Understanding board oversight of risk management now & for the future

Understanding board oversight of risk management now & for the future PwC writes, "The number and types of risks the board oversees continue to grow, even as their nature changes.” This has pulled board oversight of risk management — cyber, environmental, social, governance (ESG) or other risks — into the spotlight. Shareholders and stakeholders now have greater expectations for boards to take a more active role in managing ever-evolving risks.As if the increased scrutiny weren’t enough pressure for boards, the popularity of social media has caused negative, vast media attention for companies that fail to address matters associated with poor risk management. Today’s marketplace environment demands that boards take a more proactive, tactical approach to managing risk than they have historically. The volatility of risk also requires boards to re-evaluate their risk management structures and how they approach their risk efforts.

Here, we’ll unpack the relationship between board oversight and risk management, including:

• What board oversight of risk management is
• The core role of the board in risk management
• Common risks boards oversee
• Structures and committees that help boards oversee risk
• Risk oversight best practices
• A real-world example of board oversight of risk management
• The future of board oversight in a changing risk landscape

What is board oversight of risk management?

The board of directors’ oversight of risk management refers to the responsibilities and actions to support the organization in identifying, assessing, managing and mitigating risks. These risks could harm the organization’s ability to achieve its strategic goals or harm its reputation, finances, operations or stakeholders.

What does this look like in practice? The audit and risk committee may meet quarterly to review enterprise-wide risks. The Chief Risk Officer (CRO) presents a dashboard with key risks, heat maps and mitigation strategies. If the organization experienced a recent cyber attack, the meeting could also have a specific cybersecurity risk focus, with briefings from the Chief Information Security Officer (CISO).

The risk committee would then report back to the broader board, which would, together, make informed decisions about how to proceed in light of the risks before them.

The core role of the board in risk management

The board should be actively involved in overseeing risk, but it isn’t managing it; it should entrust that function to the CRO and their teams. Instead, the board is responsible for the 10,000-foot view of risk, guiding risk teams on risk management execution.

These core responsibilities include:

• Setting the organization’s risk appetite and tolerance: The board defines the level and types of risk the organization is willing to accept as it pursues its objectives. The CRO and risk teams can use this to assess and mitigate different risks.
• Approve and monitor the enterprise risk management (ERM) framework: A comprehensive, organization-wide approach to risk management starts with the board. They should break down silos to advance a more robust, proactive risk view that helps risk teams avoid threats and embrace opportunities.
• Align strategy and risk exposure: The board should weigh strategic plans alongside the ERM framework, considering whether the plan matches its pre-determined risk appetite and capacity. If it doesn’t, the board should recommend amendments.
• Oversee risk culture and internal controls: A culture of accountability should be top-down. The board should encourage transparency and ethical behaviors and push for systems and controls to manage key risks.
• Monitor emerging risks and critical areas: Boards should review top risks regularly and take steps to prepare the organization for potential disruptions or uncertainties. This can involve asking the Chief Financial Officer (CFO) to model different financial scenarios should a risk occur or directing the CRO to develop a new system of internal controls.
• Ensure clear roles and responsibilities: The boards should confirm that management has the appropriate capabilities and accountability to implement and manage risk processes.

Common types of risks boards must oversee

There’s no getting around dealing with risks; the reality is that risks can present a viable opportunity to gain an edge over the competition. Yet, there are myriad kinds of risks, each of which the board must understand to oversee effectively. These include:

• Operational risk: Those arising from failures in internal processes, people or systems, such as supply chain disruptions or IT outages.
• Strategic risk: Those related to high-level business decisions and long-term goals, like entering a new market or launching a new product.
• Political risk: Those stemming from changes in government, regulations or public policy that could affect how the organization operates.
• Reputational risk: Those that could damage the organization’s public image or stakeholder trust, often arising from scandals or miscommunication.
• Financial risk: Those related to liquidity, credit, market fluctuations or other issues that could impact the organization’s financial health.
• Cyber risk: Those associated with data breaches, system intrusions or failures of digital infrastructure.
• ESG: Those linked to sustainability, social impact and governance practices — including climate change, labor practices and board diversity.

