess and respond to risks and taking steps to independently validate the reports they receive provides the Board with additional protection down the road should they face a liability/culpability issue. Secondly, I would advise Board members to periodically require uncensored interaction with middle level managers who perform and are accountable for key functional assignments within their organization. In my opinion, Board members have an obligation to know what the risks are and what is going on within their organizations and to pursue this beyond the traditional “executive summary” level. Accordingly, hearing from the folks in the trenches who have the first-hand exposure to the risks represents a best practice. In today’s regulatory environment, particularly within banking, Board members are held accountable and liable. If I was in such a position, I would exercise my right to have access to personnel who could provide detailed, first-hand information on risks, problems, issues and challenges across the organization and would not accept high level “executive summary” answers from executives who may or may not be appropriately engaged at a granular level. Thank you for introducing this discussion.

  5. December 4, 2011 at 2:47 PM

    This is a very helpful check list, Norman. Many thanks. And also for highlighting Brian’s interview. His warning about the perfunctory use of latest risk tools is important.

    I have two “and’s”.

    1) Good boards are rightly worried about what they don’t know. Whether it’s because execs themselves don’t know this info or because, for whatever reason, execs know but haven’t told the board, the outcome can be the same. You rightly focus on the importance of good process and the obvious process step to deal with this aspect of risk is a proper ombudsman system with a proper whistle-blowing system as a back-up (i.e. both are needed, the former offering a more constructive means for dealing with concerns). Based on my experience at 2 large institutional investors, I would say that a board that is ideologically/politically closed to these systems (or just too weak to challenge the execs about their negativity) is a weak board.

    2) Both you and Brian rightly focused on what is currently best in class risk management, but I think the debate in the EU at least, is changing fast and this best in class benchmark isn’t good enough anymore. The big question is how risk should be shared between corporations (i.e. execs and a few shareholders) and society, especially with regards to high impact, low probability events. Currently it’s often a “heads we win and tails you lose game” with benefits privatised and costs socialised. Think BP, Tepco and Wall Street banks. Growing awareness of this is resulting in nitty gritty changes which the board will have to lead/approve (e.g. malus to balance bonus, putting material corporate health performance targets into exec remuneration KPIs, etc). But it also goes further and affects the way risk is defined. Currently we think of ERM as the ultimate goal (and in many companies even that feels a long way away). But leading thinkers say this is not enough, and for business to keep its license to operate and for capitalism to work for society, then we need to move to BCM (business continuity management).

    Here are 2 references which you/your readers might be interested in:

    Power, Michael (2009) The risk management of nothing. Accounting, organizations and society, 34 (6-7). pp. 849-855. ISSN 0361-3682

    I’d be interested to hear what this sounds like from your side of the pond. Are there parallel debates?

    Best wishes

  6. Norman Marks
    December 14, 2011 at 5:17 PM

    Joe, why do you believe the board should engage a third party instead of using internal audit?

  7. January 19, 2012 at 11:07 PM

    This was quite an interesting Blog on risk management. If you are from the famous LA, then feel free to contact Riskwise.biz at http://riskwise.biz/.
