Can Directors Provide Effective Risk Management Oversight?

In the September 14 issue of Compliance Week[1], Stephen Davis and Jon Lukomnik wrote an interesting article on “Unsettling Questions on BP, Boards, Risk Management.”

They said:
“Can directors really oversee risk? This is the question. Blame for recent corporate disasters—from risk-management failures at Bear Stearns and Lehman Bros. to long-term misjudgments at General Motors to the Deepwater Horizon spill and its aftermath—has tarred directors as well as executives. If only directors were doing their job, the thinking goes, disaster would have been avoided or at least mitigated.
“Against this mainstream chorus, a small but growing backlash is wondering if any part-time board can really provide risk oversight of global, complex companies. By all appearances BP boasted a gold-standard board before the Deepwater Horizon blowout. It was equipped with virtually every governance bell and whistle an investor could want, including independent staff for the outside chair.
“Whatever your opinion about the real-world ability of directors to oversee risk management at complex companies, responsibility for risk oversight is now squarely on the boardroom table. Abdicating it isn’t an option; trying even harder seems the only sensible route for directors to take. That means more of a role for internal audit and more formal risk assessments. It also means the creation of more risk committees or revisions to audit committee or other charters to make sure that risk oversight is fully integrated into board deliberations.”

These are excellent questions, and I think they merit examination.

As Davis and Lukomnik said, abdicating their responsibility for risk oversight is not an option for boards. But there are opportunities for them to lighten the load. This is what I suggest:

1. As we know, there is a difference between auditing the financial statements (to verify that they do not contain material misstatements) and auditing the controls over the financial statement process. When you have good controls, it increases the likelihood that the financial statements are accurate. But even if the controls are deficient, you can still test the financials to validate the numbers and verify they are accurate.
Similarly, there is a difference between the risk management process and the actual identification and assessment of risks by the company.
The board should perform two assessments:
a. Is the risk management process adequate?
b. Are the risks identified by management complete, and has management adequately assessed them?
2. When it comes to assessing whether the risk management process is adequate, the board should look to the internal audit function. Internal audit’s primary function is not to perform audits, but to provide assurance over the organization’s governance, risk management, and related internal controls. (See Our Job Is Not to Perform Audits.) The board should require a formal, annual assessment of the risk management process from the chief audit executive.
If the risk management program is not sufficiently mature, the board should question management on how it will improve the program so it meets the needs of the organization. Internal audit may be tasked with helping, through consulting and advice.
One critical aspect of the risk management process is the ownership of and responsibility for risk management in the organization. Even though internal audit should address this issue, I would encourage the board to ask:
- Is there a chief risk officer? Does he/she report at an appropriate level within the organization, so his/her voice is heard? Does he/she have the ability to communicate directly with the CEO, CFO, and board when necessary?
- Is risk management embedded throughout the organization and part of daily decision-making?
- Is the consideration of risk part of how management determines strategies, objectives, and plans? Is the chief risk officer involved in strategy meetings?
- Does the culture of the organization embrace the consideration of risk?
- How does the executive management team ensure risks are taken at a level appropriate to the needs of the company, and within the appetite set by management and the board?
3. The board should determine how it will provide effective oversight. My opinion is that it should delegate financial risk oversight to the audit committee – but only financial risk oversight. The audit committee already has a massive workload, and I worry that giving it the responsibility for oversight of all risk management would cripple its ability to address the financial statements, SOX, management of the internal and external auditors, capital management and budgeting, treasury management, etc.
Some boards have a compliance committee, or have assigned compliance oversight to the governance committee (or similar). I would look to that committee for oversight of related risk management activities. Some boards have an IT committee or equivalent; others may have other specialized committees. I would tend to assign to each of those specialized committees oversight of related risk management, given their specialized focus and (presumably) insight.
The board should consider a risk committee (in some industries, this may be required by law or regulation) to (a) oversee risk management as a whole, across the enterprise, (b) coordinate the oversight responsibilities of other committees performing oversight of particular risk areas, and (c) lead a discussion of risk management at the board level.
The board can delegate oversight at a detailed level to committees, but must retain accountability for oversight as a whole. In particular, I would look to the full board to ask questions relating to strategic risks, executive succession, etc.
4. The board and its committees challenge management’s risk identification and assessment through a combination of penetrating questions and the sharing of their wisdom. They need directors with a breadth and depth of experience and knowledge in the business, the industry, the regulatory and economic environment, and more. I would encourage boards to include this requirement in their self-assessment process and in the selection of new directors.
5. Finally, on an annual basis, the board should consider whether its oversight of risk management has been effective. It should reflect on management’s assessment and whether it turned out to have defects that should have been surfaced by better questioning by the board. The board should also follow up on any corrective actions identified by internal audit during its formal assessment.
I also recommend consideration of the following: Goldman Sachs’ 10 Principles of Effective Risk Oversight.
Do you agree with the above?
Can you share other guidance for directors?
Do you have any stories of effective risk oversight to share?

[1] My thanks to Compliance Week’s editor, Matt Kelly, for permission to quote from the article. Compliance Week is an excellent source of information relating to governance, risk management, compliance, and internal audit – and I recommend subscribing.


