Risk management goes hand in hand with strategic planning—it is impossible to make informed decisions about the company’s strategic direction without a full understanding of the risks involved. An increasingly interconnected world economy continues to spawn newer and more-complex risks that challenge even the best-managed companies. According to one survey, reputational risk and cybersecurity/IT risk are the leading concerns among board members. How boards respond to these risks is critical, particularly with the increased scrutiny being placed on boards by regulators, shareholders and the media.
Proper oversight of risk management encompasses the full panoply of risks that a company may face, including operational, financial, strategic, compliance and reputational risks. Enterprise risk management not only focuses on reducing risk, but also assesses both upside and downside risks, and thus, helps inform the strategic planning process. Boards of directors of all companies should be evaluating the adequacy of their risk management oversight procedures. Among other things, directors should address —
- Director education. All directors need to have a good understanding of their company’s business and the major risks it faces. Without a good grasp of both the upside and downside risks, directors cannot properly oversee the company’s strategic direction. Indeed, as part of its oversight function, a board needs to be satisfied that the company’s risk appetite, that is, the amount of risk the company is willing to accept in pursuit of stakeholder value, is appropriate for the company.[i] As discussed more fully in the topic on board composition, boards should ensure they have directors with sufficient experience and expertise to effectively oversee the risks the company faces, particularly with respect to data security and information technology.
- Oversight structure. The board should evaluate the manner in which it oversees risk management. Depending on how large it is and how well it functions, a board may decide to retain overall authority for risk management oversight at the board level. Other boards may use board committees to carry out certain of their risk oversight duties.
At many companies, primary oversight responsibility for risk management is delegated to the audit committee. Of course, audit committees are already burdened with a host of other responsibilities that have increased substantially over the years. Consequently, although not widespread, the boards of some companies (primarily in the financial services and insurance industries) have set up separate risk management committees. And several hundred U.S. companies now employ a chief audit executive who reports directly to the full board, allowing the board to receive information that has not been filtered.[ii]
Even if primary oversight for monitoring risk management is delegated to a committee, the entire board needs to remain engaged in the risk management process and be informed of material risks that can affect the company’s strategic plans. Given the wide spectrum of risks that most companies face and the myriad board decisions that are permeated by risk considerations, many directors believe that risk management oversight should rest with the entire board. Also, if primary oversight responsibility for particular risks is assigned to different committees, collaboration among the committees is essential to ensure a complete and consistent approach to risk management oversight.
- Reporting processes. Directors need to ensure that they are getting the information they need to understand the company’s risks, as well as management’s assessment of those risks. They also may want to meet privately with the company’s principal risk officer and the internal and outside auditors to discuss risk management issues. If risk management is delegated among several committees, their activities and the sharing of information needs to be coordinated. Also, the board should re-examine how often risk management matters are discussed at board meetings.
- Risk management review. The board (or other responsible committee) should review with management the adequacy of the company’s risk management practices. In particular, the board needs to probe whether the company’s risk management processes appropriately identify, assess and manage the company’s risks to ensure that the risk exposures are consistent with the company’s appetite for risk.
- Cyber risk. As part of a board’s risk management oversight function, directors should carefully assess the adequacy of their company’s data security measures. Cyber risk is not going away, so it is imperative that boards and management do what they can to manage and minimize cyber risk, as discussed more fully in the topic on cybersecurity. This includes identifying those areas where the company is most vulnerable and understanding how they may be at risk. Boards also need to have a response plan in place if and when a cyber attack occurs and ensure they have adequate insurance coverage for data breaches. Failure to adequately oversee this risk can cause dire consequences for the company and create additional issues for directors, including lawsuits and negative voting recommendations.
This post was excerpted from our annual Top 10 Topics for Directors in 2015 alert.