Board Oversight of Risk

I want to bring two items to your attention today:

1. A recent KPMG study showed that risk management practices still have a very long way to go. In particular, board members continue to be concerned that they have insufficient information with which to manage risk. See more here.

What can and should internal auditors do?

(a) Recognize that not having effective risk management, and that includes board oversight of risk, is perhaps the greatest risk for many organizations — whether non-profit, for-profit, government, etc.

(b) Through your assurance and consulting services, press for and facilitate implementation of effective risk management. Make sure you are well-informed yourself, particularly about the global ISO standard for risk management (ISO 31000:2009) and the ISACA RiskIT framework, which is excellent.

(c) Ensure that the information used to manage the business, including both performance and risk information, is available to those who need it, when they need it, in a form that is current, timely, reliable, and useful.

2. An NACD video on board oversight of risk

This short video is interesting and you might want to share it with your board members and appropriate management.

Boards have to decide how they will provide oversight. I agree with the panelist that you should use caution in assigning risk oversight to a fully-burdened audit committee.

Posted on May 30, 2011 by Norman Marks
