15
The Role of the Board in Risk Management Oversight

John R. S. Fraser

Former Chief Risk Officer

This chapter explains the role of the board of directors in risk management oversight. It provides the context of why this is important, and in many cases why risk oversight is now a governance requirement. The challenges faced by boards of directors are explained, as are the various methodologies for approaching the process of risk management that boards may encounter. Risk can be a confusing and complex concept and this is explored, with concise approaches provided to assist boards in their oversight role. There are several ways that boards may organize to address enterprise risk management, often by using the audit committee, the full board, or increasingly by establishing a separate risk committee. These alternatives are compared. Managing risk in a consistent way across an organization—often now labeled as enterprise risk management—is explained and the board's role in the key steps is highlighted. Overall, this chapter provides a valuable resource to board members, management, assurance providers, and academics, who oversee, report on, provide independent assurance, or study this topic. It includes references to numerous supplementary readings for the serious student of this popular and evolving governance topic.

The topic of the board's involvement in, and oversight of, risk management, is a relatively recent trend and expectation. While boards have increasingly been considered accountable for the business strategy and the overall success or failure of organizations, it is only in recent years that the topic of their role in risk management has been explored in greater detail. Until approximately the turn of this century, risk was seldom linked to strategy and to the accomplishment of an organization's business objectives. Risk was usually defined and considered as bad things happening, often as events or hazards. As risk thinking has evolved, risk is now considered “the effect of uncertainty on objectives.”1 This, coupled with the obvious failures of management and boards to foresee and address organizational risk management effectively (e.g., the 2008 credit crisis and, before that, Enron, WorldCom, etc.), has placed risk management oversight clearly in the boardroom. The regulators, stock exchanges, rating agencies, and shareholder activists have all joined the clamor for better management and oversight of risk. The regulators especially have in some cases gone beyond reason and are insisting on activities by boards and management that have not been fully researched, or demonstrated as having value, and may in fact hinder sound risk management.2 The challenging part of these dynamics is that risk, risk management, and enterprise risk management3 are in many cases poorly understood or written about, and practiced in confusing or unhelpful ways. Boards are in the difficult position of being asked to oversee the implementation and execution of something that they often do not yet fully understand.

One of the earliest breakthroughs in thinking about the role of boards and risk was in 1994 when the Toronto Stock Exchange Committee on Corporate Governance in Canada issued their report “Where Were the Directors? Guidelines for Improved Corporate Governance in Canada” (also known as “The Dey Report,” after Committee Chair Peter Dey). The report included these groundbreaking guidelines:

The board of directors should explicitly assume responsibility…for the following matters:…(ii) the identification of the principal risks of the corporation's business and ensuring the implementation of appropriate systems to manage those risks;…

Needless to say, neither management nor boards embraced this suggestion enthusiastically, and five years later some 40 percent of companies were still reporting no board involvement in risk management (as reported by subsequent studies).4

In referring to the lack of governance leading up to the 2008 financial crisis, the Financial Stability Board had this to say about financial institutions worldwide:

…many boards did not pay sufficient attention to risk management or set up effective structures, such as a dedicated risk committee, to facilitate meaningful analysis of the firm's risk exposures and to constructively challenge management's assumptions, proposals and decisions. The risk committees that did exist were often staffed by directors short on both experience and independence from management. The information provided to the board was voluminous and not easily understood, which hampered the ability of directors to fulfill their responsibilities.5

Increasingly, regulators are requiring greater board involvement in risk oversight, and greater disclosure of that involvement. Many of the recommendations of the Dodd–Frank Wall Street Reform and Consumer Protection Act (2010) have been established, including a requirement that foreign bank holding companies and U.S. bank holding companies (over a certain size) establish a risk committee of the board, among other risk-related requirements.6 As the NACD Blue Ribbon Commission paper, “Risk Governance: Balancing Risk and Reward,” states so succinctly, “The board should satisfy itself that management has developed a process that is effective and efficient. Additionally, boards must play an important oversight role and supplement this process by identifying how the risks interrelate with each other.”7

The U.S. Securities and Exchange Commission (SEC) in 2010 brought in new rules stating:

…disclosure about the board's involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company. This disclosure requirement gives companies the flexibility to describe how the board administers its risk oversight function, such as through the whole board, or through a separate risk committee or the audit committee, for example.8

The U.K.'s Financial Reporting Council in its September 2014 publication, The UK Corporate Governance Code, stipulates: “The board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal controls systems.”

