Board Membership 101: Risk Management

Decades ago, the notion of “risk management” boiled down to the simple act of buying insurance. These days, however, board members are expected to be much more involved in overseeing and evaluating their company’s level of risk.
According to PwC, risk management includes “the identification, assessment, and prioritization of risks and the application of resources to minimize, control, and mitigate the impact of unfortunate events on a business.

It is the job of a board to oversee that their management teams have adequate risk management policies and procedures in place.”

Overseeing risk isn’t a job that falls solely on outside directors, though. According to the Harvard Law School Forum, internal executives are expected to handle the day-to-day risks of their business operations, but directors should, “through their risk oversight role, satisfy themselves that the risk management policies and procedures designed and implemented by the company’s senior executives and risk managers are consistent with the company’s strategy and risk appetite.”

In other words, it’s the job of the board to ensure that the CEO and senior executives are completely engaged in systematic risk management behaviors.

In the wake of so many high-profile cases related to cyber security and IT failures, boards are under more pressure than ever to take action to combat risk. Here are some ways board members can become better risk managers:

Set the tone

Board members should set the tone for company leadership by putting risk management near the forefront of their governance priorities. The CEO should be made aware that the board expects that sensible risk mitigation be integrated in all business decision-making. Great boards “establish a clear framework for holding the CEO accountable for building and maintaining an effective risk appetite framework and providing the board with regular, periodic reports on the company’s residual risk status.”

Don’t be risk-avoidant

Being good at risk management doesn’t mean avoiding risk altogether. As PwC writes, “A major part of any risk oversight plan is determining a company’s risk appetite: the amount of risk an organization is willing to accept in pursuit of strategic objectives. When done right, it is a robust process that can help management and the board understand exposures and make appropriate risk-based strategic decisions.”

For example, Fortune 500 companies haven’t reached that coveted status by running away from risk; the most successful organizations know how to make risk-taking work in their favor.

Take a “stress test”

No, we’re not talking about physical fitness tests for board members; we’re referring to a hypothetical risk stress test for the company they serve. For this exercise, board members (and outside experts if deemed necessary) analyze how their organization would be affected by an assortment of small to large catastrophic events—be it a shift in regulations or a major natural disaster.

This practice gives board members some training in what it would be like to respond quickly to an unforeseen challenge. More importantly, though, it gives them a way to identify the holes in their current risk management policies.
