December 17, 2014
10 Questions Boards Should Be Asking on Risk Management
by Donna Galer
Many directors know much too little about how to oversee the issue.
Although most boards of directors are aware of risk and the need to manage it, many board members do not actually know much about risk management or how to oversee it. This article reviews a list of questions that may help board members execute their mandate. The list is not comprehensive but is illustrative of important points a board member would want to know about how an organization is managing its risk.
1. Who is responsible for the enterprise risk management or risk management process?
Without assigning someone clear accountability for the process of risk management, it is unlikely that risks would be identified, prioritized and mitigated across an organization on a periodic basis and in a thorough way. In addition, it is unlikely that risk would be given the focus required to achieve a reasonable degree of control over the many uncertainties facing organizations in today’s highly dynamic marketplace.
Less important are such details as the title of the individual with the accountability or how large a budget or staff the individual is provided. A named, accountable person is key to ensuring that a sound process is in operation.
2. What are the most significant risks to the strategy, and what is being done to address these?
Given that failures are generally caused by a strategic risk that has not been addressed, rather than by a catastrophic storm or a single cyber attack, for example, it is vital for organizations to know and deal with their strategic risks.
Strategic risks typically involve aspects of the business such as:
- What is the organization’s vision of the future – does it take into account where technology, science and other dynamic forces are going?
- What is the mission – what does the organization make or sell, to whom and in which geographies?
- What are the goals and objectives – how much does the organization want to grow, at what margins, keeping what capital and debt levels?
- What are the values – how does the organization want to behave and be perceived in the marketplace?
- What is the position with strategic partners, investors and vendors?
3. Is there a single risk register that collates all significant risks (strategic and non-strategic), with action plans to mitigate them?
Strategic and non-strategic risks of a certain magnitude should be combined into one risk register that allows management and the board to see:
- all the major risks
- what is being done to mitigate them
- what is the progress against the risk mitigation plan
The board should expect to see such a report or ask for one, if it is not already being created.
4. What are the top 10 risks overall?
These should be top of mind for the organization’s senior team at all times and be a familiar topic of discussion with the board. Board members should consider whether these make sense based on all the information they have been privy to about the organization.
5. Do individual performance plans include risk management?
If managing risk is really important to the organization, the individual performance plans of a large number of employees at different levels of the organization should include a specific objective or task related to risk management. Performance against these objectives would then be evaluated at regular intervals. It is well known that what gets measured gets managed, and what gets rewarded gets attention.
6. Who is responsible for information technology security?
Clear accountability for the task of ensuring IT security is also critical. With the risks of cyber breaches, demands for service, extortion, and theft of bank accounts and intellectual property so high, an organization needs to ensure it has the necessary expertise to create and maintain a secure technology platform. This can be in the form of hired staff or expert contractors.
In the case of some recent, high-profile breaches, it appears that the role of chief information security officer (CISO) was either non-existent or that the individual filling the role was brand new. An inference can be drawn that a seasoned CISO who understood the organization might have made a difference.
Of course, having the role filled does not guarantee that a security risk will never come to fruition. But it does reduce the risk to some extent, and having a CISO makes discovery of, and recovery from, a breach or attack quicker and more efficient when one does occur.
7. Do all employees get some information and training on identifying and reporting a risk? Is there a risk reporting “hot-line”?
The answer to this question will give the board insight into several things. If there is a hot-line, it shows that the organization is seriously interested in identifying risks and that the topic of risk is being handled fairly transparently within the organization. If there is not one, the board may wonder why there is no channel for the rank and file to alert management about risks.
8. Have correlated risks been looked for, and what are they?
Large and small organizations alike have the potential to harbor correlated risks. Correlated risks are a group of risks that might occur at the same time because there is a relationship of some sort among them. The aspect at play could be:
- a geography in common
- a single source with multiple ties
For example, a company that has call centers, data processing and manufacturing plants in a single Southeast Asian country has the potential for correlated risk if that country is hit by a natural catastrophe, political upheaval or some other turbulence. Another example: if different product units of a manufacturing company use the same supplier for raw materials or OEM parts, there is the potential for correlated risk if that supplier is unable to deliver on its orders.
A correlation might also be in terms of chain reactions. One risk event may give rise to other risks, which is often true in the case of natural disasters such as earthquakes and hurricanes.
A question about correlated risks will not only elicit an answer about those risks but also provide insight as to whether risk is being discussed in depth and across organizational silos.
9. Are a business continuity plan and disaster recovery plan in place?
No matter how robust a risk management process is, a company will experience catastrophes of one sort or another from time to time. Plans for dealing with these are needed because reaction speed is critically important in managing them well.
The business continuity plan has the aim of keeping all or some of the business running from another venue or with back-up systems or on-call staff, or whatever allows continuous operations. The disaster recovery plan has the mission to restore normal operations as quickly as possible after the business has been interrupted in whole or in part.
In reviewing these plans, key elements to look for include:
- a communication hierarchy for notification that is complete and up to date
- a decision tree for creating clarity around who can make which decisions
- a list of third-party resources that have been previously vetted and can be called in to assist – some will be part of any insurance policies that may be triggered by the risk/loss event.
10. What risks are being transferred by insurance versus what is being mitigated internally, and what is the quality of the insurer?
Insurance can be an effective and efficient way to handle risk when it is used in a well-constructed fashion. The board will want to consider high-level issues such as:
- Is the right set of risks covered, i.e., those that are less predictable, require special expertise and are beyond the financial wherewithal of the organization to withstand?
- Are the right limits being purchased, i.e., is the value of the policy high enough to truly cover a major loss?
- How highly is the insurer rated, and what is its claims service reputation?
A way in which the board can judge the merit of the answers to these questions is to find out:
- the kind of analysis that was done to determine the insurance program
- who did the analysis
- whether there is benchmark information to look at from comparable organizations.
There are, undoubtedly, other questions that the board may need to ask. These are an excellent starting place for getting a sense of how well the organization is addressing risk.