Enterprise Risk Management Initiative, Poole College of Management, North Carolina State University

Providing Thought Leadership, Education and Training on the Subjects of Enterprise Risk Management

Recent Developments to the Board’s Role in Risk Management

Authored by

Continued Awareness of Risk Management and Emerging Developments

The Board of Directors (“the Board”) plays an integral role in the risk management function of a corporation, starting with setting the “Tone at the Top,” the cultural foundation for risk management. Risk has been a prominent topic of debate for years, and even more so recently, since the financial crisis drew the ire of the public, legislators, and the media over executive compensation. Combined with ongoing global economic instability and increasing regulatory requirements, this means that the development of rigorous risk management procedures will continue to evolve as new risks emerge.

Functions of the Board in Risk Oversight

From monitoring risks to establishing compensation policies, numerous new responsibilities have been placed upon the Board in its risk oversight function, but those responsibilities originate from three sources:

  • Fiduciary duties: Legal liabilities (Caremark cases)
  • Federal laws and regulations: Dodd-Frank Act and SEC proxy rules
  • Industry-specific guidance and general best practices manuals: Committee of Sponsoring Organizations (COSO) and National Association of Corporate Directors (NACD) – Blue Ribbon Commission on Risk Governance 

The article, which is authored by Martin Lipton, Daniel A. Neff, Andrew R. Brownstein, Steven A. Rosenblum, Adam O. Emmerich, Sebastian L. Fain, and David J. Cohen, notes that while these sources impose additional responsibilities on the Board, companies should treat them as a minimum rather than designing their risk management policies solely to satisfy a requirement of the Board function.

Suggested Practices to Improve Risk Oversight

While every company should customize its risk management procedures, the core of any framework or system put in place should accomplish four critical goals:

  • Provide timely identification of material risks to the company
  • Implement risk management strategies that are responsive to the portfolio of risks, business strategies, and risk thresholds
  • Align risk management into the business decision making 
  • Communicate pertinent risk information to the senior executives, the board, or board committees

These core goals provide high-level direction for those responsible for the risk oversight function; however, the goals alone do not say how to accomplish them. The article highlights 13 examples of actions that the risk oversight function could take to achieve the core goals, with an emphasis on management dialogue and accountability. In addition to these examples, the article discusses specific areas in which the overall risk management oversight function can be improved.

Who should perform risk oversight?

Each company can assign the responsibility for risk oversight to different groups or committees, but depending upon the type of organization, there may be specific guidance. Whether it is the responsibility of the audit committee for companies listed on the NYSE or of a dedicated risk committee for financial institutions subject to the Dodd-Frank Act, the full Board should satisfy itself that whichever committee conducts risk oversight does so adequately.

Communication is key

Decision makers rely on information to make appropriate strategic decisions. The key to the process is understanding the risks that may materially affect those decisions, which means that high-quality, timely information needs to flow among the people involved in making them: the Board, senior management, and risk managers.

Continuous risk management

Improving risk management involves not only the improvements mentioned above, but also recognizing that risk management is not a project. It should be a cycle that is performed continuously. This allows companies not only to remain abreast of emerging risks, but also to reassess previously identified risks and how they may have changed.


Risk management oversight is a rapidly developing area that garners a lot of attention, particularly for the Board, which faces pressure from regulators, the public, media outlets, and others to control the risky behavior of senior executives. As the field continues to change, it is imperative that the Board remain abreast of the additional required and recommended responsibilities revolving around risk management. Regardless, the Board should recognize that the responsibilities placed on it through fiduciary duties, regulations, or best practices should not be approached as a “satisfy the requirement” task, but as an opportunity to improve the risk management process. The article presents updates on the changing risk environment and how a company can change along with it by assigning risk oversight functions, communicating risk information, maintaining legal compliance, and assessing risk continuously.

Link: Bank and Corporate Governance Law Reporter

ERM Enterprise Risk Management Initiative 2014-01-14