A common practice among boards of directors is to assign responsibility for certain aspects of the board’s oversight of management to subcommittees of the board, such as the audit committee or compensation committee. While that delegation is often appropriate and effective, it can limit the full board’s ability to develop a rich understanding of the enterprise’s aggregate risk portfolio. As boards rely on subcommittees to oversee specific types of risk, the board’s risk oversight may revert to silo-based risk management, which is contrary to the objectives of enterprise risk management (ERM). A recent article in Directorship calls attention to this concern and suggests that boards engage in “risk mapping” to ensure the board is reconciling where and by whom the entity’s most significant risks are being overseen at the board and management level.

Concerns about Over-reliance on Board Committees

The article, authored by Herbert S. Winokur, recognizes the reality for many boards that their agendas are becoming increasingly crowded with discussion centered on compliance with the growing number of required board procedures. With growing frequency, boards are delegating certain oversight responsibilities to their subcommittees, which hinders the subcommittees’ ability to identify risks that might cut across the organization. In essence, the board is moving toward a more siloed approach to risk management at a time when pressure is being placed on boards to be more effective at enterprise-wide risk oversight. Furthermore, board agendas are so full that in many cases the full board doesn’t take the time necessary to adequately think outside the box about emerging risk exposures.

Call for “Risk Mapping”

The article calls for boards to engage in “risk mapping,” which consists of an in-depth look, through a “risk mapping advisory committee,” at all types of risks that could affect the entity. The committee would meet periodically to identify as many risks as possible, assess those risks based on impact and likelihood, and then determine which organizational units are responsible for addressing and managing them. The committee need not be drawn solely from the board. Rather, certain members of the executive team, outside consultants, and enterprise risk management specialists might serve in addition to outside directors on the board.

The results of this risk mapping advisory committee would be reported to the full board. The board would use this input to ensure that the most significant risks are being addressed appropriately by management, and it would provide useful input about any needed changes in strategy or operational processes, or additional expertise needed by the board.
