ERM Leadership and Governance

Taking a Fresh Look at Board Risk Oversight

Introduction

A company’s real value is derived from an effective Board that thoughtfully and attentively oversees all areas of the company’s risk, and directors must define and agree on the Board’s role. The Board is critical to risk oversight, because it attracts stakeholders calling for greater transparency. This article discusses the challenges that boards currently face and ways to combat them.

Challenge: How can a board reassure investors that it is overseeing risk effectively?

Shareholders care about the Board’s relationship with risk oversight because business risks affect the company’s bottom line, which in turn affects shareholders’ opinion and cash flow. As more companies have experienced cyberattacks, supply chain disruptions, and allegations of wrongdoing, shareholders have started to wonder what the Board is doing to mitigate these risks. Since 2010, the SEC has required that companies state in their proxy what the board’s responsibility towards risk oversight is; however, the disclosures are very basic and give shareholders no peace of mind. PwC conducted a survey which revealed that only 30% of directors indicated that their board enhances the proxy disclosure.

Board Action

Directors can take several steps to improve risk oversight. Some of the most robust disclosures include making it clear that the full board is engaged in discussing all risks, even specific committee risks; describing how the board oversees key risks, as well as the board’s full role; describing the board’s approach to allocating risk oversight; and describing the nature and frequency of reporting to the board. At the very least, directors can take two actions to improve risk oversight. Management should benchmark the company’s disclosure about the board’s oversight of risk against those of peers and competitors. Directors should ask those who prepare the proxy statement to draft a sample disclosure that includes additional information on the board’s practices, considers insights drawn from management’s review of other companies’ disclosures, and incorporates the elements of robust disclosures described earlier. These actions can improve risk oversight by identifying changes that could improve the board’s oversight and could illuminate issues in management’s process.

Challenge: Do directors’ backgrounds support effective risk oversight?

Diverse backgrounds and specialized expertise produce a more effective Board, because they bring unique experiences to the table. Many of the key risks a company faces are linked to its strategy and industry. It is hard for boards to have an in-depth understanding of the key risks that management hasn’t already identified, because antitrust regulations make it a challenge to have many directors with deep industry knowledge on a company’s board.

Directors with risk management expertise are a huge asset to an organization. The Dodd-Frank Act mandates that each organization has at least one risk management expert on a risk committee. However, there is no widely accepted definition of what a risk management expert looks like.

Board Action: Rethink board composition

An appropriate composition includes a board that has a deep understanding of the company’s industry, a variety of director backgrounds, and one or more directors with risk management expertise. Directors with knowledge of the industry are helpful, because they can accurately assess risks and their implications. A company’s changing strategy means there is a need for directors with certain expertise and diverse backgrounds, since they are in a better position to understand the risks in that field. The right board composition allows you to drive more effective discussions and helps ensure management has identified all relevant risks.

Challenge: Are any key risks falling through the cracks and not being overseen anywhere at the board level?

Companies have many risks, and individual risks can easily get lost or be overshadowed. There can be confusion about who oversees risk management for certain risks. Specifically, directors may think a committee is responsible for a risk when it is not.

Board Action: Clearly allocate risk oversight among the board and its committees. Ensure that the chairs share their committees’ insights about those risks with the full board.

The board and committee chairs must collaborate to ensure that all key risks are dealt with through board-level oversight. Risk allocation matrices are useful to many boards. Committees that oversee specific key risks must report back to the board, because the full board needs to know how well the company is managing risks. The full board needs to discuss cross-enterprise risks even if certain board leaders do not deal with that risk.

Sometimes overseeing key risks can get messy, such as when key risks overlap multiple committees. To combat this challenge, the committee chairs could discuss the risks, attend the other committee’s meetings, or even periodically hold joint committee meetings.

Challenge: Is too much of the board-level effort on risk focusing on compliance and regulatory matters?

It is easy and common for directors to get overwhelmed with compliance and regulatory risks and spend too much time overseeing those risks. The issue is that risk oversight is assigned to audit committees disproportionately. Audit committee members are usually trained on financial reporting and compliance risks. Thus, there is no creativity for business risks or risks that are also important to the company but outside their realm. Additionally, the board and the committees already have a tight schedule. There is not usually time for an in-depth discussion on strategic and operational risks.

Board Action: Preserve agenda time to focus on key risks, including big picture strategic risks.

Boards should evaluate their current approach to overseeing risk and assess whether too much time is focused on compliance risks versus strategic risks. There are several approaches you can take to include key risk discussions. Consider adding risk as a required topic to the reports from management supporting such discussions; using a facilitator or third party to drive the discussion or add insights about how broader economic, business or industry trends impact risk; or holding an unstructured, free-flowing session to brainstorm about risks with management.

Conclusion

Boards are crucial to risk oversight, because a solid approach to risk management can deliver value to the stakeholders of the company. Boards can disclose their risk practices in the proxy, have diverse board directors, allocate risk oversight responsibilities better, and create an agenda where operational and strategic risks are discussed.

Original Article Source: “Why your board should take a fresh look at risk oversight: a practical guide for getting started”, PwC, 2017