10 Principles for Effective Board Risk Oversight

by Jim DeLoach
June 5, 2017
in Featured, Risk

Evergreen Guidance from the NACD

The National Association of Corporate Directors published an authoritative guide in 2009 on risk governance, and the principles outlined therein are as relevant today as ever. Jim DeLoach provides an analysis of each of the 10 principles, demystifying the process of evaluating board risk oversight.

While risk oversight has always been an important part of the board’s agenda, the disruptive financial crisis of 2007-2008 taught everyone a lesson about just how important it is. In the aftermath of the global financial meltdown and credit crunch, risk oversight became an imperative for boards of public companies, particularly in the United States. Boards of listed companies on U.S. stock exchanges across all industries took a hard look at their membership, how they operated and whether their operations and the information to which they have access are conducive to effective risk oversight.

In addition, since the financial crisis, regulators have taken an active interest in board risk oversight. For example, the Securities and Exchange Commission in the United States requires that proxy disclosures shine the spotlight on the board’s role in overseeing the company’s risk management process, directors’ qualifications for understanding the entity’s risks and evaluation of the entity’s various compensation arrangements by the board’s compensation committee to ensure they are not encouraging the undertaking of excessive, unacceptable risks.

As a result, the risk oversight playbook has evolved over recent years, during which time many boards formulated their respective approaches to risk oversight and organized themselves accordingly. To that end, in 2009, the National Association of Corporate Directors (NACD) published its Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward.[1] This report recommends 10 principles to assist boards in strengthening their oversight of the company’s risk management.

According to the report, “The Commission believes that [the 10] principles provide a foundation that boards can use to build a more comprehensive risk oversight system tailored to the specific needs of their respective companies.” We agree. Offered as guidance to directors, they provide a context for understanding the risk oversight process, as well as offer an outstanding framework for a board to use when evaluating its current risk oversight process.

Because these principles stand as relevant today as they did eight years ago, we review them below:

  1. Understand the company’s key drivers of success; and
  2. Assess the risks in the company’s strategy.

These two interrelated principles are especially important, because they focus on understanding what makes the business model work and the risks inherent in the corporate strategy. This understanding provides the foundation for identifying the risks that truly matter – the critical enterprise risks that threaten the execution of the company’s strategy and business model – versus the ongoing risks of managing the business. It is vital that directors understand the risks inherent in the business model, including the key assumptions underlying the continued viability of the business model, and agree with executive management on the company’s risk appetite in the pursuit of enterprise value creation.

  3. Define the role of the full board and its standing committees with regard to risk oversight.

This principle is important, as directors collaborate in clarifying risk oversight responsibilities for the full board and the various standing committees. The NACD Blue Ribbon Commission (BRC) asserts, “… as a general rule, the full board should have primary responsibility for risk oversight, with the board’s standing committees supporting the risks inherent in their respective areas of oversight.” Our experience is that the vast majority of directors agree with this general rule, recognizing there are always outliers due to unique circumstances. To that end, the NACD BRC discusses five categories of risks facing each board – governance risks, critical enterprise risks (as discussed above), board-approval risks, business management risks (i.e., the normal, ongoing day-to-day risks) and emerging and nontraditional risks (e.g., climate change, slowdown in foreign markets, disruptive technological innovation) – and delineates between management’s and the board’s responsibilities.

  4. Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources.

This principle is important, because, too often, risk is an afterthought to strategy and risk management is an appendage to performance management (i.e., risk management is often what the NACD BRC describes as a “side activity”). This principle addresses such issues as positioning of the chief risk officer – or an equivalent executive – for success and looking beyond mere risk identification to consider the adequacy of other dimensions of managing risk (e.g., sourcing, measuring and monitoring risk, as well as mitigating risk through appropriate elements of infrastructure, including policies, processes, people, reporting, methodologies and systems and data).

  5. Work with management to understand and agree on the types (and format) of risk information the board requires.

This principle remains a common issue for many boards. We often hear directors complaining of being overwhelmed with reports while being underwhelmed with insightful information for decision-making. This issue leads to a cry for less and a sharper focus on actionable information (e.g., “tell me what I need to know and recommend what I need to do”). Whether or not there is reliance on quantitative models, reporting should provide different perspectives on a given risk as well as more leading, forward-looking risk indicators.

  6. Encourage dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions.

This principle addresses the need for constructive engagement between boards and management on risk matters. The principle’s reference to challenging assumptions is especially important in light of the financial crisis, after which many questioned whether boards really understood the key variables driving an institution’s success – including the extent of risk-taking – and exposing the institution to failure, and also understood the sensitivity of those variables to changes in markets. When an organization is making a lot of money, directors need to understand why and the risks undertaken rather than applaud as management does a victory dance.

  7. Closely monitor the potential risks to the company’s culture and its incentives structure.

As with the sixth principle, this principle points to another lesson of the financial crisis – the importance of the potential impact of a company’s culture and incentive compensation structure on behaviors, decisions and attitudes toward taking and managing risk. Culture and incentives form the glue that binds all elements of risk management infrastructure together, because they reflect the shared values, goals, practices and reinforcement mechanisms that embed risk into an organization’s decision-making processes and risk management into its operating processes. In effect, they represent a look into the soul of an organization to ascertain whether risk/reward tradeoffs really matter. One of the significant lessons of the financial crisis is the danger of “heads I win, tails you lose” compensation structures for executives whose actions or inaction could expose the organization to significant risks. Such arrangements can poison an organization’s culture.

  8. Monitor critical alignment – of strategy, risk, controls, compliance, incentives and people.

This principle speaks to the importance of aligning critical elements of infrastructure to bring everyone and everything – people, processes and the organization as a whole – on the same page, for without alignment there is likely to be a disconnect between a company’s strategy and its execution. Disconnects can be costly. That all said, alignment is hard for management to achieve. It is even harder for directors to oversee.

  9. Consider emerging and interrelated risks: What’s around the next corner?

Emerging risks are anticipatory in nature and deal with issues that are not on management’s radar. The worst kind of uncertainty is being unaware of what we don’t know; while management has knowledge from internal and external sources, do they really know what they don’t know? The fundamental question raised by this principle is whether management looks out far enough, monitors what matters in the external environment and devotes sufficient time to “connect the dots.” Sooner or later, something fundamental in the organization’s business will change, and whenever disruptive change occurs, a company’s risk profile is likely to be altered in significant ways. Therefore, thinking about the unthinkable and preparing for response readiness are key to a world-class reaction.

  10. Periodically assess the board’s risk oversight processes: Do they enable the board to achieve its risk oversight objectives?

The last principle advocates applying the best practice of periodic board self-evaluations to the risk oversight process. The assessment of the risk oversight process can be integrated into the periodic assessment of board effectiveness.

In closing, directors can use these 10 timeless principles to assess their board’s risk oversight process and ascertain whether it needs refreshing or redirection. The NACD’s Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward is also worth a close look, as it includes other insights on risk governance and oversight that directors and executives may find useful.

Questions for Boards and Executives Supporting the Board

The following are some suggested questions that boards of directors and executive management may consider, based on the risks inherent in the entity’s operations:

  • Has the board articulated its risk oversight objectives? Are those objectives incorporated into the board’s charter?
  • Has the board evaluated the effectiveness of its risk oversight processes in achieving its risk oversight objectives? If so, have the board and executive management considered the NACD BRC’s 10 principles in evaluating the board’s risk oversight processes?
  • Are the board and management proactively taking steps to address any gaps that impede the board’s risk oversight effectiveness?

[1] Available at www.nacdonline.org/Store/ProductDetail.cfm?ItemNumber=675.

Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.