Questions Every Board Should Ask About Risk Management

Board oversight is key to ensuring that management is accountable for risks facing the organization and is designing a strategy that aligns the appropriate degrees of acceptable risk with organizational goals and objectives. Risk conversations, as a dedicated part of every board meeting agenda, should consider the following questions:

Risk Environment

Is there a common risk language spoken and understood throughout the organization and is the organization’s risk appetite reflective of the expectations of shareholders, regulators and other stakeholders?
Are risk governance and management responsibilities clearly defined at all levels?
Is there a process in place for identifying, collecting information about, and providing timely alerts for emerging or changing risks?
How well is leadership managing risks to growth, margin, assets, and purpose? How do you know?
Are risk communications, training, and reporting insightful and engaging enough to be valued by leadership, management, and employees?


Risk Assessment

Has a risk assessment framework been customized to consider risk characteristics that are most critical across the organization?
Are risk identification and assessment linked to the business strategy?
Do existing controls and processes adequately mitigate identified risks?
Has risk oversight responsibility been appropriately allocated within the board and its committees?
Do our directors have the right level of expertise to oversee risks to the organization?
Is capital allocation aligned with and appropriate to assessed risk significance and magnitude?


Risk Monitoring

Are all identified risk metrics properly aligned with strategy objectives to serve as indicators of potential problems?
Is accountability for risk reflected in executive and key management performance evaluations?
Is risk management embedded in planning, communications, and training activities across all functions to ensure that we receive adequate and timely risk information?
Are the dialogue and reporting of risk throughout all levels, including the boardroom, open and ongoing?
Are our risk disclosures transparent and relevant to stakeholders?
How do we as directors get comfortable that management is operating within risk, compliance, and ethics standards agreed to with the Board?
If the organization had a catastrophic failure, what assessments, testing, or validation could the Board rely on to demonstrate its oversight?