Home > Audit, COSO, Governance, GRC, Risk > What Boards Should Ask About Risk Management

What Boards Should Ask About Risk Management

Let’s say that you have taken your car in to your dealer for a routine service and check-up. How would you feel if the mechanic came back and gave you this report?

“Your speedometer registers zero, which is correct because the car is not moving. The compass is pointing due north, which is also correct. The engine oil is full and the tires are at the correct pressure.”

Would you prefer this report?

“The speedometer and compass are working well. The engine oil is full and there is no leak. We took the car for a test drive and checked for leaks and also for any issues with the tires, which remained at the correct pressure.”

The second report provides you with valuable information that gives you comfort that the car is safe to drive and will get you to your destination. The first report is correct but of limited value.

Let’s turn to boards and risk management oversight.

If you listen to the consultants, of whom there are many, board members should ask about the top risks facing the organization and quiz management on how they are being managed. Perhaps the board can go further and ask how these risks are being considered in strategy-setting.

In this scenario, the board members are provided a report (perhaps prepared by the risk officer) as a basis for discussion.

That is a list of the risks that management and the risk officer prepared and reviewed prior to meeting with the board.

That is a list of what used to be the risks at the time it was prepared.

That is a list of risks the organization faced when it was standing still and pointing north.

It is not necessarily the risks and risk levels facing the company at the time of the board meeting, and not necessarily the same risks and risk levels that the company will face next week.

Risks change in our dynamic business and regulatory climate.

I am not saying that it is not a valuable exercise to discuss the most significant risks facing the organization. It is.

What I am saying is that is simply not enough, for two reasons:

–  Any list of risks is a point-in-time report and is probably already out of date

–  The list of risks probably omits some of the most critical risks

Let me explain what I mean by the last bullet point.

The kind of risks that are generally included in the report to the board are “strategic” in nature. They are “big” risks affecting strategy, possibly involving litigation or the loss of key executives – they are what I would call risks on or beyond the horizon.

But the kind of risks that can cause immense damage are those that are taken every day as a normal part of running the business.

If you are focused only on the horizon, you will trip and fall as you walk.

Managers and staff are taking significant risks all the time. Think of the contracts they are entering into for the supply of critical components needed in manufacturing; comments they post on social media; decisions they make to defer or accelerate plant maintenance; and the people they hire.

So what do boards need to do?

This is what I would do as a member of a board:

  1. Ask the CEO and the CFO for their opinion, their assessment, of whether the consideration of risk is an integral part of how they, their management team, and managers at all levels run the organization.
  2. Ask them what they understand by “risk” and “risk management”, and who has responsibility for the management of risk. (This will be a real test!)
  3. Quiz the top executives on how they make decisions: how they obtain the information they need, including how they determine the risks they face (upside and downside) and the actions they ensure are taken to address them and optimize outcomes.
  4. Require the CEO and CFO to provide the board with at least an annual assessment of the adequacy of risk management. That assessment should include whether they believe that the management of risk is effective and suitable for the organization now and into the immediate future. If not, what actions are being taken to upgrade it?
  5. Require the internal audit department to provide at least an annual assessment of how well the organization manages the more significant risks to the organization; this will include consideration of the controls relied upon to manage those risks.
  6. Ask the CEO to describe the relationship between the executive leadership team and the risk function.
  7. Ask internal audit and the risk officer to describe how they work together.
  8. Ask the external auditor for any input they may have on the management of risk, not limited to financial risk, based on their interaction with leadership and management across the organization.

What do you think of the above? Are there two more questions you might ask to bring the list to 10?

  1. May 10, 2014 at 10:54 AM

    Two critical points from my side –

    1) COSO talks about 4 kind of risks – Strategic, Financial, Operational, Regulatory and each risk needs to be assessed in likelihood and impact. High risks based on assessment should be reported to board irrespective of kind of risk

    2) Monitoring of Key Risk Indicators is critical therefore baord member should ask How KRIs are identified and tracked

    Jitendra Khatri

  2. Abby Foote
    May 10, 2014 at 7:21 PM

    I’d also be asking:
    1. How the business is managing the risk of being blind-sided by an “unknown unknown” as opposed to the “known unknowns” that are likely to appear on risk registers? and
    2. How do the processes for managing risk deal with the risk of a missed opportunity for upside (rather than simply the downside risks that commonly form part of risk assessments)?

  3. Khanh Vuong
    May 11, 2014 at 2:41 AM

    I would add:

    1) What are the risks from the external environment (e.g., macroeconomic factors, political landscape, global factors across the world) and their effects on objectives?

    2) Are our objectives in need if any refinenents or tweaking?