The ASX Corporate Governance Principle 7 requires management to create and maintain a soundly based risk management framework, which the board is to review each year.9 Framework is defined in terms of ISO 31000.10

The conclusion to be drawn from these typical regulatory pronouncements is that the topic of risk, and the expectation that boards must play a vital and explicit role in overseeing risk management, is now considered a key governance requirement. A glossary of terms relating to risk management is provided as Exhibit 15.1.

Exhibit 15.1 Glossary of Terms

Term: Definition
Risk: The effect of uncertainty on objectives.(a)
Risk management: Coordinated activities to direct and control an organization with regard to risk.(a) ISO 31000 regards managing risk as being at both the enterprise level and the individual areas of risk, so does not use the term enterprise risk management.
Enterprise risk management (ERM): The term ERM is used to refer to managing risks at an enterprise level, to distinguish this process from merely managing risk in specific areas of the organization; e.g., in many companies there are areas called risk management that merely buy insurance and do not act on noninsurable risks. ERM requires identifying, assessing, and treating uncertainty that could affect the outcomes of an organization's objectives in a holistic manner as opposed to just in specific silos.
Risk management framework: Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.
Risk criteria: Terms of reference against which the significance of a risk is evaluated. Risk criteria are based on organizational objectives, and external and internal context.(a) Examples of risk criteria would be scales used to assess and rank risks, such as for impact, probability, and controls.
Inherent risk: COSO defines inherent risk as the risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact. This term (as defined) should be avoided. It does not work in practice as there are few, if any, situations where there are no actions already in place to mitigate a risk. Better terms to use would be “largest possible risk” or “potential exposure.”
Risk appetite: Amount and type of risk that an organization is willing to pursue or retain.(a) Note that due to the excessive confusion surrounding this term, ISO 31000 Risk Management—Principles and Guidelines decided not to use the term as it was not required and only caused confusion. The concept of risk criteria is used instead as a practical means of assessing and ranking risks.
Risk tolerance: Organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives.(a)
Residual risk: Risk remaining after risk treatment.(a)
Risk profile: Description of any set of risks.(a) Risk profiles are often presented in graphic forms, such as risk maps or lists of the top risks (e.g., top ten risks).
Risk treatment: Process to modify risk. Risk treatment can involve:
  • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk.
  • Taking or increasing risks in order to pursue an opportunity.
  • Removing the risk source.
  • Changing the likelihood.
  • Changing the consequences.
  • Sharing the risk with another party or parties (including contracts and risk financing).
  • Retaining the risk by informed decision.(a)
(a) ISO Guide 73 Risk management—Vocabulary

The Challenges

There are many challenges for boards in understanding and executing their duties of overseeing risk management processes. This is often due to the confusion between the terms risk management and enterprise risk management. ISO 31000 and other authoritative sources regard having a managed approach to risk as being risk management, but because the term is often used in specialized situations, such as for buying insurance, safety, and the environment, proponents of a more systematic and enterprise-wide approach to managing all risks as a portfolio prefer to use the term enterprise risk management (ERM). Other terms that mean the same thing as ERM include enterprise-wide risk management, integrated risk management, and strategic risk management (i.e., focused on achieving the strategic objectives), among others. The following are some of the key challenges for boards in dealing with risk management.

Board Knowledge about Risk Management Processes

Most board members are not trained in ERM principles. They are usually successful business executives who have done well professionally, often by following gut instinct and by being knowledgeable in particular types of businesses. Without training in ERM, and no longer having access to the factors that made them successful in their managerial roles (for example, direct contact with customers, staff, suppliers, and so on), they are often unsure what ERM should look like or what principles to apply.11 As a result, they rely heavily on management's representations, which may not reflect what is actually occurring in the business at all levels. It can be argued that this is how it has always been; however, with the advent of ERM, there are now better proven ways for managers to manage the business and for directors to oversee their efforts and the attendant risks to the business. As part of my research to prepare this chapter, I referred to recent books on governance by two of the most eminent names in Canada on board governance and I could find no explicit reference to risk management or the board's role thereto, which indicates the newness of the topic. This is not to say that risks were not considered, but this was not done explicitly as part of a board's mandate and certainly not as an explicit process. Contrast that view with that of Dr. Roger Barker, a fellow coauthor within this book and head of corporate governance at the Institute of Directors, England: “The board's main ongoing task is to perform risk oversight, so it needs to satisfy itself that effective risk management is being practiced at all levels of the organization.”12 This illustrates the newness of this topic on the board's agenda and the change in emphasis it has brought.

