Sharpening the Board’s Focus on Risk Oversight

  • Carissa Duenas
  • Published: May 19, 2022
Sharpening the Board’s Focus on Risk Oversight

Companies have to learn how to operate with some level of managed risk. An appetite for risk is often needed to capitalise on new opportunities and address complex issues (such as operational and growth requirements).

But what is the board’s role in risk oversight? What exactly are the types of risks that fall under their purview — and how should the board prioritise these?

5 Types of Risks Boards Should Be Concerned About

There a myriad of risks that boards should be made aware of. The National Association of Corporate Directors (NACD) has identified and organised these under 5 broad categories. They are:

1. Governance Risks

Governance risks pertain to directors’ decisions on board leadership, composition and structure. It also tackles board membership and CEO selection, CEO compensation  and succession, alongside other board governance matters that are crucial to the success of the company.

2. Critical Enterprise Risks

These are usually the top 5-10 risks that can impact the company’s overall strategy and business model. It requires the attention and engagement of the entire board. Some examples of these risks would be: supply chain risk, credit risk, technological obsolescence, etc.. By and large, enterprise risk deals with the effect of changes on the core assumptions that underpin company strategy.

3. Board-Approval Risks

Board-approval risks revolve around the decisions boards make when it comes to approving or providing their consent for the “implementation of policies, major strategic initiatives, acquisitions or divestitures, major investments, entry into new markets, etc.” Boards often require that management satisfactorily answer questions relating to the associated risks and rewards of the matter(s) at hand.

4. Business Management Risks

These are the risks associated with day-to-day operations, including financial, reputational and operational risks. 

For example, financial risks would include “excessive leveraging of the balance sheet.” Operational risks are tied up to internal processes, IT, intellectual property, customer service, manufacturing, cybersecurity, etc.. Reputational risks are those that arise from data breaches, health and safety issues, legal proceedings. They can affect the image of the company.

It’s important to remember that it is management’s responsibility to address these risks. But if any of these impact or threaten the strategy and business model of the company, they become critical-enterprise risks. Those risks will require the attention of the full board.

5. Emerging Risks

These are “external risks” that fall outside of the first four categories. They cover “PESTLE,” i.e., political, economic, social, technological, legal and environmental factors.

Examples of these would be the effects of climate change, demographic shifts, legislation, and natural catastrophes on the business.

Key Board Considerations for Risk Oversight

The five risk categories provide context to the scope and focus of the board when it comes to risk governance. But it is just as important to state what boards should consider when it comes to the oversight process. This paper lists some of them:

1. Risk oversight is critical to strategic considerations

Boards must place the same amount of time and focus on risk oversight as it does with strategy. Developing and executing strategies without managing inherent risk considerations is short-sighted and can lead to disastrous outcomes. In short, risk and strategic oversight go hand-in-hand. 

2. Risk oversight can be delegated to standing committee(s)

There is a distinction that needs to be made between risk oversight and risk management. Risk management, as the term suggests, falls under management. Risk oversight belongs to the board.

Boards can monitor and manage risks by delegating oversight duties to committees. This can be done in a variety of ways:

  1. Have a separate risk committee

Complex organisations and businesses can benefit from a dedicated risk committee. A separate risk committee should be able to provide the board with a comprehensive and more complete understanding of the risks assumed by the company.

  1. Widen the scope of responsibilities of the audit committee

This is the most common approach. Three caveats, though: 

  • Boards must remain cognisant that the audit committee bears responsibility for focusing on financial reporting risk. That stands to be their primary role.
  • Expanding the scope of the audit committee can present its own set of challenges, especially if the organisation has intricate and complex financial reporting requirements. Consider this question: do the members of the audit committee have the bandwidth to study the policies and processes for managing other business and operational risks?
  1. Spread out risk oversight across various committees

This seemingly offers the best chance at “covering most, if not all, bases.” However, boards need to be aware that this might lack a big-picture/cohesive perspective since it tackles risk via a siloed approach. If the oversight process is not handled carefully, risks can be overlooked or simply fall through the cracks. 

3. There is a need for qualified directors

Directors must have the necessary qualifications to assess, evaluate and strategically monitor the risk profile of the organisation, regardless of how and where risk oversight is delegated. This requires a reasonable level of expertise and industry knowledge to understand and evaluate the company’s critical risks.

4. Free-flowing access to information

Boards need to have access to information from internal and external resources to be effective in their risk oversight duties. Risk reporting from management is especially crucial. This should be presented in clear language. In some instances, a risk assessment matrix might be helpful. Boards can understand what’s at stake, the possible impacts, and the likelihood of actions occurring.  

5. Communicate the organisation’s risk story

Boards can help stakeholders understand the organisation’s risk story by using disclosures to convey the risks the organisation faces and how risk governance is being implemented and executed. The same disclosures can discuss the processes and explain the roles of the board and committees in overseeing risk. It can also be supplemented by quantitative or qualitative analyses.

Disclosures can help instill confidence in the risk governance processes and management capabilities of the board.

Conclusion

To reiterate, no organisation can operate without assuming some risk. This is not, in itself, a bad thing. However, risks should be continuously monitored and reviewed by the board.  

From an outsider’s lens, risk-taking might be perceived to simply be a “gamble.” But companies stand to gain from it if it is balanced by enough foresight and prudence. That being said, the board should identify, set, and adhere to its own risk tolerance levels, and strategic actions and considerations must be carefully weighed against these. To remove one or the other from the oversight equation can be detrimental to the organisation.


How are you securing your board’s assets and managing the business risks present in that responsibility? Schedule a demo to see how Boardlogic can help.