Top compliance risk today

Hear how the board can help their company better master risk now and for the future.

Listen nowchevron_right

Structures and committees for board oversight of risk management

Accountability is an essential component of managing risk. Boards can assign responsibility to various committees and leaders and bear the burden for some risk-related structures. Board oversight of risk management may rely on the:

Risk committee

The risk committee is responsible for board-level risk management and oversight of management-level risk programs. One of its first responsibilities is establishing the company’s risk profile and defining its overall approach to risk management. The primary question it needs to answer is, 'What will help the company grow the most?’

Risks that the board identified in the past can help boards identify new risks and opportunities. Failures from competitors and other corporations and how they manage risks serve as a learning experience for all boards.

From there, the committee must evaluate the risks and rewards and any potential trade-offs. The committee must also consider any environmental circumstances they must monitor or manage. In addition, they’ll need to scan the internal and external environment for new threats and any new opportunities they might present.

Upfront planning lessens the possibility that the board will need to react to viable threats. Clear risk management reduces the negative impact on employees, processes, technology and the general environment.

Risk management committees must communicate the risk management profile to the board and the management team and encourage them to use it as a standard in making decisions. By practicing good oversight over the agreed-upon risk management profile, boards can minimize or avoid significant risks.

Audit committee

Other board committees should be equally aware of the company’s risk profile. The audit committee, in particular, plays a central role in risk oversight, especially with regard to financial, compliance and operational controls. It will work to ensure the organization maintains the integrity of its financial reporting processes, complies with legal and regulatory obligations and manages internal controls effectively.

The audit committee does this by regularly reviewing the organization’s risk management systems, including the ERM framework, and assessing whether these systems are sufficiently robust to address evolving risks. In addition to overseeing internal and external auditors, the audit committee often serves as the liaison between the board and the CRO.

Chief risk officer

The CRO serves as the organization’s executive leader for risk management. They are responsible for designing, implementing and maintaining the ERM framework. This includes identifying and assessing risks across departments, developing risk mitigation strategies and fostering a culture where risk awareness is embedded in daily decision-making.

The CRO also acts as a bridge between operational teams and the board. It’s through them that board oversight translates into risk management execution. Risk teams will also report up to and follow the guidance of the CRO in monitoring external threats, such as shifts in regulatory policy, cybersecurity trends and environmental or geopolitical developments.

Board composition and diversity

While not a formal risk management role, board composition, specifically diversity, is a structure that aids risk management. According to PwC, 76% of directors say that board diversity improves strategy and risk oversight.

It writes, “It is important to have some board members with deep expertise in the industry who can help anticipate what’s to come. On the other hand, it is also important to have fresh perspectives — whether it’s new directors, those with experience in different industries or different skill sets — to view risk through different lenses.”

The more industries and areas of expertise the board represents, the better prepared it is to manage a wide range of risks successfully.

Best practices for effective risk oversight

Exact risk management processes vary by organization and are, therefore, difficult to generalize. However, some practices can make any risk management strategy stronger. These include:

