Just as the management of risk is a dynamic, iterative process, the board needs continued assurance that management has an effective process in place.

Let’s take some of the guidance and see what is good and not so good.

COSO, in its Enterprise Risk Management – Integrated Framework, says that “through the risk oversight process, the board should:
- Understand the entity’s risk philosophy and concur with the entity’s risk appetite
- Know the extent to which management has established effective risk management of the organization
- Review the entity’s portfolio of risk and consider it against the entity’s risk appetite
- Be appraised of the most significant risks and whether management is responding appropriately

This tells some but not all the story:
- The board should have an active role in understanding and approving the entity’s taking of risk. Yes
- It should know whether management has established an effective risk management framework and process. Yes – a critical point
- But it should also know what actions are being taken to upgrade the management of risk where it is not sufficient, and understand the level of risk that deficient risk management represents to the success of the organization
- It should understand the more significant risks to the organization as a whole, and whether management has taken appropriate steps in response
- But, it is unrealistic to expect the board to “review the entity’s portfolio of risk”. Risk is dynamic and is present in every decision, every day. The board needs to be aware of the more significant risks, be involved where it can add value, and then be able to rely on the ongoing and continuous management of risk by executives and managers across the organization. If the organization feels it is able to provide a report that shows the entire “portfolio of risk”, I have to question whether they are addressing every risk that matters.

[A 2010 COSO report, Board Risk Oversight: A Progress Report from Protiviti, makes interesting reading, together with a 2009 report: Effective Enterprise Risk Oversight, The Role of the Board of Directors].

The problem with many guides from so-called thought leaders and experts on risk oversight is that they talk about the board reviewing a list of top risks from management, seeing if they agree that they are the top risks, validating management’s assessment of each risk, and discussing the actions management is taking in response.

This constitutes a periodic review of a list of risks. It may provide some level of comfort but it is limited to that list of risks and is only at that point in time.

One influential internal audit thought leader believes that internal audit should provide assurance that the board receives an accurate report of [residual] risk levels. I don’t believe that is sufficient because (a) it remains a point in time activity while risk is managed continuously, and (b) it involves internal audit second-guessing management’s assessment of risk levels. Internal audit should ensure management has effective processes for managing risk every day, which includes but is certainly not limited to periodic reporting to executives and the board.

The Canadian Institute of Chartered Accountants produced a thoughtful guide: A Framework for Board Oversight of Enterprise Risk. In the Introduction, you will find this excellent section:

“What is the appropriate role of the board in corporate risk management? Traditional governance models support the notion that boards cannot and should not be involved in day-to-day risk management. Rather, through their risk oversight role, directors should be able to satisfy themselves that effective risk management processes are in place and functioning effectively. The risk management system should allow management to bring to the board’s attention the company’s material risks and assist the board to understand and evaluate how these risks interrelate, how they may affect the company, and how these risks are being managed. To meaningfully assess those risks, directors require experience, training and knowledge of the business.”

I recommend a read of this interesting document.

I also recommend listening to my friend Jim DeLoach talk about risk oversight in this video. Note how he discusses the need for the board to satisfy itself that management has an effective risk management program in place.

The board relies on the system of internal control, with assurance from external and internal audit on its effectiveness, to produce periodic financial reports. It then reviews and asks appropriate questions of the financial statements before they are filed.

In the same way, it should seek to rely on an effective set of processes for managing risks to the achievement of objectives and creation of value. Board members should similarly review periodic risk reports and ask appropriate questions of management.

When the board knows that it can rely on management’s processes for managing risk, will be informed on a timely basis on changes in risk that merit its attention, and reviews and questions reports produced by the risk management process (not only at scheduled meetings but when the board is notified of significant changes), it is providing full-time oversight.

This is my advice for directors in discharging their responsibilities for oversight of risk management (see my prior blog):

1. The responsibility of the board is to ensure that management has appropriate processes for risk management. It is not the directors who identify and assess risk (with the exception of the point below), but management.

2. Some risks should be the remit of directors, such as:
- CEO performance
- Executive succession planning
- The effectiveness of the board and its committees
- The adequate performance of those that report to the board, such as the internal and external audit functions and, in some organizations, the chief risk and chief compliance officers

3. Directors should understand that risk management is not just about protecting value but creating it. When risk information is provided to decision-makers and considered in the making of business decisions, better decisions are likely and this will drive better performance. When we are talking about risk, we are talking about uncertainties (potential events or situations) that lie in the path to the organization’s objectives. The effect of those uncertainties can be positive, creating value (often referred to as opportunities), as well as negative, impeding progress. Risk management is, at its core, about understanding those uncertainties (both those with positive and negative effects on objectives) and taking actions to optimize outcomes.

