Board oversight is key to ensuring that management is accountable for risks facing the organization and is designing a strategy that aligns the appropriate degrees of acceptable risk with organizational goals and objectives. Risk conversations, as a dedicated part of every board meeting agenda, should consider the following questions:
Risk Environment
| Is there a common risk language spoken and understood throughout the organization and is the organization’s risk appetite reflective of the expectations of shareholders, regulators and other stakeholders? |
| Are risk governance and management responsibilities clearly defined at all levels? |
| Is there a process in place for identifying, collecting information about, and providing timely alerts for emerging or changing risks? |
| How well is leadership managing risks to growth, margin, assets, and purpose? How do you know? |
| Are risk communications, training, and reporting insightful and engaging enough to be valued by leadership, management, and employees? |
Risk Assessment
| Has a risk assessment framework been customized to consider risk characteristics that are most critical across the organization? |
| Are risk identification and assessment linked to the business strategy? |
| Do existing controls and processes adequately mitigate identified risks? |
| Has risk oversight responsibility been appropriately allocated within the board and its committees? |
| Do our directors have the right level of expertise to oversee risks to the organization? |
| Is capital allocation aligned with and appropriate to assessed risk significance and magnitude? |
Risk Monitoring
| Are all identified risk metrics properly aligned with strategy objectives to serve as indicators of potential problems? |
| Is accountability for risk reflective in executive and key management performance evaluations? |
| Is risk management embedded in planning, communications, and training activities across all functions to ensure that we receive adequate and timely risk information? |
| Is the dialogue and reporting of risk throughout all levels, including the boardroom, open and ongoing? |
| Are our risk disclosures transparent and relevant to stakeholders? |
| How do we as directors get comfortable that management is operating within risk, compliance, and ethics standards agreed to with the Board? |
| If the organization had a catastrophic failure, what assessments, testing, or validation could the Board rely on to demonstrate its oversight? |