  4. May 11, 2014 at 3:40 AM

    i would add one more question: Prove to me that you know that your top 5-10 risks are the right top 5-10.

  5. Hennie van der Watt
    May 11, 2014 at 11:21 PM

    I would also add some specific cultural questions such as “ask the board to describe the difference between the prominence of the risk function today compared to 2-3 years ago”.

    I worked with an organisation once where they had just prior to my engagement appointed a new Head of Risk. At the onset it looked like they were serious about the role and that they wanted this guy to add value, however it later transpired that they had appointed him more to “do stuff” (i.e. clear some of the risk-type backlog work) rather than guide the firm strategically through the risk minefield.

    Once this was made clear and the board was educated, this individual was seen in a completely different light. Almost like a light bulb moment!

  6. Phil H
    May 12, 2014 at 4:30 AM

    UK Government did some similar work at the ned of last year. You may also wish to use some of these questions in a more generic context:


  7. Salveo Ergonomic
    May 12, 2014 at 5:15 AM

    Thank you for this blog. It sounds like what you describe is a Board Assurance Framework. I would therefore ask the board, on what evidence is the assurance based, is it internally obtained or externally, and is the evidence directly from the risk owner or an opinion of somebody distant to the risk?

  8. May 12, 2014 at 1:46 PM

    The Board should be asking “How do you embed risk management in key business processes?” (e.g., contracting with strategic vendors; strategic decisions on entering/exiting new markets; operational controls; financial budgeting, forecasting and expense controls, compliance with legal requirements, information security, etc.). Then you can have a robust conversation about whether the organization’s leadership drives a culture of identifying and managing risk alongside opportunity.

  9. John Fraser
    May 13, 2014 at 10:08 AM

    Risk profiles should include all major sources of risks, not just some types (i.e. not only strategic risks). If not, then that is a failure of risk management and the board in not getting a full view.
    Risk Profiles should describe the potential sources of risks over a stated future period, e.g. five years. Thus, while done at a point in time, and subject to possible dramatic changes, they are still a valuable means of having risk conversations. They are very much like Balance Sheets, at a point in time, but still of value. They should be viewed together with the most recent upodated information of any significant changes since they were prepared.
    A useful source of questions for boards to ask about risks is:

  10. Helene Stoltz
    May 14, 2014 at 10:08 PM

    I believe one of the greater risks to an organisation is that executive leadership is still stuck in what I call the ISO 31000 comfort paradigm: – Yes we manage risk, We have a risk manager/function, check; We identify risk, check; We analyse risk, check, We have risk registers and we review our registers, We issue risk reports, check….etc and by continuing to check the boxes this allows a risk management stagnation to creep in creating a blindness to the real risks.
    In addition, if the Board is not knowledgeable enough and enlightened to the real benefits which risk management can add, as well as understand that the integral alignment of risk management and strategy is of vital importance, then a top 5 to 10 list of strategic risks will be another item where one can check the box.
    However by a Board asking leadership to demonstrate: how does risk management add value to your business, how do you measure the benefits, how are you prepared for the unexpected, how are you identifying emerging risks?.. etc, can you start a meaningful dialogue around risk management and gain a greater value.

  11. Larry Kowlessar
    May 16, 2014 at 7:12 AM

    Thank you Norman. I would want to add to your illustrious list, the issue of emerging risks based on new initiatives and new business strategy. What’s management take on them.

  12. Diane Halsey
    May 17, 2014 at 3:21 AM

    This has been an encouraging set of posts and I would agree with all the comments made. I would add that understanding the risk culture of the organisation is critical to avoiding a box ticking exercise. If risk is seen as the role of those with it in their title and not as everyones role then there will be little value added by the process. This culture lies at the heart of an effective and evidence based assurance regime and I would argue that good Board assurance systems (as opposed to reassurance) are of more use to a Board than top 10 risk reports. The other aspects that should be included in board questioning around risk relate to how the organisation tests aggregation of risk across complex or diverse structures and how the Boards risk appetite is factored into the evaluation of risk scoring/acceptance.

  13. William Lau
    May 20, 2014 at 2:37 AM

    It’s a great list for a Board member to do. While 10 is a nice round number, perhaps ‘less is more’ would apply here.

    First, I do wonder how far Board members themselves are willing to ask the tough questions and how open they are to hearing truly bad news.

    Second, the Board fundamentally needs to be assured that Management is maintaining a sound system of risk management and internal controls. This is predicate on first knowing what a ‘sound system of risk management and internal controls’ looks like, and having a strong enough knowledge or opinion on it.

    I do look forward to the day when more and more Board members would do as you would.

  1. May 10, 2014 at 10:49 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: