Digging deeper into the concerns about risk management, key factors were identified that the audit committee and board members found to be below their expectations with regard to their company's risk management practices.

This paper, published by KPMG, notes some of the questions and the participant responses:

Q: How satisfied are you that your board has in place effective processes to oversee the company’s risk management activities?
12%‐Very satisfied; 35%‐Satisfied; 36%‐Somewhat satisfied; 17%‐Not Satisfied

Q: How satisfied are you that your board/audit committee understands and tests management’s core risk assumptions?
9%‐Very satisfied; 32%‐Satisfied; 36%‐Somewhat satisfied; 23%‐Not Satisfied

Q: How satisfied are you that your board exercises an appropriate degree of skepticism regarding management’s risk assumptions and perceptions?
7%‐Very satisfied; 40%‐Satisfied; 40%‐Somewhat satisfied; 13%‐Not Satisfied

Q: How involved is your audit committee in helping to address the risks associated with the company’s incentive compensation plans?
7%‐Very involved; 29%‐Somewhat involved; 61%‐Not involved

The discussions during the conference defined some broadly applicable solutions. These best practices are listed under three topics: a more focused and intense oversight role, overseeing risk in the current environment, and a changing regulatory environment.

Risk in the Current Environment

The recommendations for risk oversight centered on the board and audit committee’s interaction with management. It is crucial for these bodies to fully understand management’s actions and motivations in order to be vigilant in ensuring a holistic risk management approach. The best practices were divided into five topics:

Ask the basic questions

  • How rigorously does management stress‐test key risk assumptions?
  • Are the board’s information sources significantly varied and objective?

Insist on a robust conversation about risk; create a dynamic interchange between management and directors

  • Directors should understand, question, and test management’s core risk assumptions and perceptions
  • Be sensitive to the effect of compensation/incentives on the company’s strategy and risk culture

Understand risk culture

  • Be aware of the dynamic between management and the board; watch for “spin”
  • Directors should talk to the heads of operations and “walk the halls” of more remote locations to get a true sense of risk culture

Consider nontraditional risks

  • Management may be unwilling or unable to perform
  • The board and audit committee may not be performing their duties effectively

Prepare for crisis

  • Have a written plan, possibly including external talent to develop it
  • Consider the entire range of issues that could cause a crisis

An emphasis was also placed on the need for boards to be more involved in management compensation. While they might not help define it, they should be very knowledgeable about incentives and how they may create risk.


Boards and audit committees must help guide their companies through the current crisis and toward an unknown future. Their success rests on a dynamic, effective relationship with management. Boards must be knowledgeable and diligent in their role to ensure management not only stays in line with the company’s risk profile, but is prepared for the next big crisis.

ERM Enterprise Risk Management Initiative 2009-02-01