Law & Governance
The Board's Role in Risk Management
Potential profit often corresponds to the potential risk.... Stockholders' investment interests will be advanced if corporate directors and managers honestly assess risk and reward, cost and benefit
- Hon. E. Norman Veasey
Risk management is the process by which management, subject to
Board oversight, assesses the nature and scope of risks applicable
to a company; designs and applies appropriate controls to minimize
the risks; and monitors the controls to ensure that they are
working effectively. The Committee of Sponsoring Organizations of
the Treadway Commission suggests that companies evaluate their
risks using the components of risk management described in its
model, the Enterprise Risk Management Integrated Framework (ERM).
This model emphasizes that, because risks will not always fall
clearly into one category, a company should develop a comprehensive
risk management plan in which the approaches to the various
components of risk interact with and influence one another. The
eight components of ERM are:
- Internal Environment: The tone of an organization is set
by its leaders. Does the company have a large appetite for risk, or
are its leaders more risk-averse? Does the company's culture
support the risk management and internal controls
- Objective Setting: A company may set goals on many
levels: strategic, operating, financial. By clearly identifying its
goals, management and the Board can more clearly perceive the risks
that the company may encounter.
- Event Identification: The Board should ask management
how the company identifies new risks and opportunities. What risks
and trends exist in the company's industry? What risks are
associated with new products, services or acquisitions? With new
competitors? How are the company's risks interrelated? The Board
should also consider legal, ethical and compliance risks that the
company may encounter.
- Risk Assessment: After identifying potential risks,
management and the Board should analyze and prioritize the risks in
light of their likelihood and potential impact. Each business unit
should be involved in the process. What adverse events has the
company encountered in the past and what lessons were
- Risk Response: Companies may choose to respond to risks
by avoiding them, or by accepting them and working to reduce their
impact or dilute their severity by sharing risk with other parties.
What are the costs of these alternatives? Has management allocated
sufficient resources to respond appropriately? Is the company
adequately insured for its insurable risks?
- Control Activities: The Board should work with
management to develop and implement well-structured policies and
procedures in response to the company's primary risks to ensure
that responsive actions are carried out at all levels of the
- Information and Communication: Relevant information
should be well-documented and communicated on a timely basis -
vertically, up and down the chain of management, and horizontally,
across divisions of a company - to ensure that all members of the
organization carry out their responsibilities with respect to the
company's risk management policies.
- Monitoring: The Board should help management establish testing and evaluation procedures to monitor the company's risk management system. Modifications to the risk management system should be made as needed in response to these evaluations.
Board committees should incorporate risk management into their regular responsibilities. A company's governance committee can ensure that the company is prepared to deal with risks and crises by evaluating the individual capabilities of the directors, nominating directors with crisis management experience and considering the time each director and nominee has to devote to the company. The governance committee should also work with management to establish an orientation program for new directors and succession plans for key executive officers.
While some companies prefer to involve the Board as a whole in the risk management process, corporate governance guidelines and charters of audit committees may delegate this responsibility to the Audit Committee. Alternatively, a company may appoint a risk management officer, form a risk management committee or assign responsibility to a finance or compliance committee of the Board. The responsible committee or group should meet regularly with the company's internal auditor, the chief financial officer, the general counsel and the head of compliance and individual business units to discuss specific risks and assess the effectiveness of the company's risk management systems.
In a recent survey by PricewaterhouseCoopers, only 20% of U.S. CEOs responding believed they had enough information to manage the risks facing their companies. In many companies, the Board may have to take the lead to ensure adequate risk management procedures are in place.
Acknowledgment: Reprinted with permission.
This article first appeared in the June 2005 issue of the Corporate Board Member.