The inaugural edition of Board Perspectives: Risk Oversight includes questions board members should ask of executive management regarding the organization’s risk management processes. In this newsletter, as in future editions, we intend to explore the right questions without suggesting standard “cookie cutter” answers.
Following are some suggested questions that boards should consider as they seek to clarify their risk oversight responsibilities:
Is there a robust process in place for identifying, prioritizing, sourcing, managing and monitoring the enterprise’s critical risks in a changing operating environment?
Do we understand the risks inherent in the corporate strategy? Is there a sufficient understanding of the significant assumptions underlying the strategy and is a process in place to monitor for changes in the environment that could alter those assumptions?
Are we and executive management on the same page with respect to the risks the entity is willing to accept and the risks the entity should avoid (i.e., the entity’s risk appetite)? Is there sufficient dialogue enabling appropriate and timely board input to executive management on the risks undertaken?
Are policies in place for managing significant financial and commodity risks on an enterprise-wide basis? Has management quantified the loss exposures involving these risks and prepared response plans to address multiple future scenarios?
If new and complex risks emerge, are the appropriate expertise, processes and information brought to bear to ensure there is an understanding of the emerging risks and their implications to the enterprise’s strategy and business model?
Is the board receiving the information it needs to foster effective risk oversight, or is it drowning in data providing little knowledge or insight? Is there sufficient agenda time for discussing the enterprise’s risks? In what areas does the organization need to improve its capabilities for managing risk?
Does the organization have a process for thinking about the “unthinkable,” i.e., the plausible scenarios that could occur over the time horizon covered by the corporate strategy and business plan? Has management considered how the entity would respond should any of these scenarios occur? Has considering these scenarios created awareness of the forces affecting the organization in the present that can make it captive to events in the future?
Are the enterprise’s “tone at the top” and culture conducive to effective risk management? For example, does the compensation structure reward short-term risk taking without taking into account the potential longer-term effects on the company? If there is a chief risk officer, does that individual have the right skills and is he or she positioned to be successful? Does he or she provide the board with timely information about the company’s risks? Is it clear that executive management will pay attention to the warning signs posted by the risk management function at the crucial moment?