Understanding Risk

There is much confusion about what risk is,13 how to define it, and how to address it.14 This confusion exists not only among managers and directors but also in academia, and with regulators and other interested parties. In many companies, there are still discrete departments titled Risk Management, whose sole function is to buy insurance for insurable risks. Not only is there confusion over the term risk, but also about ERM. Many surveys show that only about 25 percent of major companies claim to have implemented ERM. Academics prepare papers assuming that the appointment or existence of someone with a chief risk officer (CRO) title denotes that ERM is implemented.15 Closer examination and the author's research indicate that this figure is probably overstated, as what these companies have is not really ERM; for example, the CRO may focus only on some risks, or not participate fully in all risk activities.

Risk is defined by ISO 31000 as “the effect of uncertainty on objectives.” This means that the strategic objectives of the organization need to be articulated and clearly understood. Risk is not an event or necessarily a potential event (a common misconception), although potential events or events can create uncertainty and risk.

It is important to note that, in theory, all of an organization's resources are used to treat risks that could impact the objectives. Thus, risk management is not a separate, stand-alone added activity but in fact is everything the organization does in order to try to meet its strategic objectives. ERM is an attempt to bring focus and an enterprise-wide view to activities that may otherwise be done in silos, in isolation from other parts of the organization. When reviewing expenditures or project plans, the board should always relate these expenditures to the risks and related objectives that are being treated (e.g., an increase in the budget for safety training should be related to a strategic objective to reduce accidents and lost time). It may even be stated that unless managers can explain the need for resources in terms of what risks to objectives are being mitigated, then the resources should not be approved.16

Risk Management versus Compliance with Regulations

In heavily regulated industries, particularly the financial industry, compliance with regulations can become a prime objective, resulting in form filling or box ticking, rather than a real focus on risk management. Boards (and even advisors or regulators) may incorrectly assume that these compliance activities, which of course must be done as a priority, constitute real risk management and thereby look no further. An example would be a regulation that reads that an organization needs to identify risks and document risk to the business. The company may comply with this by having staff fill out surveys and compile a risk register as required by regulation, but never actually discuss risks nor integrate these risk activities into real business decision making.

Other Skills and Experience

This chapter focuses on the risk-management process itself, but there are many other attributes, skills, and experiences that go into making an adequately qualified board member for risk oversight. These would include, most importantly, industry experience, as well as numerous aspects of risk management, such as crisis management, cybersecurity, reputation, human resources, and so on. These topics are dealt with in other chapters.

Risk Management Methodologies

It would be beneficial if all directors had a basic understanding of the principal (enterprise) risk management methods currently in vogue and being implemented. This would assist their understanding of what the organizations of which they are board members are doing (or not doing) in this regard and better allow them to oversee the risk processes, and the risks themselves. Where, or if, there is a designated risk expert on the board, this individual should have a much deeper knowledge of (enterprise) risk management methods and techniques, although all directors should understand the basics of ERM. The principal methodologies that directors are most likely to encounter are:

  • ISO 31000 (2009) or some adaptation.
  • COSO ERM 2004.
  • Financial institutions' regulatory requirements.

ISO 31000

Outside of the United States, ISO 31000 is probably the most well known and widely used risk management system, albeit often adapted or expanded. It is based on the Australian/New Zealand Risk Management Standard 4360,17 which was pioneered, field tested, and implemented in many industries and countries since 1995. It has been adopted as the national standard by over 25 major countries (including the United States, England, Canada, and Australia). It is relatively simple in concept and consists of three major parts: principles, framework, and process. The principles are self-evident and easily understood and embraced; for example, its definition of risk is the essence of simplicity: “Risk is the effect of uncertainty on objectives.” The framework speaks to the mandate, design, implementation, monitoring, and improving of the framework. The process deals with the actual assessing and treating of risks, together with establishing the context and communication throughout.

