The role of the board in risk management

Although risk oversight has always been an important aspect of the board’s oversight responsibilities, the financial crisis of 2008 raised the bar even more. The role of the board of directors in enterprise-wide risk oversight has become increasingly challenging and there are heightened expectations from the public on the board’s involvement in risk.
In the aftermath of the global financial meltdown and credit crunch, risk oversight became an imperative for boards of public companies, particularly so for United States companies where the boards of listed companies took a hard look at their membership, how they operated and whether their operations and the information to which they have access are conducive to effective risk oversight.

Risk is part of everyday business and organizational strategy; however, the volume and complexities of risks facing organizations have increased tremendously over the last decade due to the complexity of business transactions, technology advances, globalization, speed of product cycles, and the overall pace of change in the environment.
Boards now have a difficult task in overseeing the management of the increasingly complex and interconnected risks that are a threat to the survival of businesses. There is an increased focus on the effectiveness of board risk oversight practices from the public, government and regulatory bodies.

The New York Stock Exchange’s corporate governance rules now require audit committees of listed corporations to discuss risk assessment and risk management policies in their meetings. Credit rating agencies, such as Standard and Poor’s, are now assessing enterprise risk management processes as part of their corporate credit ratings analysis. This shows how much pressure is being exerted on the boards with regard to their risk oversight responsibilities.
To effectively exercise its risk oversight role, the board should apply some of the principles discussed below.
The board needs to build a strong risk culture in the organisation, develop a robust risk appetite framework, and increase the role of the board and board committees in risk governance. The board’s responsibilities should be to oversee organisational activities and risks, while risk management will rest with senior management and ownership of risks resides in the business units.

The risk culture should be deeply embedded in the organisation, so that changes in the economic cycle, leadership, and staff turnover do not make the culture disappear. The board should ensure that it sustains the right attitudes and behaviours through continuous training to bring awareness and through monitoring. The boards of directors should demand periodic reviews of the overall organisation to identify areas that merit a deeper look.
The board should foster an environment where people at every level manage risk as an intrinsic part of their jobs. Rather than being risk averse, the staff should understand the risks of any activity they undertake and manage them accordingly as an integral component of the activity undertaken. The concept that ‘risk is everyone’s business’ should be ingrained in the day-to-day operations of the organisation.

The next principle is that the board should appreciate the key drivers of the company’s success and the risks inherent in the company’s strategy. The board should understand the business model and be aware of the critical enterprise risks that threaten the execution of the company’s strategy and the business model.
The board needs then to agree with management on how to deal with these risks in line with the company’s risk appetite while pursuing enterprise value creation. In the process the board should help in defining the risk appetite of the organisation. The CEO proposes risk appetite levels, but the board approves the risk appetite level based on an evaluation of its alignment with business strategy and stakeholders’ expectations.

The other key principle is for the board and its standing committees to define its role with regard to risk oversight. The full board should have primary responsibility for risk oversight, with the board’s standing committees reviewing the risks inherent in their respective areas of oversight.
The various risks that the board will have to deal with fall into the following categories: governance risks, critical enterprise risks, board-approval risks, business management risks (that is, the normal, ongoing day-to-day risks) and lastly emerging and non-traditional risks (such as climate change and disruptive technological innovation).
The fourth principle is to ensure that directors are selected on the basis that they possess skills and experience that help in understanding business risk. Non-executive directors are generally chosen because they have a breadth of experience, and are of an appropriate calibre and have particular personal qualities and attributes that will help provide the board with useful insights in key related industries.

The board should therefore possess the expertise and experience needed to promote a broad perspective, open dialogue, and useful insights regarding risk. Thus the board, through the nominating and governance committee, should consider the board’s composition.
Periodically assessing each member’s expertise, experience, and perspective will enable the board to develop and implement a sound risk governance process.
The nomination committee should also assess whether, and to what extent, the establishment of committees of the board is necessary and appropriate. Director induction is also crucial in ensuring that new directors have the appropriate background and understand the business. On-going training and awareness is crucial to provide directors with both updates on technical developments as well as changes in industry and market perspectives.

The board should assign oversight of the company’s risk management function to an appropriate board committee, usually the audit and risk committee. The audit and risk committee’s charter should be clear on the scope of the committee’s responsibilities for risk management.
There should be effective communication and coordination of the board’s oversight activities to ensure that the audit and risk committee is informed of all significant actual or potential financial and non-financial risks that may have implications on the business. The audit and risk committee should have an adequate level of comfort regarding the company’s process for identifying, managing and reporting on risk.

The committee should also satisfy itself that it has appropriately addressed the following areas: financial reporting risks, internal financial controls, fraud risk as it relates to financial reporting, and IT risks as they relate to financial reporting.
It’s important for the board to assess whether the company’s risk management system, its people and processes, is appropriate and is well resourced. The board should ensure that risk management is part of strategy and performance management.

The risk processes in operation should look beyond mere risk identification to considering the adequacy of measuring, monitoring as well as mitigating risk through appropriate policies, processes, people, reporting, methodologies and systems and data.
The board should agree with management on the type and format of risk information that will be helpful in decision-making. It’s important for management to avoid providing excessive information which results in information overload. Reports from management to the board should provide a balanced assessment of the key risks facing the company and the effectiveness of the ensuing risk responses and interventions.

Any significant risk response failings or weaknesses should be disclosed in management’s reports to the board, including the impact that they may have had, or may have on the company, and the resultant corrective responses and interventions taken.
The board should disclose any current, imminent or envisaged risks that may threaten the long-term sustainability of the organisation. Risk reports to the board should contain meaningful information on the firm’s overall risks, risk concentrations, emerging risks, and any changes or trends in key risks.

Risk reports should also include relevant strategic information in order to facilitate the use of risk information in strategic decision-making. The board should engage in constructive risk dialogue with management, challenging assumptions which have an impact on risk.
One of the lessons from the financial crisis is the potential adverse impact of a company’s culture and incentive compensation structure on behaviours, decisions and attitudes toward taking and managing risk.
The significant lesson of the financial crisis is the danger that short-term compensation structures for executives pose to how executives take and manage risk, exposing the organization to significant risks. It is therefore very critical for the board to structure compensation schemes appropriately to avoid short-termism on the part of management.
It is very important that the board monitors the alignment of strategy, risk, controls, compliance, incentives and people. Properly aligning these elements will ensure that there is not likely to be a disconnect between a company’s strategy and its execution.

Lastly, the board should not only be interested in the normal risks but should also consider emerging and interrelated risks, those risks that are not on management’s radar. The board should task management to monitor the external environment for those issues that will impact on the organization’s business and are likely to be disruptive to the business, thereby changing a company’s risk profile.

Stewart Jakarasi is a business and financial strategist and a lecturer in business strategy, advanced performance management and entrepreneurship. For assistance in implementing some of the concepts discussed in these articles, please contact him by calling +266 58881062 or on WhatsApp at +266 62110062.
