Questions Every Board Should Ask About Risk Management

Board oversight is key to ensuring that management is accountable for risks facing the organization and is designing a strategy that aligns the appropriate degrees of acceptable risk with organizational goals and objectives. Risk conversations, as a dedicated part of every board meeting agenda, should consider the following questions:

Risk Environment

  • Is there a common risk language spoken and understood throughout the organization and is the organization’s risk appetite reflective of the expectations of shareholders, regulators and other stakeholders?
  • Are risk governance and management responsibilities clearly defined at all levels?
  • Is there a process in place for identifying, collecting information about, and providing timely alerts for emerging or changing risks?
  • How well is leadership managing risks to growth, margin, assets, and purpose? How do you know
  • Are risk communications, training, and reporting insightful and engaging enough to be valued by leadership, management, and employees?

Risk Assesment

  • Has a risk assessment framework been customized to consider risk characteristics that are most critical across the organization?
  • Are risk identification and assessment linked to the business strategy?
  • Do existing controls and processes adequately mitigate identified risks?
  • Has risk oversight responsibility been appropriately allocated within the board and its committees?
  • Do our directors have the right level of expertise to oversee risks to the organization?
  • Is capital allocation aligned with and appropriate to assessed risk significance and magnitude?

Risk Monitoring

  • Are all identified risk metrics properly aligned with strategy objectives to serve as indicators of potential problems?
  • Is accountability for risk reflective in executive and key management performance evaluations?
  • Is risk management embedded in planning, communications, and training activities across all functions to ensure that we receive adequate and timely risk information?
  • Is the dialogue and reporting of risk throughout all levels, including the boardroom, open and ongoing?
  • Are our risk disclosures transparent and relevant to stakeholders?
  • How do we as directors get comfortable that management is operating within risk, compliance, and ethics standards agreed to with the Board?
  • If the organization had a catastrophic failure, what assessments, testing, or validation could the Board rely on to demonstrate its oversight?