
Board Oversight of Risks: Strengthening ERM for Effective Risk Governance

What are boards doing to fulfill their risk governance responsibilities?


Effective board oversight of risk management is a crucial component of corporate governance. The board of directors plays a pivotal role in ensuring the organization’s risk management strategy aligns with stakeholder expectations and business objectives. To achieve this, boards must have a thorough understanding of enterprise risk management (ERM) processes and confirm that the organization’s risk appetite is well-articulated and aligned with its overall strategy.

The Value of How Boards Oversee Risk Management

The board of directors is ultimately responsible for the organization’s risk oversight. To fulfill this responsibility, board members must:

  • Be well-informed about management’s approach to risk identification and response.
  • Ensure that the organization’s risk-taking aligns with stakeholder expectations.
  • Regularly review risk governance processes to maintain transparency and accountability.

To understand how boards are currently overseeing ERM, we examined key processes and governance mechanisms. The following insights highlight common board practices in risk oversight.

2024 Insights from Data on Board Oversight of Risks

Our findings from the 15th edition of The State of Risk Oversight Report, which we publish annually in collaboration with AICPA, reveal key insights about processes that boards use to oversee management’s risk-taking activities.

Delegating Risk Oversight Responsibilities

  • The majority of boards delegate risk oversight to a subcommittee.
  • For most companies, this responsibility falls to the audit committee, except in financial services organizations, where it is assigned to a risk committee.
  • Over 80% of public companies discuss an aggregate risk report at a designated board meeting.

Defining Risk Oversight in Committee Charters

  • A large majority of boards explicitly document their risk oversight roles within the committee charter.
  • Clearly defined responsibilities enhance accountability and ensure a structured approach to enterprise risk management (ERM).

Defining Risk Appetite

  • Only about one-quarter of organizations, excluding financial services firms, have a formally articulated risk appetite.
  • This gap presents a challenge for aligning strategic decision-making with risk tolerance levels.

These findings highlight a need for more structured and frequent communication about risks at all levels of leadership.

Key Discussion Points for Boards and Management

To enhance board oversight of ERM, directors should consider the following critical questions:

  1. Understanding the Risk Management Process
    • Can individual board members consistently and accurately describe the company’s risk management framework?
    • Are directors aware of the methodologies used to assess and mitigate risks?
  2. Evaluating the Effectiveness of Risk Oversight
    • What processes does the board use to evaluate management’s risk oversight strategy?
    • Are there measurable criteria in place to assess risk management effectiveness?
  3. Identifying Key Risks
    • Can each board member correctly identify the organization’s top risks?
    • Is risk discussion sufficiently robust, ensuring a consensus on the most critical risks facing the company?
  4. Validating Risk Assessments
    • Does the board compare management’s list of top risks with external benchmarks or industry reports?
    • How does the board verify that management has identified emerging risks effectively?
  5. Determining Risk Appetite and Stakeholder Expectations
    • How does the board assess the risk tolerance of key stakeholders?
    • Are decisions regarding risk-taking aligned with shareholder and stakeholder expectations?

These questions can serve as starting points for more robust and productive conversations about risks.

Strengthening Board Oversight for a Resilient Future

Boards play a fundamental role in ensuring risk management is embedded within corporate strategy. Effective ERM requires not only a structured risk governance framework but also active engagement between directors and management. By enhancing risk oversight, boards can better navigate uncertainties and safeguard long-term organizational success.


Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help you and your organization lead with confidence.