1. Regularly reviewing — and challenging — risk appetite and tolerance: Remaining competitive may largely depend on how well companies address their risk profiles and communicate them company-wide. But that profile and the board’s appetite for it will likely change over time. In a conversation at Diligent’s ERM Virtual Summit, BitSight Chairman and Thoughtworks and Fairwinds Board Director Bob Brennan said to look at risk as a coin with two sides. “One side enables the organization to take risk, not simply mitigate it. And too often, boards and management teams, especially when working together, focus on the mitigation of risks that pose potential danger to the company, and not enough on the risks that they should take.”
2. Clearly defining the board’s risk oversight role: It’s essential for boards not to give way to micromanaging the senior executives. Boards should be specific about their role and what it isn’t. The board isn’t responsible for eliminating risks. They’re only responsible for ensuring risks are appropriate; most other risk management tasks fall to the CRO and their team.
3. Integrate risk management with strategic planning: Risk management is at least as important as strategic planning and shouldn’t be minimized or marginalized. Embed considerations within strategic decision-making processes rather than treating them as an afterthought. This can help the board embrace the risks worth taking.
4. Articulate risk effectively: Not all board members are risk experts, but they don’t need to be. Committees, CROs and other risk leaders need to communicate with the board correctly to zero in on the three to five critical risks out of the 30 risks on their 10-K. As part of that virtual summit conversation, Moody’s Chief Strategic Development Officer David Platt said, “The job of management is to tell the board what you believe matters most and what you’re doing about it. A nice expression that I learned long ago was, ‘You tell the board what they need to know, not what you know.’”
5. Visualize risk data: Risk leaders would also do well to show the board, not just tell them. Visualizations like heat maps can reveal key facts that are difficult to understand at face value. “I think it's simple but powerful to be able to look at just a visualization of your risks. As a CEO or leader, I want to see across our organization if we have a comprehensive view of what the risks are. And I do want to see that prioritization,” said Diligent President and CEO Brian Stafford.

A real-world example of board oversight of risk management

Imagine a mid-size healthcare company that’s been growing quickly through expansion. They recently launched a new patient portal, bringing medical records, appointment scheduling and physician communications into a single online account.

Using AI-powered benchmarking, the CRO noticed that healthcare companies are at a heightened risk of cyberattacks. The CRO presents a report to the board, showing the need for a full cybersecurity risk review. Board members might ask: Are patient records vulnerable? Is the team prepared for a data breach? What’s the backup plan?

The board then delegates a deeper dive to the audit and risk committees. The committees ask for an independent cybersecurity audit and a scan of the most popular risks from SEC 10-K reports of similar companies and their industry. They also oversee the development of a crisis communication plan in case a breach does happen.

The board doesn’t micromanage, but it does make it clear that this is a top priority. The CRO, risk, IT, cybersecurity and other teams act accordingly, shoring up the patient portal. The board’s early involvement means the healthcare company is better prepared and can avoid significant damage.

The future of board oversight in a changing risk landscape

By nature, the risk environment evolves. Boards and their organizations plug gaps, and bad actors adapt to find new ones. Regulations are amended or updated, the climate continues to warm, and stakeholders of all kinds develop new expectations for board and organizational conduct. These rapid changes demand that the board take a more proactive role in overseeing risk, one that can stand up to fast-evolving challenges like:

1. Artificial intelligence: AI could radically improve efficiency and decision-making, but it also introduces new categories of risk, ranging from data privacy and bias to workforce displacement. Boards must both embrace AI’s opportunities and guard against its dangers with proper AI governance. “The whole topic of generative AI is a proxy for having your data and technology in good order. If you're not organized, you can't use these new technologies safely. You've got an issue, and you're going to fall behind,” says Platt.
2. Climate change and ESG regulations: The evolving understanding of organizations’ impact on people and the planet is reshaping how risk is defined, reported and managed. Boards must now oversee ESG considerations and integrate them into core strategy and risk management frameworks.
3. Global uncertainty and geopolitical risk: Supply chain fragility, trade disruption, migration and inflation are challenging boards to adopt a more agile and scenario-based approach to oversight. Boards must understand deeply how external shocks could impact the organization’s operations, reputation and resilience and must engage with management to prepare contingency plans.

Enhance board oversight of risk management with technology

“You can’t manage what you can’t measure,” said Stafford.

Yet, too many boards attempt to oversee risk without a clear picture of the challenges and opportunities before them. Board oversight of risk management can be made easier by implementing enterprise risk management software.

Diligent ERM, part of the Diligent One Platform, centralizes all of your risk data into a single source of truth, delivering the board the real-time reporting it needs to make better decisions. Identify strategic gaps quickly, eliminate data gaps and make risk part of the decision-making process, all in one unified platform. Learn more about Diligent ERM and request a demo today.

Still in spreadsheets and at the early stages of ERM maturity? We’ve got you covered too. AI Risk Essentials can enable you to stand up an ERM program in less than one week. As your ERM maturity develops, we can scale with you.