NACD Provides Some Excellent Advice From a Prominent Director on Risk Oversight

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


I just listened to an excellent video presentation from NACD featuring Reatha Clark King talking about risk oversight by the board.

I recommend this to boards, especially board chairs and governance committee members, as well as members of the audit and risk committees. It is also useful for executives, general counsel, and practitioners.

What I like: she advises that:

  • Boards should step up and insist they receive the information they want, when they want it, how they want it.
  • The CEO is the primary risk owner and is responsible for the implementation of the enterprise risk management system.
  • If there is a CRO, he should be among those presenting on risk to the board.
  • But, the CRO should not be the only person presenting. The business leads should be among those sharing information.
  • The discussion of risk should be intertwined with discussion on strategy and compliance.
  • The full board should take the lead role on risk oversight, with each standing committee responsible for oversight of risk in its area.
  • The structure for risk oversight should be carefully thought through and tailored to each board’s needs.

What I didn’t like:

  • The presentation was on board oversight of risk. I believe it should instead provide oversight of the management of risk, making it clear that management is responsible for the identification, assessment, and treatment of risk.
  • There was no discussion of oversight of management’s risk management process, ensuring through questioning of management that it is effective and suitable for the organization’s business needs — every day.
  • The board, in my view, should not be the ones assessing risk or deciding treatment of risk. Instead, they should be asking questions and challenging management’s assessment and treatment of risk.
  • There was no mention of internal audit providing assurance on the effectiveness of risk management processes.

The management of risk and consideration of risk in decisions is a daily, even hourly, even every minute requirement. Relying on the board’s occasional meetings to obtain assurance that risk is managed effectively is misguided in my view.

What do you think?

Posted on May 31, 2013 by Norman Marks


  1. Internal Audit not recognized yet as a player in the ERM advisory or assurance space. Saw a stat that 4% plan to look at in 2012. We are helping with this by first helping management evaluate their current state and SWOTs and developing improvement roadmaps with specific action plans. Internal Audit can use this information to provide assurance that required changes are actually in place and operating effectively. I would rather a management assertion on the ERM program first with independent assurance validation. No one talks about Internal Audit's advisory role any more. Almost pure assurance from the IIA research. Sad!

  2. Mike, in Australia we certainly talk about it, and in the Australian Institute of Company Directors the role of internal audit in their risk modules for training of company directors is gaining traction.