4. Directors should also understand that it is essential that the risk management process be dynamic, iterative, and responsive to change because (a) business conditions, including risks, are changing at an accelerating pace, (b) the volatility of risk seems to be increasing, (c) the time to respond to those changes is diminishing, and (d) business decisions have to be made at speed. Assessing and responding to risk at periodic intervals is unlikely to be sufficient; the understanding and consideration of risk has to be embedded into how the business is run – every day.

5. Risk management should not be a separate activity; it should be embedded in the processes for establishing objectives and setting strategies; managing major projects; monitoring and optimizing performance; reporting of results, both financial and operational; reviewing executive compensation; and daily decision-making.

6. As business conditions change, not only external to the business but also internal – such as organization changes – management should consider updating its risk framework (including approved risk appetite or criteria) and processes

7. Reviewing the effectiveness of risk management and internal control is an essential part of the board’s responsibilities and should be performed at least annually. The board will need to form its own view on effectiveness based on the information and assurances provided to it (see #10, below), and in doing so it must exercise the standard of care generally applicable to directors in carrying out their duties. Management is accountable to the board for implementing and monitoring the system of risk management and internal control and for providing assurance to the board that it has done so.

8. Neither risk management nor internal control processes provide perfect assurance. Rather, the board should assess whether management’s processes provide reasonable assurance that the more significant risks to the company’s objectives and strategies are within levels appropriate to the company’s business and approved by the board.

9. When assessing the adequacy of risk management, the board should consider:
- CEO performance
- Executive succession planning
- The effectiveness of the board and its committees
- The adequate performance of those that report to the board, such as the internal and external audit functions and, in some organizations, the chief risk and chief compliance officers
- The processes for establishing the company’s longer and shorter-term objectives and strategies, and whether they give appropriate consideration to risk;
- The processes for determining the company’s risk appetite or criteria, and communicating them to managers and other employees as appropriate. While it can be valuable (and is required by law or regulation in some cases) to establish the organization’s overall risk appetite (the level of risk the organization is willing to accept), unless that appetite is translated into practical guidance that each manager can apply in decision-making to take the right risks, an appetite statement will be form without substance;
- The adequacy of the company’s risk policies and standards;
- The adequacy of management’s processes for identifying, analyzing, evaluating, and treating new or modified risks;
- Whether there is sufficient effective communication of risk and control information across the business;
- The processes for monitoring and optimizing performance, and whether they give sufficient consideration to risk levels;
- Whether management’s processes for monitoring the adequacy of internal control and risk management processes provide reasonable assurance that they continue to operate as intended and are modified as business conditions or risks change; and
- Management’s reporting of risk and whether it provides both senior management and the board sufficient timely visibility of risk levels across the organization and whether they are at acceptable levels.

10. The board should solicit a formal opinion on the adequacy of risk management and internal control from the head of the internal audit function at least annually, which should be considered in the board’s own assessment. The board should also solicit the observations of the independent auditor, recognizing that such observations will generally be limited to risks and controls related to the preparation of the external financial statements. If the organization has a chief risk officer, their opinion should be obtained of the adequacy of risk management processes and practices, including the organization’s risk culture, the adequacy of resources for the management of risk, and the integration of risk into strategy-setting, major project management, performance management, etc.

11. The board should ensure that its members have sufficient collective understanding of risk management practices and techniques to effectively question and assess management’s risk management framework and processes.

12. The board should ensure it receives sufficient useful, reliable, complete, timely, and current information to provide effective oversight of the organization’s performance, including risk management.

Earlier this year, I suggested 5 questions board members should ask management:
- Are you, board and management separately and together, satisfied that the organization has an effective process for identifying, assessing, and responding to risks to the achievement of the organization’s objectives? If so, please explain why you believe it is effective now and how you know it will continue to be effective as we go through the year.
- Does that process provide sufficient timely information so that you are not surprised by changes in risk conditions, including changes in risk levels as well as by emerging risks?
- Is the consideration of risk sufficiently integrated into management processes and operations, so that it impacts strategy-setting and decision-making across the organization, or is risk management performed in a silo that is separate from performance reporting and management and how the organization is run every day?
- What are the plans for improving the maturity and effectiveness of risk management in the next 12 months?
- Where is the risk management program weakest (such as incomplete, unreliable, or untimely information) and what does this mean to the management of the organization? How are you compensating for the risk that this represents?

I welcome your comments.

Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/