Guidance for directors on oversight of risk management – the good and the bad
I wouldn’t blame directors if they are confused. There are many sources of guidance and they don’t necessarily take directors in the same – or always appropriate – direction.
In this post, I review the latest effort from the UK, point to some good sources, and provide guidance of my own for review and comment.
The latest UK guidance
I have been reading a lengthy tome from the Institute of Directors (UK) that incorporates pieces from PwC and others. Titled Business Risk: A Practical Guide for Board Members, it includes nuggets of wisdom in a collection of disjointed articles that also includes nuggets of fools’ gold.
For a start, it fails the straightforward tests of simplicity and clarity. While I don’t like the Canadian Institute of Chartered Accountants’ Framework for Board Oversight of Enterprise Risk, it at least has the merit of being a cohesive, single document that tries to get to the point and give directors straightforward guidance.
So here are a few nuggets of wisdom from the Institute of Directors’ piece:
- “A common problem is for non-executive or supervisory board members to face major challenges in securing adequate flows of objective information about the performance of the business. In particular, a ‘glass ceiling’ that hinders communication between internal monitoring departments (such as risk management, internal audit or compliance) and the board can prove a fatal flaw.”
- A “charismatic or overbearing CEO may dominate the boardroom conversation. Even a period of corporate success can, ironically, often prove to be a source of danger. It may make it difficult for the board to challenge or criticise the status quo. The board may fall victim to the delusions of ‘groupthink’ or overconfidence.”
- “The board is well-placed to play a meaningful role in identifying risks to the organisation that the chief executive – for a variety of reasons – may have overlooked or discounted.”
- “The board [has] a key role to play in the ‘oversight’ of these risk management activities. It should regularly satisfy itself that the company has effective risk management and control systems in place. Furthermore, directors should take steps to establish direct communication with relevant risk management units and external sources of information (including possible access to whistleblowers) in order to ensure that the board does not become insulated from the reality of the company’s situation.”
- “Discharging the board’s duties and responsibilities around risk oversight presents tough challenges. These include ensuring adequate ability to understand key risks, creating the time necessary to debate properly, and having the courage to stand up to management.”
- “These challenges are further compounded by the variable quality of risk information reaching the board, the increasingly complex nature of organisations leading to complicated risk issues, and management’s potential conflict between managing or reducing risk and striving for improved performance.”
- “The external perception of risk is also changing with the speed of risk impacts and the contagion between operational, financial and reputational consequences demanding increased agility from the board.”
Useful guidance from other sources
Some of the best guidance, in my opinion, comes from Singapore – reviewed and summarized here. It’s not perfect, but it provides clear and simple guidance that will definitely enhance board oversight of risk management. (Directors should also refer to Chapter 4 of the King Report on Corporate Governance for South Africa from the Institute of Directors, South Africa, part of that nation’s excellent corporate governance code.)
A truly excellent source is 20 Questions Directors Should Ask About Risk from the Canadian Institute of Chartered Accountants. It is far superior to that organization’s more recent Framework for Board Oversight of Enterprise Risk.
My advice to boards on oversight of risk management
Having criticized several and praised few, I think I should put my guidance out there for criticism and comment. This is my advice for directors in discharging their responsibilities for oversight of risk management:
1. The responsibility of the board is to ensure that management has appropriate processes for risk management. It is not the directors who identify and assess risk (with the exception of the point below), but management.
2. Some risks should be the remit of directors, such as:
- CEO performance
- Executive succession planning
- The effectiveness of the board and its committees
- The adequate performance of those that report to the board, such as the internal and external audit functions and, in some organizations, the chief risk and chief compliance officers
3. Directors should understand that risk management is not just about protecting value but creating it. When risk information is provided to decision-makers and considered in the making of business decisions, better decisions are likely and this will drive better performance. When we are talking about risk, we are talking about uncertainties (potential events or situations) that lie in the path to the organization’s objectives. The effect of those uncertainties can be positive, creating value (often referred to as opportunities), as well as negative, impeding progress. Risk management is, at its core, about understanding those uncertainties (both those with positive and negative effects on objectives) and taking actions to optimize outcomes.
4. Directors should also understand that it is essential that the risk management process be dynamic, iterative, and responsive to change because (a) business conditions, including risks, are changing at an accelerating pace, (b) the volatility of risk seems to be increasing, (c) the time to respond to those changes is diminishing, and (d) business decisions have to be made at speed. Assessing and responding to risk at periodic intervals is unlikely to be sufficient; the understanding and consideration of risk has to be embedded into how the business is run – every day.
5. Risk management should not be a separate activity; it should be embedded in the processes for establishing objectives and setting strategies; managing major projects; monitoring and optimizing performance; reporting of results, both financial and operational; reviewing executive compensation; and daily decision-making.
6. As business conditions change, not only external to the business but also internal – such as organization changes – management should consider updating its risk framework (including approved risk appetite or criteria) and processes.
7. Reviewing the effectiveness of risk management and internal control is an essential part of the board’s responsibilities and should be performed at least annually. The board will need to form its own view on effectiveness based on the information and assurances provided to it, and in doing so, it must exercise the standard of care generally applicable to directors in carrying out their duties. Management is accountable to the board for implementing and monitoring the system of risk management and internal control and for providing assurance to the board that it has done so.
8. Neither risk management nor internal control processes provide perfect assurance. Rather, the board should assess whether management’s processes provide reasonable assurance that the more significant risks to the company’s objectives and strategies are within levels appropriate to the company’s business and approved by the board.
9. When assessing the adequacy of risk management, the board should consider:
- The processes for establishing the company’s longer and shorter-term objectives and strategies, and whether they give appropriate consideration to risk;
- The processes for determining the company’s risk appetite or criteria, and communicating them to managers and other employees as appropriate. While it can be valuable (and is required by law or regulation in some cases) to establish the organization’s overall risk appetite (the level of risk the organization is willing to accept), unless that appetite is translated into practical guidance that each manager can apply in decision-making to take the right risks, an appetite statement will be form without substance;
- The adequacy of the company’s risk policies and standards;
- The adequacy of management’s processes for identifying, analysing, evaluating, and treating new or modified risks;
- Whether there is sufficient effective communication of risk and control information across the business;
- The processes for monitoring and optimizing performance, and whether they give sufficient consideration to risk levels;
- Whether management’s processes for monitoring the adequacy of internal control and risk management processes provide reasonable assurance that they continue to operate as intended and are modified as business conditions or risks change; and
- Management’s reporting of risk and whether it provides both senior management and the board sufficient visibility of risk levels across the organization and whether they are at acceptable levels.
10. The board should solicit a formal opinion on the adequacy of risk management and internal control from the head of the internal audit function at least annually, which should be considered in the board’s own assessment. The board should also solicit the observations of the independent auditor, recognizing that such observations will generally be limited to risks and controls related to the preparation of the external financial statements.
11. The board should ensure that its members have sufficient collective understanding of risk management practices and techniques to effectively question and assess management’s risk management framework and processes.
12. The board should ensure it receives sufficient useful, reliable, complete, timely, and current information to provide effective oversight of the organization’s performance, including risk management.