What differentiates ISO 31000 from other methods is its emphasis on setting the context, the use of risk criteria, its simplicity, and its adaptability. The disadvantage of ISO 31000 is that, in order to achieve consensus among so many countries, some additional elements had to be omitted. In addition, because of its simplicity there is not much guidance on how to implement the standard and the various techniques.18 As a result, some countries have developed their own additional guidelines as a supplement to ISO 31000.19

COSO ERM 2004

The COSO organization20 had much success with their 1992 Internal Control Framework. This filled a void, as previously there was little accepted guidance on what constituted adequate internal control, and although it missed some of the more conceptual elements of Canada's subsequent CoCo methodology,21 it became more accepted and in fact became the de facto standard after Sarbanes–Oxley dictated the adoption of a specific internal control standard for financial reporting. It would appear that when COSO decided to produce an ERM framework, they either were not aware of the AS/NZ 4360 Standard or were aware of it but decided they could create something different and better. In either case, they produced a long,22 complex, difficult to implement, and sometimes conceptually flawed product (see below for examples) that has been popular in the United States but not in other countries.23 The overriding objective of the COSO ERM product was that it would mesh with the previously issued Internal Control Standard, as manifested in the COSO cubes that are well-known representations of the COSO frameworks.24 The COSO framework has many good concepts/techniques, such as: basing risks on objectives, doing risk assessments, taking a strategic view, and so on. However, there are some serious drawbacks, such as its complexity, use of the impractical concept (as defined) of “inherent risk,”25 not dealing with black swan scenarios, and so on, and most unfortunately creating the impractical concept of risk appetite,26 without clarifying how to use it. Boards of organizations using the COSO ERM framework will need to probe as to how it has been implemented and how the conceptual weaknesses are being dealt with. In fact, they may wish to discuss whether to switch to ISO 31000.

Financial Institutions' Regulatory Requirements

Boards of directors of financial institutions naturally must comply with the increasingly strict regulations provided by their regulators. This emphasis on compliance may override the reality of practical risk management, namely, an emphasis on ticking the boxes instead of having appropriate and critical conversations and prioritizations.27

Like COSO, the regulators28 appear to have decided that they could ignore ISO 31000 thinking and create their own version of ERM. As a result, the financial ERM world consists of an emphasis on creating a risk appetite statement, a risk appetite framework, powerful chief risk officers, having risk committees and defined limits, doing stress tests29 (a form of scenario planning), and creating centralized databases to analyze enterprise-wide credit and trading portfolio risks.30 This latter element was driven by Basel regulations and was long overdue, as many large banks had not been taking an enterprise-wide view of credit and portfolio risks. For instance, they would loan money to different divisions or subsidiaries of the same company in different parts of the world without capturing the total exposure centrally.

The concept of a risk appetite statement is not without some merit, but only where it generates meaningful conversations about risk taking among the board, executives, and line managers. Then it can be a powerful step to sound risk management. It should be noted that the same or better effect is achieved by having these parties prepare and agree on risk criteria31 as described by ISO 31000. The issue with risk appetite statements is that regulators are insisting on them, but the thinking of what they should consist of, and why, has not been fully thought through; for example, the NACD examples of risk appetite statements32 include a mixture of objectives, tolerances, and limits. This may be a helpful start but a better way might be first to decide separately on clearly defined objectives, and then clearly defined tolerances followed by limits for each objective—this is a more structured approach.

While some research has been done on the causes of the financial crisis, including some excellent analyses of why some firms fared better than others,33 much appears to have been missed, especially with regards to what chief risk officers and chief audit executives knew and reported to executives, the boards, and board committees. There is an assumption that risk management failed, but did it or was it board governance that failed? These issues do not appear to have been fully analyzed.

What Is Enterprise Risk Management?

This section will start with a simple explanation of ERM and then elaborate on several developing concepts—some helpful and some unhelpful—for those responsible for risk management and risk oversight. The topic of ERM has taken the business world by storm in the last decade. As a result, there are many who have complicated the process unintentionally or seek to make money from the volatility of ideas that it has generated. Consulting firms have seen it as a bonanza and are in no hurry to simplify it. Regulators have jumped on the ERM bandwagon in an honest attempt to protect against the next round of bankruptcies and frauds. Companies struggle with the implementation, often abandoning or restarting their ERM projects when they fail to show expected value.

