Four main responsibilities of the board of directors regarding risk management.

Risk oversight is a primary board responsibility, and in the evolving business and risk landscape directors need to develop and continuously improve practices to establish a well-defined and effective oversight function, according to Deloitte’s 2018 Audit Committee Resource Guide.

Boards play a critical role in influencing management’s processes for monitoring risks, and as such they should clearly define which risks the full board should discuss regularly, versus risks that can generally be delegated to a board committee. While many boards have a defined risk governance structure, it is important to continually assess the structure as companies face new risks.

A leading practice is for management to maintain a list of all enterprise-wide risks, which are then mapped to specific board committees for oversight. For example, human resource and compensation risks may be delegated to the compensation committee for oversight, and the audit committee should have a key role in overseeing financial risks. In many instances, the full board takes direct responsibility for and regularly discusses the company’s most strategic risks, which include risks that could disrupt and materially impact the company’s business strategy. Committee charters should be updated to align with the defined risk governance structure.

Since many companies outside the financial services industry do not have a separate board risk committee, risks not assigned to a specific committee are often delegated to the audit committee. While it may be appropriate for the audit committee to take responsibility for reviewing management’s policies to manage risk, boards should take care not to overburden the audit committee with risk oversight responsibilities.

In addition, the SEC considers risk oversight a primary responsibility of the board and requires disclosure of its role in this area. Disclosures include whether the entire board is involved in risk oversight; whether certain aspects are executed by individual board committees; and whether the employees responsible for risk management report directly to the board. Such disclosures inform shareholders’ understanding of the board’s process for overseeing risk.

Overseeing Cyber Risk

It is often challenging for even the most tech-savvy business leaders to keep up with the scope and pace of developments related to big data, social media, cloud computing, IT implementations, cyber risk, and other technology matters. These developments carry a complex set of risks, and the most serious among them can compromise sensitive information and significantly disrupt business processes. The pervasiveness of cyber risk significantly increases concerns about financial information; internal controls; and a wide variety of risks, including the reputational risks that can result from a cyber incident.

Oversight of a successful cyber risk management program requires proactive engagement and is often the responsibility of the full board. In some organizations, a level of oversight may be delegated to a risk committee or the audit committee.

In companies where the audit committee holds some responsibility for cyber risk management, the committee should first obtain a clear understanding of the areas it is expected to oversee. In those organizations, the audit committee — in its capacity of overseeing financial risks and monitoring management’s policies and procedures — may have expertise and be asked to play a significant strategic role in monitoring management’s response to cyber threats, coordinating cyber risk management initiatives, and confirming their efficacy. Those audit committees may take the lead in monitoring cyber threat trends, regulatory developments, and major threats to the company. Other responsibilities may include setting expectations for management and assessing the adequacy of resources, funding, and focus on cyber risk management activities.

For those audit committees charged with this oversight, engaging in regular dialogue with the CIO, CISO, and other technology-focused leaders can help the committee determine where attention should be focused. Although cyber risk is frequently on the full board’s agenda, audit committees are increasingly receiving regular updates from relevant technology leaders, with a technology-risk-related topic on almost every meeting agenda.

The audit committee chairman can be a particularly effective liaison with other groups in enforcing and communicating expectations regarding cyber and financial risk mitigation.

Risk Oversight Questions to Consider

When the board or audit committee is considering the effectiveness of the company’s enterprise risk management — the process of planning activities to minimize the effect of downside risk on the organization — it may consider the following questions:

  • Which board committees are responsible for various aspects of risk governance? Has the risk governance structure been defined?
  • How do the various board committees oversee risk? Is there appropriate coordination and communication between all relevant stakeholders?
  • Does the board consider the relationship between strategy and risk? What are the potential internal and external risks to the success of the strategy?
  • Does management provide the board with the information needed to oversee the risk management process effectively?
  • What are the company’s policies and processes for monitoring the major financial risk exposures on an enterprise-wide basis?
  • Has management assigned owners for each risk that has been identified?
  • How might the company’s compensation programs encourage inappropriate focus on short-term financial performance? Are the audit committee and compensation committee aligned on such risks?
  • What mechanisms does management use to monitor emerging financial risks? What are the early warning mechanisms, and how effective are they? How, and how often, are they calibrated?
  • Which framework has management selected for the financial risk management program? What criteria were used to select it?
  • What is the role of technology in the risk management program? How was it chosen, and when was it last evaluated?
  • Is cyber risk receiving adequate time and focus on the audit committee agenda?

