Risk is a critical consideration for all companies, particularly in difficult financial times. As the industry moves into an even more risk-conscious era, risk oversight is a top-of-mind issue. Companies have struggled in their efforts to navigate the most recent financial crisis, and many are looking to their boards of directors for ways to avoid having to contend with another crisis.

A global business consulting and internal audit firm called Protiviti, which is made up of experts specializing in risk, advisory, and transaction services, has published a list of ten things that can contribute to the failure of a board’s risk oversight process. The ten considerations are:

(1) Lack of a robust process for prioritizing, managing and monitoring critical risks. According to Protiviti, directors are asking many questions of managers that often fall into three categories: What are our inherent risks, and what risks are we planning to accept? Do we have the capability to manage these risks? To both of these questions: How do we know?

(2) Lack of understanding of, or a failure to monitor, the significant assumptions underlying the strategy. Boards should understand the critical factors that make or break the successful execution of the strategy and ensure a process is in place to monitor changes in the business or regulatory environment that could impact those factors.

(3) Executive management and the board are not on the same page with respect to risk appetite. There has to be a common understanding regarding how much risk is acceptable as well as the risks the company should avoid.

(4) Failure to identify and manage emerging risks. The board must satisfy itself that management brings to bear the appropriate expertise, processes, and information to identify and manage new risks and the impact they might have on the execution of the strategy and business model.

(5) Insufficient time to think about the future. Does the organization have a process to consider the “unthinkable” (extreme scenarios)? Has management considered how to respond to these scenarios?

(6) The company practices “enterprise list management,” generating lists of risks over time with no follow-up to understand and close gaps in risk management.

(7) Drowning in data with little knowledge or insight. In some companies, fragmented technology systems frustrate efforts to keep management and the board informed on important issues.

(8) Deficiencies in the enterprise’s “tone at the top” and culture. A short-term focus on making the numbers can result in disastrous consequences when warning signs are ignored. The question for the board is: “Will the CEO and executive management team heed the warning signs at the crucial moment?”

(9) Lack of an effective chief risk officer. Often, despite the need for a senior risk executive, there is no one in this role.

(10) The board isn’t organized effectively for risk oversight. Protiviti provides some questions for boards to consider in the context of risks inherent to operations: “Has the board articulated its risk oversight objectives and evaluated the effectiveness of its risk oversight processes in achieving these objectives?” “Is the board proactively taking steps to address any gaps that may impede its risk oversight effectiveness?”

Protiviti asserts that boards and executive management groups need help assessing and managing risks.