5 Risk Categories for Focusing the Board’s Risk Oversight

by Jim DeLoach
March 27, 2014
in Risk
Many companies have adopted a risk language to facilitate dialogue within the organization regarding their risks. While we are not aware of an authoritative risk language or model, there are a number of risk models in the public domain that can be useful to ensure the completeness of the event categorization and risk assessment processes.

The central purpose of a common language is to avoid the problem of beginning a risk assessment with a blank sheet of paper with all of the start-up activity that entails. Simply stated, a common language enables busy people with diverse backgrounds and experience to communicate more effectively with each other and identify relevant issues more quickly regarding the sources of uncertainty in a business.

As the Board of Directors engages executive management in conjunction with exercising its risk oversight responsibilities, the question arises as to whether there is a simple “risk language” the Board should adopt to focus its dialogue properly and ensure the bases are covered. While each Board must decide for itself whether or not a risk language is useful given the nature of the enterprise’s operations, we explore five broad risk categories directors may want to consider as a way of focusing their dialogue with executive management.

We like the five broad risk categories recommended by the National Association of Corporate Directors (NACD). They are: governance risks, critical enterprise risks, Board-approval risks, business management risks and emerging risks. These categories are sufficiently broad to apply to every company, regardless of its industry, organizational strategy and unique risks. More importantly, they provide a context for Boards and management to understand the scope of the Board’s risk oversight, as well as the delineation of the Board’s oversight responsibilities and management’s responsibilities for identifying, evaluating, managing and monitoring risk.[1]

Each of these categories of risk is discussed below.

Governance Risks

These risks relate to directors’ decisions regarding Board leadership, composition and structure; director and CEO selection; CEO compensation and succession and other important governance matters critical to the enterprise’s success. Often, these decisions require directors to weigh the pros and cons associated with alternative courses of action. While Boards can periodically benchmark their processes for evaluating these matters by considering best practices employed by other Boards weighing similar decisions, they often must rely on their collective business judgment, knowledge of the business and information provided by third-party advisers, including search firms, compensation consultants and legal counsel.

Key point: These matters are exclusively within the Board’s domain.

Critical Enterprise Risks

These risks are the ones that really matter, the top five to 10 risks that can threaten the viability of the company’s strategy and business model. Certain risks require directors to have the necessary information that will prepare them for substantive discussions with management about how these risks are managed. The criticality of these risks – such as credit risk in a financial institution or supply chain risk in a manufacturer – may require full Board engagement as well as an ongoing oversight process.

While management is responsible for addressing these risks, the Board should consider its own information requirements for understanding management’s effectiveness in addressing them. For example, the Board might require management to report on the impact and likelihood of the risk on key strategic goals as compared to other enterprise risks, as well as the status of risk mitigation efforts with input from the executives responsible for managing specific risks. Other examples of relevant information useful to the Board might include the effects of technological obsolescence, changes in the overall assessment of risk over time, the effect of changes in the environment on the core assumptions underlying the company’s strategy and interrelationships with other enterprise risks.

Key point: These risks should command a prominent place on the Board’s risk oversight agenda. The Board should satisfy itself that management has in place an effective process for identifying the organization’s critical enterprise risks so that the Board’s risk oversight is properly focused.

Board-Approval Risks

These risks relate to decisions the Board must make with respect to approving important policies, major strategic initiatives, acquisitions or divestitures, major investments, entry into new markets, etc. Through careful consideration and timely due diligence, directors must satisfy themselves that management’s recommendations regarding these matters are appropriate to the enterprise before approving them. Therefore, such matters may prompt the Board to ask questions regarding the associated rewards and risks and even request further analysis before approving management’s recommended actions.

Key point: The matters requiring Board approval are often specified in the corporate bylaws and various charters of the Board and its respective committees. That said, changes in the business may necessitate that the Board and executive management remain on the same page as to what requires Board approval. It is important that the Board approve major strategic and policy issues on a before-the-fact basis.

Business Management Risks

These are the risks associated with normal, ongoing day-to-day business operations. Every business has myriad operational, financial and compliance risks embedded within its day-to-day operations. Because the Board simply does not have sufficient time to consider every risk individually, it should identify specific categories of business risks that pose threats warranting attention and determine whether to oversee each category at the Board level or delegate oversight responsibility to an appropriate committee.

For example, the audit committee traditionally oversees financial reporting risks. Other business risks might include: operational risks associated with internal processes, IT, intellectual property, customer service, obsolescence, manufacturing and the environment; financial risks such as excessive leveraging of the balance sheet; compliance risks such as non-compliance with a new complex law; and reputational risks such as those that threaten the company’s brand image. With respect to all of these risks, it is management’s responsibility to address them. If any of them are critical enterprise risks, they warrant the Board’s full attention (as noted earlier).

Key point: The Board’s committees may oversee many of these risks in accordance with their chartered activities. Typically, periodic reporting coupled with escalation of unusual developments requiring Board attention will suffice.

Emerging Risks

These are the external risks outside the scope of the first four categories. While management is responsible for addressing these risks, directors may need to understand them. The effects on the business of demographic shifts, climate change, catastrophic events and new cybersecurity threats are examples.

Key point: The Board needs to satisfy itself that management has processes in place to identify and communicate emerging risks on a timely basis. Such processes enable management and the Board to be proactive.

The above risk categories provide a useful context for Boards and executive management to ensure the scope of the risk oversight process is sufficiently comprehensive and focused.


[1] Source: Report of the NACD Blue Ribbon Commission – Risk Governance: Balancing Risk and Reward, National Association of Corporate Directors, October 2009, Appendix A, pages 22-23.


Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.