Leading Risk Oversight Practices and Trends

Audit committees have full agendas and require careful planning to focus on critical priorities. Some audit committees implement practices to help them stay on track and execute their oversight responsibilities more effectively by, for example:

  • Focusing on financial risk oversight and assessment and understanding financial risk management policies and processes
  • Periodically reassessing the list of top risks, including which member of management and which board committee (or the full board) is responsible for each
  • Evaluating IT projects and related risks, particularly those with financial statement impact
  • Considering post-acquisition reviews to evaluate the reliability of initial acquisition assumptions and make adjustments to future acquisitions, as a way to offset merger risks
  • Having appropriate business leaders periodically provide overviews of their businesses, focusing on financial risks and other factors that may influence the financial statements
  • Periodically visiting company locations and meeting with local management
  • Communicating the company’s financial risk story to stakeholders
  • Understanding the regulatory issues raised in SEC comment letters received by the company, as well as management’s response
  • Understanding the company’s strategy for managing tax risk, tax controversy, and volatility in the effective tax rate
  • Considering potential reputational risks associated with tax positions

The list is not all-inclusive, and certain activities may be the responsibility of the full board or another committee.

Rising Expectations

In today’s environment, the expectations of audit committees are higher than ever. Shareholders rely on audit committees to maintain oversight while keeping up with increasingly complex financial reporting requirements and a changing regulatory landscape. Setting the appropriate tone at the top has never been more important for audit committees and boards as a whole. Moreover, it is important for the audit committee to build strong relationships with a variety of internal and external stakeholders who have an impact on the company’s risk profile and ability to create value.

— Produced by Maureen Bujno, managing director, Center for Board Effectiveness at Deloitte LLP; Consuelo Hitchcock, principal, Audit Regulatory Affairs at Deloitte & Touche LLP; Krista Parsons, managing director, Center for Board Effectiveness at Deloitte & Touche LLP; Bob Lamm, independent senior advisor, Center for Board Effectiveness at Deloitte LLP; Deborah DeHaas, vice chairman and national managing partner, Center for Board Effectiveness at Deloitte; and Henry Phillips, vice chairman and national managing partner, the Center for Board Effectiveness at Deloitte & Touche LLP.

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

PUBLISHED ON: Oct. 2, 2018 8:01 pm ET

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
About Deloitte: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/us/about to learn more about our global network of member firms. Copyright © 2018 Deloitte Development LLC. All rights reserved.

What are the 4 key elements of risk management process?

The 4 essential steps of the Risk Management Process are:
  • Identify the risk.
  • Assess the risk.
  • Treat the risk.
  • Monitor and report on the risk.

What are the roles and responsibilities of the Board of Directors?

The Role of the Board of Directors:
  1) Recruit, supervise, retain, evaluate and compensate the manager. ...
  2) Provide direction for the organization. ...
  3) Establish a policy-based governance system. ...
  4) Govern the organization and the relationship with the CEO.

Why is the board responsible for risk management?

The Board has ultimate responsibility for Risk Management and Internal Control. It is responsible for deciding the Company's risk strategy and business model, and it should understand and agree the level of risk that goes with this.

What are the 4 main goals of risk assessment?

Why is risk assessment important?
  • Create awareness of hazards and risk.
  • Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.).
  • Determine whether a control program is required for a particular hazard.
  • Determine if existing control measures are adequate or if more should be done.