Board oversight is key to ensuring that management is accountable for risks facing the organization and is designing a strategy that aligns the appropriate degrees of acceptable risk with organizational goals and objectives. Risk conversations, as a dedicated part of every board meeting agenda, should consider the following questions:
Risk Environment
Is there a common risk language spoken and understood throughout the organization, and is the organization’s risk appetite reflective of the expectations of shareholders, regulators and other stakeholders?
Are risk governance and management responsibilities clearly defined at all levels?
Is there a process in place for identifying, collecting information about, and providing timely alerts for emerging or changing risks?
How well is leadership managing risks to growth, margin, assets, and purpose? How do you know?
Are risk communications, training, and reporting insightful and engaging enough to be valued by leadership, management, and employees?
Risk Assessment
Has a risk assessment framework been customized to consider risk characteristics that are most critical across the organization?
Are risk identification and assessment linked to the business strategy?
Do existing controls and processes adequately mitigate identified risks?
Has risk oversight responsibility been appropriately allocated within the board and its committees?
Do our directors have the right level of expertise to oversee risks to the organization?
Is capital allocation aligned with and appropriate to assessed risk significance and magnitude?
Risk Monitoring
Are all identified risk metrics properly aligned with strategy objectives to serve as indicators of potential problems?
Is accountability for risk reflected in executive and key management performance evaluations?
Is risk management embedded in planning, communications, and training activities across all functions to ensure that we receive adequate and timely risk information?
Are the dialogue and reporting of risk throughout all levels, including the boardroom, open and ongoing?
Are our risk disclosures transparent and relevant to stakeholders?
How do we as directors get comfortable that management is operating within risk, compliance, and ethics standards agreed to with the Board?
If the organization had a catastrophic failure, what assessments, testing, or validation could the Board rely on to demonstrate its oversight?