Posted on Sep 29, 2010 by Norman Marks


I agree with your analysis, in particular the respective roles of the audit and risk committees, with both directly accountable to the board and holding specific delegated authority.

I have worked with a governance committee which had the responsibility to oversee both quality and risk, and it was very effective as a strong holistic centre point for all risk discussions and decisions (plus, as it was chaired by the CEO, this sent a very strong message about the importance of governance, risk and quality). Linking risk with the quality agenda (assuming all organisations seek continuous improvement) is also, I think, an important part of making sure that risk is central to the organisation, and not an added task.

One aspect of risk management that you've not mentioned is the importance of reporting incidents and reviewing both trends and all significant incidents, with reports and discussion about both (and ongoing follow up on recommendations) by the risk committee.

With regard to the roles of other committees, risk can be folded into the audit committee's agenda, for a totally holistic view, but the likelihood is that discussions about risk will be severely curtailed due to time constraints. Specialist committees and groups should hold responsibility for risk in their areas, but should, I think, be delegated this responsibility by the risk committee, with accountability and reporting going via the risk committee to the board.

It remains vital that the board, and in particular the chair and CEO, hold ultimate responsibility for risk, and that sufficient time and energy is allocated for board risk review, preferably through at least semi-annual reporting and a scheduled annual risk review - and that this should not simply be tabling the risk report from internal audit with a thank you or two, but time for probing questions, horizon scanning and setting of future direction.

Yes, if they are educated about how to do it and they make the effort. But is there agreement on what risk oversight is? And let me add that for GRC, compliance and ethics, internal audit, and risk oversight, if the board and appropriate board committees are not on board then you will have problems with getting the complete support that you need. There needs to be an ongoing effort to get boards and committees on board.

Dave Tate, Esq. (San Francisco)

After years of trying to elevate the role and importance of audit committees, isn't it dangerous for us to now start telling them that their role should be reduced to financial risks only? Second, what perception would it give about internal audit? That they deal only with financial audits, because that's the only thing that the audit(!) committee is looking at?

Not sure who Mike is, but I agree with Mike. We are going backwards. I think that one party should be responsible for reviewing all risks, and such party can either be the entire board, the risk committee or the audit committee, but do not bifurcate into financial risks, etc., because it is impossible to review this way, and unfortunately it has taken us years to realize this.

Take a simple example of an operational risk at BP related to the wells. At some point in time that operational risk morphed into compliance risk and finally has morphed into tremendous financial risk. The notion of being able to segregate these is an illusion and only contributes to the silo mentality. Now what you can do is, if the Board in its entirety has an excellent handle on the entire risk portfolio, they may designate other committees to perform further oversight review but at a more detailed level.

Now getting back to the overview topic of "Can Directors Provide Effective Oversight". If they cannot, they should not have been put in these positions to begin with and should be removed. Should they receive training? Absolutely, which gets to another subject of who should provide the training.

Ideally this could be internal audit, but they themselves need training in this area, and so this remains an important untapped opportunity for internal audit. The other piece is of course "providing an assessment on the adequacy of the risk management system", which is the responsibility of internal audit. I do not believe that internal audit is currently executing such responsibility particularly well, and since this is critical to the organization, it is important that such skill sets be developed or the Board will find external resources to perform such reviews.

Arnold Schanfield

Also the Board should be asking the following questions in its risk management oversight, extracted from the Canadian Institute of Chartered Accountants booklet; see their web site for the complete text around each of these 20 critical questions. Norman has summarized a number of these in his blog above, but here is the comprehensive listing for your Boards.

1. How do we integrate risk management with the corporation's strategic direction and plan?

2. What are our principal business risks?

3. Are we taking the right amount of risk?

4. How effective is our process for identifying, assessing and managing business risks?

5. Do people in this organization have a common understanding of the term risk?

6. How do we ensure that risk management is an integral part of the planning and day-to-day operations of individual business units?

7. How do we ensure the Board's expectations for risk management are communicated to and followed by the employees in the company?

8. How do we ensure that our executives and employees act in the best interests of these organizations?

9. How is risk management coordinated across the organization?

10. How do we ensure that the organization is performing according to the business plan and within appropriate risk tolerance limits?

continued below

continued from above

11. How do we monitor and evaluate changes in the external environment and their impact on the organization's strategy and risk management practices?

12. What information about the risks facing the organization does the Board get to help it fulfill its stewardship and governance responsibilities?

13. How do we know that the information the Board gets on risk management is accurate and reliable?

14. How do we decide what information on risks we should publish?

15. How do we take advantage of the organizational learning that results from the risk management program and activities?

16. What are our priorities as a board in the oversight of risk management?

17. How does the Board handle its responsibility for the oversight of opportunities and risks?

18. How do we, as a Board, help establish the tone at the top that reinforces the organization's values and promotes a risk-aware culture?

19. How satisfied are we that the Board is doing what it should in overseeing risk?

20. How do we ensure that at least some of the Board members have the requisite knowledge and experience in risk?
