Excellent Advice on Risk Oversight

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


The National Association of Corporate Directors (NACD) has established an advisory council on risk oversight and published a report on its second meeting that contains notable comments. It is available at http://www.nacdonline.org/Resources/Article.cfm?ItemNumber=6762.

I advise reading the publication carefully and slowly because many points are made without elaboration.

Here are some of the more interesting pieces, with my elaboration.

Directors should have a “real and thorough” understanding of the business to be able to effectively discuss strategy and risk with management.

  • This is a known and significant problem. Other surveys have reported that as many as 70% of directors do not have a sufficient understanding of either the business or the strategies for delivering value. As discussed in the next quote, directors are part-time, often unable or unwilling to dedicate the time required to obtain the detailed understanding of the business and its operations to provide effective oversight of strategies, risk, or performance.
In the current era of board oversight, committee leadership demands a significant commitment of time and experience, which some directors may not have. One delegate noted that “fewer people are capable of chairing committees these days.”

As overseers of the company, it is necessary for directors to act as skeptics of management, questioning and even providing dissent if necessary. However, delegates noted that with lengthy tenures, it is possible that some committee chairs can become so comfortable with their respective management contacts that they risk losing sufficient skepticism. To promote fresh thinking and skepticism, the delegates suggested implementing methods of committee rotation, such as term limits. Additionally, conducting meaningful board and committee evaluations that consider director tenure can help to ensure that committee rotation is viewed positively by the whole board.

  • It is interesting to note that the more recent governance codes, such as those in Malaysia and Singapore, consider that directors with long tenure are no longer independent.

In many cases, the board was simply unaware of the operational risks occurring at the company... The role of a director, by nature, is a part-time job. As such, directors are reliant upon the executive team to provide the information necessary to evaluate risks and corporate performance... “The definition and role of oversight has changed in the last five years... [but] management hasn’t realized that oversight has changed.” Indeed, the expanding gaps may stem from management not fully realizing the new, changed board oversight role... Directors should establish tolerance levels for the level of risk they are willing to bear, and look for signs of when this risk has become too high... Of course, communication is a two-way street. It is the responsibility of the board to communicate its expectations regarding information flow.

  • This is where the council, in my opinion, missed the most critical ingredient to effective oversight: adequate processes for risk management that include appropriate communication to the board. The board should ask more questions about the adequacy of management's processes than about individual risks. If the processes are sound, new risks or changes to existing risks are likely to be handled well.

Delegates recommended the CRO meet quarterly with the committee(s) tasked with risk oversight.
  • It is certainly desirable for the chief risk officer to have access to the board, and provide regular reports. But is that sufficient when we are living in such a turbulent world? Access should be as often as necessary. In addition, the onus for communicating changes in the risk environment should be primarily with executive management.

Internal audit can provide feedback on the various committees’ risk oversight performance. “Internal audit looks at all of our activities for the year and makes sure we have fulfilled the fiduciary duties in our charter. Did we do for our shareholders what we told them we would?”
  • The board should require that internal audit assess and report on the quality of governance and risk management processes at least annually, using a risk-based approach. The discussion in the NACD report about comparing the internal audit plan to management's risk report is interesting; I would wonder why internal audit would work on areas not rated at the top of management's assessment, and why they decided not to address key risk areas.

Throughout the day’s discussions, the critical link between strategy and risk surfaced regularly. The board’s oversight of risk should begin with an assessment of the company’s strategy and the risks inherent in that strategy — which necessitates understanding and agreeing on the risk appetite, or the amount of risk the company is willing to accept. “Board members should not be involved in the detailed strategy setting... we need to connect management’s assertions to what the strategy is, then have them intelligently identify the risks.”
  • This is good, but the selection of objectives and strategies should be based, in part, on risks in the business environment. Risks should not be left to be an afterthought.

Development of the risk appetite should be conducted in conjunction with management, as it should reflect the “overlay of strategy on risk.”
  • It is true that the only risks that matter are those that relate to the achievement of objectives and delivery of value.
“We structure [risk committee meetings] so that no other committee meeting is going on so that other members can attend and hear about business unit risk.”
  • The discussion of whether the full board or a committee of the board should provide risk oversight is interesting. I like this idea that if there is a risk committee, all directors should be able and encouraged to attend.

I think this is a good piece of work that merits consideration and discussion by every board, management team, and risk and audit practitioner.

Some will say that there is little new. That may be true, but the points are made well and are from a credible and authoritative source.

I welcome your comments.

Posted on May 20, 2013 by Norman Marks

  1. Norman; thanks for putting a spotlight on the NACD's efforts to improve board risk oversight. The NACD Blue Ribbon Commission report "Risk Governance: Balancing Risk & Rewards", the work that is behind these committee efforts, is a candidate in my view for the best risk governance paper of this decade. Internal auditors, as you point out in your blog, can, and should, play a key role supporting these new board risk oversight expectations. What I think needs discussion beyond the points you raise above is whether the traditional internal audit model of planning audits, completing audits, and reporting results of audits to senior management and the board on specific point-in-time topics, where IA forms subjective views on whether IA believes "controls" are effective or not, needs to be fully re-examined by the IIA and changes made to the IPPF standards. I believe the traditional "direct report" paradigm of internal audit is a major barrier to IA better supporting boards that accept their responsibility to oversee management's risk appetite and tolerance and better risk governance. A link to a presentation I made at the IIA GRC Conference in 2012 that outlines a business case for IA moving away from a fixation on "control evaluation" to a focus on ensuring management and the board are aware of the current residual risk status linked to key value creation and potentially value eroding objectives is below for those interested. I have been asked by the IIA to present an updated version of this session again at the IIA All Star Conference in New Orleans this fall. http://riskoversight.ca/wp-content/uploads/2011/03/Risk-Oversight-Honorably-Retiring-Controls-Promoting-Risk-Treatments-July-2012.pdf Keep up your great work supporting Richard Chambers and Paul Sobel, this year's IIA global chair, lobbying for transformational change.
  1.  Norman

    Thank you. I think this is right on point, and in a succinct way you have got to many of the most critical operating issues for board governance.

    I was especially thinking about this today as the JPMorgan Chase vote came in. I think that vote will mislead many.

    In case you are interested: http://theunreasonableauditor.com/2013/05/21/its-not-about-jamie-dimon/

    Best, Anthony
  1. Anthony is right that there needs to be change: restricting IAs to an assurance plan developed 12 months ago is almost not believable in this age of constant change. IA needs to be where the biggest current and emerging risks are to add real value. IA also needs to be able to go to the top to audit and ask questions about the independence and effectiveness of the board and executive management. This is what the shareholders want.
  1. Norman & Tim. Glad to see that the 'control led' aspect of internal auditing is being challenged. We need to concentrate on the greatest risks to the organization, and these involve board decisions. My website looks at risk-based auditing in practice and the challenges it faces. You may also find the following document 'Boards and Risks' from the UK interesting: http://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/Boards-and-Risk-A-Summary-of-Discussions-with-Comp.aspx.
  1. I think when IAs participate in the top management risk assessment meeting they will control this meeting, because mostly top management considers IAs better than them in this job, and that will impact their participation negatively. And if that happened, risk assessment processes will be done by their assessors (IAs); then where is the objectivity and independence in IAs' assessments?