
Is the goal of Risk Governance taking boards in the wrong direction?

‘Risk governance’ or ‘risk oversight’ (I see the terms as synonymous) is a topic that comes up quite often in governance codes, regulator and investor group guidance, and (of course) in risk management frameworks.

But is it something that boards should be doing? Should they be providing oversight on risk?

Maybe they should, but perhaps not in the way that most have been doing it, and I would prefer a different description.

A 2012 article by Matteo Tonello of The Conference Board (based on an article by Tim Leech) references a National Association of Corporate Directors Blue Ribbon Commission report that talks about risk oversight in a traditional way:

While risk oversight objectives may vary from company to company, every board should be certain that:

  1. the risk appetite implicit in the company’s business model, strategy, and execution is appropriate
  2. the expected risks are commensurate with the expected rewards
  3. management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company’s business model and strategy
  4. the risk management system informs the board of the major risks facing the company
  5. an appropriate culture of risk-awareness exists throughout the organization
  6. there is recognition that management of risk is essential to the successful execution of the company’s strategy

This reflects the common board practice of reviewing a list of (exclusively downside) risks and challenging management’s assessment and handling of those risks. There is a focus on approving a risk appetite statement and, if we are lucky, receiving a report from the internal audit head on the effectiveness of (downside) risk management.

I would far prefer the board to be concerned with whether management is taking the right level of the right risks. Even better is whether management is making informed and intelligent decisions.

Success doesn’t come with avoiding or minimizing (downside) risk – it comes from informed and intelligent risk-taking, balancing the potentials for harms and rewards.

Some frameworks and governance codes are slowly moving in the right direction: less of a focus on managing risk (“doom management”) and more on managing the achievement of objectives (“success management”).

For example, ISO 31000:2018 says:

Oversight bodies are often expected or required to:

— ensure that risks are adequately considered when setting the organization’s objectives;

— understand the risks facing the organization in pursuit of its objectives;

— ensure that systems to manage such risks are implemented and operating effectively;

— ensure that such risks are appropriate in the context of the organization’s objectives;

— ensure that information about such risks and their management is properly communicated.

This is not very good, as it doesn’t talk about decision-making or about improving the extent and likelihood of success, but at least ISO recognizes that what might happen can include good as well as bad.

COSO ERM 2017 has a principle (#1): “Exercises Board Risk Oversight”. While the language in the following section and in Appendix C (where there is a table that lists, at a very high level, board oversight activities) is not at all specific on what ‘oversight’ means, I give COSO credit for the sentence that details the principle:

The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.

They don’t say that the board should oversee risk. They say the board should oversee the achievement of strategy and objectives.

The 2016 King IV Report on Corporate Governance for South Africa has some excellent language. It starts the section on risk governance with this:

Principle 11: The governing body should govern risk in a way that supports the organization in setting and achieving its objectives.

Recommended Practices

  1. The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and assessed within the organization. Risk governance should encompass both:

    1. The opportunities and associated [downside] risks to be considered when developing strategy; and
    2. The potential positive and negative effects of the same risks on the achievement of organizational objectives.
  2. The governing body should treat risk as integral to the way it makes decisions and executes its duties.

It references risk appetite and other [downside] risk management practices, but is not exclusively a doom management code. It also highlights the need to create value by seizing opportunities.

Perhaps we should discard the term ‘risk governance’ in favor of strategy and performance oversight. The board should be concerned with setting the most appropriate strategy and then executing on it.

My advice for board members is to integrate discussions of strategy, risk, and performance.

Rather than reviewing a list of risks and obtaining assurance that management knows how to identify, assess, and then address things that could go wrong, the board should obtain assurance that management:

  • Is doing a good job of thinking about what could happen in the future, both events with positive and events with negative effects on the achievement of objectives, and whether that is acceptable or needs attention in some way
  • Is involving the right people and obtaining reliable information about what might happen when making decisions
  • Is disciplined in its decision-making (rather than making off-the-cuff decisions based on ‘experience’ or gut feeling)
  • Is monitoring the situation, both within and outside the organization, so it can respond if conditions change

Assurance should come first from the executive team, preferably the CEO. The opinion of the CRO and the assessment of the CAE should follow.

This way, the board is discharging its responsibilities to ensure stakeholders get the performance they should: value creation as well as (and not just) value protection.

The board should make sure the management team is effective in running the organization, and that is not done by focusing on a list of harms.

Effective governance of an organization is limited if the board focuses on risks.

What do you think?


  1. March 9, 2018 at 12:43 PM

    Great article, 100% agree!

  2. March 9, 2018 at 12:45 PM

    Reblogged this on RISK-ACADEMY Blog and commented:
    Great article by Norman Marks on the topic of risk governance. I’ve been talking about this for years, here is my video on board reporting and hence oversight https://youtu.be/8zrR8U0fpEA

  3. Lee Min On
    March 9, 2018 at 7:03 PM

    Would have been better and more effective to discuss a specific example to clarify the academic assertions promulgated in the COSO and ISO. For example, a company that strives to go beyond its shores to diversify its business as well as geographical locations, will have to consider risks. How does the Board oversight role come in and what the activities entail to demonstrate a discharge of the oversight responsibility?

    • Norman Marks
      March 10, 2018 at 6:47 AM

      A fair point, but difficult to handle in a blog post – so I wrote a book instead

  4. March 10, 2018 at 11:37 AM

    I agree with you, Norman. As you say, the board must focus on setting clear objectives and then achieving them.
    I see the primary objectives of a board as maintaining existing operations and developing new opportunities. Maintaining existing operations requires an understanding of the risks and opportunities affecting them. Providing assurance that they are being properly managed is usually expected by rules and regulations.
    Developing the business requires a different perspective. There will (should) be much greater emphasis on identifying opportunities before considering those risks which result from pursuing them. A board focusing on risks is likely to miss opportunities.

  5. March 12, 2018 at 9:22 AM

    The only system, supported by software, that I know of is Dependency Modelling. (Mainly because I helped develop it and the OpenGroup Standard C133; for details: https://lnkd.in/geW9a3e) I am always happy to hear of other approaches or suggested improvements, but modelling from top down (what are our objectives?) does give rise to risks that can actually be attributed to the corporate (or project etc.) objectives, and that makes allocation of resources to control risks so much easier. 🙂