ERM is a simple concept.34 Simply stated, ERM requires identifying, assessing, and treating uncertainty that could affect the outcomes of an organization's objectives. In addition, monitoring and reporting are required for management and governance purposes. Strategic planning has been around for a long time and is generally well understood. The execution of strategy is usually where organizations fail. While the use of balanced scorecards35 has also helped by monitoring progress, it is by addressing risks in a more systematic manner that new converts to ERM hope to improve business excellence.

The following description of ERM is based on the ISO 31000 concepts and seeks to describe the key elements that a board director should expect to be in place and in which to engage as part of board oversight. For additional examples of how ERM has been implemented in many different organizations, please refer to Implementing Enterprise Risk Management: Case Studies and Best Practices by John Fraser, Betty Simkins, and Kristina Narvaez (editors).36

Critical elements of an ERM methodology are as follows:

  • The ERM policy
  • The ERM framework
  • The chief risk officer role
  • Risk criteria
  • Tools and techniques for risk assessments, risk treatment, and assurance
  • Risk profiles
  • Key risk indicators
  • Black swans
  • Business planning based on risk prioritization

Each will now be defined and discussed in turn.

The ERM Policy

The board should approve the ERM policy. It is a high-level policy that sits above all the other policies, such as safety, environmental, credit, foreign exchange, and so on.37 The policy should be designed to set the stage, with more frequently changing factors, such as limits, being handled by subsidiary processes. The key elements of an organization's ERM policy should be:

  • Setting out the key principles. For example, that all risks will be viewed as a portfolio, that the risk management process will be integrated with strategic and business planning and all important decision making, and that managing risk is everyone's responsibility.
  • Setting out the key accountabilities for the board, the audit committee (and risk committee, if applicable), the CEO, the CFO, the CRO, internal audit, and so on.
  • Providing definitions for key terms, such as risk is the effect of uncertainty on objectives.

Note that it is good practice to have major areas of risk allocated to specific board committees (e.g., safety to the safety committee, financial matters to the audit committee, etc.). However, either the board or a delegated committee has to take a leadership role in ensuring that an enterprise view of risks is taken and nothing slips through the process. Ensuring coverage of all risks should be a primary task for the chair. Currently, in many companies there is no board committee accountable for some of the major risks—R&D, customers, assets, technology, and so on.

Other topics that are often found in an ERM policy include risk processes, such as reporting (better dealt with in an accompanying framework, see below), and limits (alternatively dealt with as part of operating procedures or setting risk tolerances).

The ERM Framework

Whereas ISO 31000 distinguishes between the risk management framework and the risk management process, many practitioners combine the two. The framework can be regarded as the procedure manual for the practice of ERM, namely, risk assessments, risk reporting, the setting of risk criteria.38 The board's risk expert should be very familiar with the framework and each director should understand it. Note that the financial regulators sometimes refer to a risk framework as a risk appetite framework (meaning the same thing, but once again reinforcing the impression that the regulators were not aware of what accepted terminology existed before they got involved).

The Chief Risk Officer Role

As stated before, the ERM policy should stipulate the key accountabilities for ERM. One of the key roles is that of the CRO or equivalent person. The board should establish to whom this person reports and what the board expects of this role. Professor Anette Mikes describes the various roles that are being applied in practice by CROs: compliance champion, modeling expert, strategic controller, and strategic advisor.39 The two extremes the author has observed are the financial institution model and the facilitator model. The financial institution model, as promulgated by the regulators, has extensive authority, can go directly to the board, can veto deals and products, and has what is sometimes described as a big stick. The other extreme is the CRO as facilitator. This role supports management, provides the framework and techniques, facilitates risk workshops, prepares risk profiles, and educates (some of these may also be done under the financial institution model). In the facilitator model, the risk criteria, risk profiles, and the accountabilities remain with management and are their product, not the CRO's.

