Board risk assessment: Where’s the focus?
Authored by RSM US LLP
Risk. Such a broad topic, and one that can keep board members awake at night. After all, boards are ultimately responsible to investors and others for the all-encompassing task of risk oversight.
For decades, boards and specifically their audit committees have focused on risks, but primarily on financial reporting risks. Are the financial statements materially correct? Do we have controls in place to prevent fraud? The financial reporting process, however, is basically a summarization of the results of managing all of the risks that impact a company.
The risks that companies face today span a broad range, including financial risks, but also competitive, environmental, legal, operational, regulatory, strategic, technological, and employee-retention risks, among others. And risks are constantly changing due to internal and external circumstances. Effective risk oversight consists of regularly evaluating the risks and the adequacy and timeliness of risk management systems. With such an extensive and shifting assortment of risks, and the importance of risk management, how should the board focus its risk-oversight role?
Oversight is not supervision of day-to-day activities. Management must implement appropriate systems that effectively manage risks. However, board oversight does involve a certain level of commitment in order to set the appropriate “tone at the top,” and to thoroughly evaluate the nature and extent of risks confronting the company, the company’s risk “appetite,” its ability to reduce risk and the relative cost of risk mitigation. This sounds complicated and perhaps overwhelming. It may help to focus the board’s responsibilities through the lens of understanding.
First, it is important to understand the scope of potential risks. Board members can’t effectively oversee what they don’t understand. To fulfill the board’s risk oversight responsibilities, its members must first understand the company’s business, its industry and the external factors that affect it, such as legislation, the changing regulatory environment, cybersecurity, operational risks, the economy, legal actions, etc.
It is impractical to expect any one board member to have this breadth of understanding. Fortunately, the board can draw upon its collective strength and diversity. Directors with different strengths, competencies (e.g., law, accounting, economics, human resources, IT), industry experiences and risk appetite will naturally gravitate to deepening their understanding of company-specific matters in their areas of expertise.
To fully understand a company’s particular enterprise and operating risks, regular updates from management are critical. Effective risk management involves a dynamic and iterative process for identifying and assessing risks, and thus the board should periodically require management to review and report on significant company risks or exposures and actions needed to minimize such risks or exposures.
It also will be important for the board to understand the company’s processes and systems for the timely identification and mitigation of external and internal risks. In addition to understanding risks, the board should consider holding annual discussions with senior management and (or) internal audit regarding these processes and systems, asking questions such as:
- What is management’s process for identifying new or emerging risks not previously considered?
- When a major new risk is identified, what is management’s process for reporting the pertinent information to the board on a timely basis?
- What is the process for capturing and evaluating the input of “middle management” with regard to new or emerging risks as well as existing risks?
- How effective are the processes for identifying, evaluating and mitigating risks? How often is management reviewing and updating those processes? Is the company learning from past mistakes and best practices of industry peers?
- Have other risk-management strategies, such as transferring risk to third parties, sharing risk or making contingency plans, been considered?
After obtaining an understanding of the pertinent risks and the systems used to address these risks, perhaps consider applying another lens, that of “skepticism.” A questioning mindset promotes risk awareness and is fundamental to solid risk management. Too often, risk management becomes complacent. If there is anything the past year has reinforced, it is that the status quo may be fleeting and effective risk management must be prepared for the unknown.
Article originally appeared in NACD's Directorship magazine September/October 2021 issue. Phyllis Deiso is a partner and the National SEC Practice Leader for RSM US LLP.
This article was written by Phyllis Deiso and originally appeared on 2021-10-21.
© 2021 RSM US LLP. All rights reserved.
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.