‘Risk governance’ or ‘risk oversight’ (I see the terms as synonymous) is a topic that comes up quite often in governance codes, regulator and investor group guidance, and (of course) in risk management frameworks.
But is it something that boards should be doing? Should they be providing oversight on risk?
Maybe they should, but perhaps not in the way that most have been doing it, and I would prefer a different description.
A 2012 article by Matteo Tonello of The Conference Board (based on an article by Tim Leech) references a National Association of Corporate Directors Blue Ribbon Commission report that talks about risk oversight in a traditional way:
While risk oversight objectives may vary from company to company, every board should be certain that:
- the risk appetite implicit in the company’s business model, strategy, and execution is appropriate
- the expected risks are commensurate with the expected rewards
- management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company’s business model and strategy
- the risk management system informs the board of the major risks facing the company
- an appropriate culture of risk-awareness exists throughout the organization
- there is recognition that management of risk is essential to the successful execution of the company’s strategy
This reflects the common board practice of reviewing a list of (exclusively downside) risks and challenging management’s assessment and handling of those risks. There is a focus on approving a risk appetite statement and, if we are lucky, receiving a report from the internal audit head on the effectiveness of (downside) risk management.
I would far prefer the board to be concerned with whether management is taking the right level of the right risks. Even better is whether management is making informed and intelligent decisions.
Success doesn’t come with avoiding or minimizing (downside) risk – it comes from informed and intelligent risk-taking, balancing the potentials for harms and rewards.
Some frameworks and governance codes are slowly moving in the right direction: less of a focus on managing risk (“doom management”) and more on managing the achievement of objectives (“success management”).
For example, ISO 31000:2018 says:
Oversight bodies are often expected or required to:
— ensure that risks are adequately considered when setting the organization’s objectives;
— understand the risks facing the organization in pursuit of its objectives;
— ensure that systems to manage such risks are implemented and operating effectively;
— ensure that such risks are appropriate in the context of the organization’s objectives;
— ensure that information about such risks and their management is properly communicated.
This is not very good, as it doesn’t talk about decision-making or improving the extent and likelihood of success, but at least ISO recognizes that what might happen can include good as well as bad.
COSO ERM 2017 has a principle (#1): “Exercises Board Risk Oversight”. While the language in the following section and in Appendix C (where there is a table that lists, at a very high level, board oversight activities) is not at all specific on what ‘oversight’ means, I give COSO credit for the sentence that details the principle:
The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
They don’t say that the board should oversee risk. They say the board should oversee the achievement of strategy and objectives.
The 2016 King IV Report on Corporate Governance for South Africa has some excellent language. It starts the section on risk governance with this:
Principle 11: The governing body should govern risk in a way that supports the organization in setting and achieving its objectives.
1. The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and assessed within the organization. Risk governance should encompass both:
- The opportunities and associated [downside] risks to be considered when developing strategy; and
- The potential positive and negative effects of the same risks on the achievement of organizational objectives.
2. The governing body should treat risk as integral to the way it makes decisions and executes its duties.
It references risk appetite and other [downside] risk management practices, but is not exclusively a doom management code. It also highlights the need to create value by seizing opportunities.
Perhaps we should discard the term ‘risk governance’ in favor of strategy and performance oversight. The board should be concerned with setting the most appropriate strategy and then executing on it.
My advice for board members is to integrate discussions of strategy, risk, and performance.
Rather than reviewing a list of risks and obtaining assurance that management knows how to identify, assess, and then address things that could go wrong, the board should obtain assurance that management:
- Is doing a good job of thinking about what could happen in the future, including events with positive as well as negative effects on the achievement of objectives, and whether that is acceptable or needs attention in some way
- Is involving the right people and obtaining reliable information about what might happen when making decisions
- Is disciplined in its decision-making (rather than making off-the-cuff decisions based on ‘experience’ or gut feeling)
- Is monitoring the situation, both within and outside the organization, so it can respond if conditions change
Assurance should come first from the executive team, preferably the CEO. The opinion of the CRO and the assessment of the CAE should follow.
This way, the board is discharging its responsibilities to ensure stakeholders get the performance they should: value creation as well as (and not just) value protection.
The board should make sure the management team is effective in running the organization, and that is not done by focusing on a list of harms.
Effective governance of an organization is limited if the board focuses on risks.
What do you think?
Norman D. Marks, CPA, CRMA, retired in early 2013. However, he still blogs, writes, trains, and speaks, and mentors individuals and organizations when he can.