Questions the Board should ask about Risk Management – suggestions from Protiviti and Marks

February 6, 2013

Protiviti has added a new issue, number 39, to its series on Board Perspectives: Risk Oversight. The latest issue is titled Shaping the Risk Oversight Agenda and includes a list of 10 questions boards should ask as they consider their oversight of risk management in 2013.

The 10 questions are decent ones and I will let you review the Protiviti piece to see them and the useful discussion provided on each. They are fine as far as they go, but they are probably not the questions I would have the board ask.

Here are 5 questions I think boards should consider asking of management in formal session:

  1. Are you, board and management separately and together, satisfied that the organization has an effective process for identifying, assessing, and responding to risks to the achievement of the organization’s objectives? If so, please explain why you believe it is effective now and how you know it will continue to be effective as we go through the year.
  2. Does that process provide sufficient timely information so that you are not surprised by changes in risk conditions, including changes in risk levels as well as by emerging risks?
  3. Is the consideration of risk sufficiently integrated into management processes and operations, so that it impacts strategy-setting and decision-making across the organization, or is risk management performed in a silo that is separate from performance reporting and management and how the organization is run every day?
  4. What are the plans for improving the maturity and effectiveness of risk management in 2013?
  5. Where is the risk management program weakest (such as incomplete, unreliable, or untimely information) and what does this mean to the management of the organization? How are you compensating for the risk that this represents?

Are these questions boards should be asking? What would you ask as a board member?

  1. ARNOLD SCHANFIELD
    February 6, 2013 at 2:21 PM

    Not exactly the questions I would ask but your thinking is at least quite solid. I would ask

    Are we operating within the risk criteria of the company that we have established and if so please show us this?

    Are we satisfied that what we are looking at is a comprehensive summary of our risk portfolio and what is the basis for reaching this level of satisfaction?

    Are things getting better or worse in terms of the company’s management of risks? What improvements have we seen during the course of this year and what would our overall ranking be at end of the current year and how does that compare to last year?

    Are we satisfied that the right levels of assurance are being applied to the risk portfolio and the various assurance providers are doing what they are supposed to be doing? What is the basis for this satisfaction?

    Have we adequately addressed needs of all of the company’s major stakeholders and how do we know this?

  2. John Servage
    February 11, 2013 at 8:50 AM

    These are great questions to ask the Board. I would add several things from my experience.
    My most successful approach to the Board was to first send personalized questions and keep them short and semi-formal. For example, ‘Do you know the top ten risks facing the organization today and do you agree with them? If not, why?’ I also think it is important to probe their knowledge and confidence in the assurance activities that accompany those reported risks. I would ask: ‘Do you have confidence that the information you receive is reliable and helpful to you in assessing these risks? What would you improve?’ I did not treat this as a survey; I simply left the questions in their hands. I found that Board members came to the workshop well prepared to discuss key questions about the organization’s ERM program. I find that the Board, like any other Committee, is prone to ‘Group Think’ and may not individually bring their own positions fully into the discussions, especially if they have not done any pre-meeting preparation. Also, Boards are very busy and have a minimal amount of time and attention to address these serious matters. My reaching out to them on an individual level in advance I believe greatly improved their participation in the workshop.

  3. December 7, 2015 at 4:44 PM

    I’m relatively new to the in-house risk function (new role for me) and am finding your articles and discussions very interesting indeed.
    Thank you.
