What should company directors and board members ask the executive team when it comes to the topic of risk?
As a board member, one of your primary responsibilities is to oversee risk.
As the business landscape evolves, you need to develop and continuously improve your risk oversight practices and know how to ask the right questions at board meetings.
Remember, it is the board’s role to influence management’s processes for monitoring risks.
Directors should clearly define what risks the board should discuss regularly and what risks should be delegated to a committee.
Risk oversight should be a continuous process
It is important to continually assess the risk governance structure as organisations face new risks every day.
A good practice is for management to maintain a list of all enterprise-wide risks, which are then assigned to specific board committees.
For example, the compensation committee may be responsible for overseeing human resources and compensation risks, while the audit committee should manage financial risks.
A board should assume direct responsibility for, and regularly discuss, strategy-related risks that could disrupt and materially affect the company’s business strategy.
Also, clearly defined risk governance should be reflected in committee charters.
The audit committee’s role in risk oversight
Most firms outside the financial services industry don’t have a separate board risk committee, so any risks not designated to a specific committee are often delegated to the audit committee.
A board’s audit committee may also be responsible for reviewing management’s risk management policies, but boards should be careful not to overburden it.
Overseeing cyber risks
Even the most tech-savvy business leaders find it challenging to keep up with the pace and scope of developments in big data, artificial intelligence, cloud computing, digital transformation, cyber-attacks, and other tech matters.
It is important to understand that these developments carry a complex set of threats, and the most serious ones can compromise sensitive information and have significant negative effects on a business.
As cyber threats become more prevalent, they raise concerns about financial information, internal controls, and a variety of other exposures, including reputational damage.
It is often the responsibility of the entire board to oversee a successful cyber threat management program. Certain organisations may delegate oversight to a risk committee or audit committee.
When the audit committee is responsible for cyber threat management, the committee should first understand the areas it is expected to oversee.
Engaging in regular contact with the CIO, CISO, and other technology-focused leaders can help the audit committee determine where its attention should be focused.
As a liaison with other groups, the audit committee chair should communicate mitigation expectations to the full board and see that they are enforced.
Questions directors can ask regarding risk
Boards or audit committees may consider the following questions when determining how effective the company’s enterprise risk management program is at minimising downside risks.
- What board committees oversee risk governance?
- Does a risk governance structure exist?
- Does the audit committee give adequate attention to cyber threats?
- How does the company monitor the company’s major financial risk exposures on an enterprise-wide basis?
- Is each identified risk assigned an owner?
- Does the company’s compensation program promote an unhealthy focus on short-term financial results?
- Does the audit committee agree with the compensation committee regarding these matters?
- Who oversees risk in the various board committees?
- Do all stakeholders communicate and coordinate appropriately?
- Does the board regularly consider strategy? In what ways could the strategy fail?
- Are directors provided with the information needed to effectively oversee the risk management process?
- In terms of financial risk management, what framework has been selected by management? By what criteria was it chosen?
- Does technology play a role in risk management? If so, when was the last time it was evaluated?
- How does management monitor emerging financial risks?
- How effective are early warning mechanisms? How regularly are they measured?
Today, audit committees are held to higher standards than ever before.
Despite increasingly complex financial reporting requirements and changes in the regulatory landscape, audit committees provide important oversight to shareholders.
Boards and audit committees must set the right tone from the top, since it is the board’s role, when managing risk, to be as transparent as possible.
It is also imperative that the audit committee develop strong relationships with the company’s internal and external stakeholders who have a direct impact on the company’s risk profile.