by Jim DeLoach

Risk oversight is a high priority for boards of directors. Many boards are taking a hard look at their membership, how they operate, the committee(s) to which risk oversight responsibilities have been delegated, and whether their operations and the information to which they have access are conducive to effective risk oversight.

Key Considerations

“Risk oversight” describes the board’s role in the risk management process. The risk oversight process determines that the company has in place a robust process for identifying, prioritizing, sourcing, managing and monitoring its critical risks and that that process is improved continuously as the business environment changes. Through the risk oversight process, the board (1) obtains an understanding of the risks inherent in the corporate strategy and the risk appetite of management in executing that strategy, (2) accesses useful information from internal and external sources about the critical assumptions underlying the strategy, (3) is alert for organizational dysfunctional behavior that can lead to excessive risk taking, and (4) provides input to executive management regarding critical risk issues on a timely basis. In summary, risk oversight is the process by which the board and management develop a mutual understanding regarding the obstacles the company faces as it executes its business model.

Questions for Boards

Following are some suggested questions that boards of directors may consider, as appropriate to the entity’s objectives, as they seek to clarify their risk oversight responsibilities:

· Is there a robust process in place for identifying, prioritizing, sourcing, managing and monitoring the enterprise’s critical risks in a changing operating environment?

· Do we understand the risks inherent in the corporate strategy? Is there a sufficient understanding of the significant assumptions underlying the strategy and is a process in place to monitor for changes in the environment that could alter those assumptions?

· Are we and executive management on the same page with respect to how much risk the entity is willing to accept and the risks the entity should avoid (i.e., the entity’s risk appetite)? Is there sufficient dialogue enabling appropriate and timely board input to executive management on the risks undertaken?

· Are policies in place for managing significant financial and commodity risks on an enterprisewide basis? Has management quantified the loss exposures involving these risks and prepared response plans to address multiple future scenarios?

· If new and complex risks emerge, are the appropriate expertise, processes and information brought to bear to ensure that there is an understanding of the emerging risks and their implications to the enterprise’s strategy and business model?

· Is the board receiving the information it needs to foster effective risk oversight? Is there sufficient agenda time for discussing the enterprise’s risks with the appropriate individuals? In what areas does the organization need to improve its capabilities and information for managing risk?

· Does the organization have a process for thinking about the “unthinkable”, i.e., the plausible scenarios that could occur over the time horizon covered by the corporate strategy and business plan? Has management considered how the entity would respond should any of these scenarios occur? Has considering these scenarios created awareness of the forces affecting the organization in the present that can make it captive to events in the future?

· Are the enterprise’s “tone at the top” and culture conducive to effective risk management? For example, does the compensation structure reward short-term risk-taking without taking into account the potential longer-term effects on the company? If there is a chief risk officer, does that individual have the right skills and is he or she positioned to be successful? Does he or she provide the board with timely information about the company’s risks? Does the board avail itself to the appropriate officers of the company and the requisite expertise needed to oversee the key risks the enterprise faces? Is it clear that executive management will pay attention to the warning signs posted by the risk management function at the crucial moment?

As the board organizes for, and allocates time and resources to, risk oversight, it should consider the above questions.

Jim DeLoach is Protiviti’s Managing Director responsible for the firm’s Governance Services and Enterprise-wide Risk Management. He is chair of Protiviti’s Sarbanes-Oxley Act PMO, co-author of Managing business risk: An integrated approach and of numerous articles on business risk assessment and management. His book, Enterprise-wide Risk Management: Strategies for linking risk and opportunity, was the first written on the subject of enterprise risk management. Jim served on the COSO Advisory Board on the Enterprise Risk Management – Integrated Framework, and has delivered numerous presentations on risk management to companies and groups in 26 countries. Additional information about his, and Protiviti’s, views on risk management and board risk oversight responsibilities are available at Jim can be reached at