Board risk assessment: Where’s the focus?
Risk. Such a broad topic, and one that can keep board members awake at night. After all, boards are ultimately responsible to investors and others for the all-encompassing task of risk oversight.
For decades, boards and specifically their audit committees have focused on risks, but primarily on financial reporting risks. Are the financial statements materially correct? Do we have controls in place to prevent fraud? The financial reporting process, however, is basically a summarization of the results of managing all of the risks that impact a company.
The risks that companies face today span a broad range, including financial risks, but also competitive, environmental, legal, operational, regulatory, strategic, technological, and employee-retention risks, among others. And, risks are constantly changing due to internal and external circumstances. Effective risk oversight consists of regularly evaluating the risks and the adequacy and timeliness of risk management systems. With such an extensive and shifting assortment of risks, and the importance of risk management, how should the board focus its risk-oversight role?
Oversight is not supervision of day-to-day activities. Management must implement appropriate systems that effectively manage risks. However, board oversight does involve a certain level of commitment in order to set the appropriate “tone at the top,” and to thoroughly evaluate the nature and extent of risks confronting the company, the company’s risk “appetite,” its ability to reduce risk and the relative cost of risk mitigation. This sounds complicated and perhaps overwhelming. It may help to focus the board’s responsibilities through the lens of understanding.
First, it is important to understand the scope of potential risks. Board members can’t effectively oversee what they don’t understand. To accomplish its risk oversight responsibilities, members must first understand the company’s business, its industry and the external factors that affect it, such as legislation, the changing regulatory environment, cybersecurity, operational risks, the economy, legal actions, etc.
It is impractical to expect any one board member to have this breadth of understanding. Fortunately, the board can draw upon its collective strength and diversity. Directors with different strengths, competencies (e.g., law, accounting, economics, human resources, IT), industry experiences and risk appetite will naturally gravitate to deepening their understanding of company-specific matters in their areas of expertise.
To fully understand a company’s particular enterprise and operating risks, regular updates from management are critical. Effective risk management involves a dynamic and iterative process for identifying and assessing risks, and thus the board should periodically require management to review and report on significant company risks or exposures and actions needed to minimize such risks or exposures.
It also will be important for the board to understand the company’s processes and systems for the timely identification and mitigation of external and internal risks. In addition to understanding risks, the board should consider holding annual discussions with senior management and (or) internal audit regarding these processes and systems, asking questions such as:
- What is management’s process for identifying new or emerging risks not previously considered?
- When a major new risk is identified, what is management’s process for reporting the pertinent information to the board on a timely basis?
- What is the process for capturing and evaluating the input of “middle management” with regard to new or emerging risks as well as existing risks?
- How effective are the processes for identifying, evaluating and mitigating risks? How often is management reviewing and updating those processes? Is the company learning from past mistakes and best practices of industry peers?
- Have other risk-management strategies, such as transferring risk to third parties, sharing risk or making contingency plans been considered?
After obtaining an understanding of the pertinent risks and the systems used to address them, consider applying another lens: that of “skepticism.” A questioning mindset promotes risk awareness and is fundamental to solid risk management. Too often, risk management becomes complacent. If there is anything the past year has reinforced, it is that the status quo may be fleeting and effective risk management must be prepared for the unknown.
Article originally appeared in NACD's Directorship magazine September/October 2021 issue. Phyllis Deiso is a partner and the National SEC Practice Leader for RSM US LLP.