Some of the critical touch points between the board and the CRO are listed below. Boards should expect to have these interfaces with the CRO:

  • The ERM policy and framework approval process—the CRO submits these documents annually to the board, or delegated board committee, for approval.
  • Strategic planning and business planning (objectives)—the CRO obtains agreement as to the strategic objectives that will be employed in risk assessments.
  • Risk criteria (e.g., impact scale, tolerances, etc.)—The CRO obtains agreement first as proposed by management and then from the board as to the risk criteria and risk tolerance levels (see below).
  • Formal risk profiles—The CRO presents and discusses the periodic risk profiles first with management and then with the board or delegated committee (see below).
  • Periodic updates on risks—the CRO presents periodic updates, either overall or on specific topics of interest, as required.
  • Educator (e.g., best practices, benchmarking)—the CRO provides education sessions to the board on the ERM process or on specific risks (often with the help of topic specialists).
  • Advisor (e.g., hot topics, emerging risks).
  • Board risk workshops—some boards will wish to participate in risk workshops, either by themselves or with executive management. This is beneficial, as part of the board's oversight, for better understanding the risks and the risk process that is followed by management.
  • Whistleblower—this possible role is not recommended, but should be discussed. Acting as or being perceived as a whistleblower can put the risk personnel in the role of not being trusted by line management.

Risk Criteria

This is one of the most misunderstood, underappreciated, and underused areas of ERM. ISO 31000 describes risk criteria as terms of reference against which the significance of a risk is evaluated. They provide both the means to determine and express the magnitude of a risk, and to judge its significance against predetermined levels of concern. Risk criteria represent internal procedural rules selected by the organization for analysis and for then evaluating the significance of risk, and they are also used when selecting between potential risk treatments.40

The form of risk criteria will depend on the nature of the organization's objectives and the needs of decision makers when the risk management process is applied in support of particular decisions. In all cases, the description of the organization's risk criteria has three elements:

  1. The method(s) to be used to express and measure consequence and likelihood (whether qualitative, quantitative, or combinations thereof).
  2. The method(s) to be used to combine consequences and their likelihoods and then to express the resulting aggregate level of risk, i.e., how the various risks identified throughout the organization will be summarized and reported at the corporate level.
  3. The organization's internal rules for accepting (or tolerating) particular risks as well as risks in the aggregate.41

The reasons for developing risk criteria are:

  • In order to design and run effective risk workshops.
  • In order to create a common understanding and shared language of risks by the leadership team, the board, and the managers.
  • For business planning and resource allocation prioritization (see below).

Risk criteria are often represented as ordinal scales (e.g., 1 to 5, or low to high) that allow a prioritization process in order to assign resources accordingly. The advantage of such scales is that they are usually more logical than free-form written documents, such as a risk appetite statement. The board should be familiar with and approve at least the consequence scales that set out the types of impacts that could occur and establish what is a tolerable or intolerable impact should it occur. An example of an impact scale for a source of risk (e.g., customer service) that could damage the firm's reputation might be agreed by management and the board as:

5 = Worst case = Extended negative international press coverage.
4 = Major = Extended negative national press coverage.
3 = Moderate = Extended negative local press.
2 = Minor = Letter of complaint from important person/government to the chair.
1 = Insignificant = Complaint letter that can be expedited.

Risk criteria (as defined by ISO 31000) are intended to achieve the benefits sought by users of terms such as risk appetite, i.e., a predefined written articulation of what potential consequences, tolerances, and so on will be used to identify, assess, and prioritize risks for subsequent treatment.42 One way of defining risk tolerances on a scale, such as shown above, is to regard any source of risk (in a defined time frame) that could cause a 1 or a 2 as tolerable, whereas a 3, 4, or 5 would be considered intolerable and must be reported and acted upon by management to be reduced to a 1 or 2. It needs to be recognized that some sources of risks are external to the firm and may not be capable of being reduced adequately, thus these will appear on the risk profile as residual risks.

Risk Profiles

Risk profiles come in many forms, such as a list of the top 10 risks (see Exhibit 15.2) or as risk maps (see Exhibit 15.3), also heat maps, and so on. The reason for preparing them is to engender conversations among and between management and the board as to what are the most pressing risks and what is being done to treat them. Often these profiles are produced at a specific date, even though risks vary through time and may be better represented by probability curves. Profiles should stipulate what time period is being considered, as risks one year away can be quite different as compared to 3 or 10 years hence.

Exhibit 15.2 A Simple Risk Profile Based on the “Top 10” Format

Source of Risk           Current Period   Prior Period   Risk Trend
Regulatory uncertainty   Very High        Very High      Stable
Cybersecurity            High             Very High      Down
Human resources          High             High           Up
New competitors          High             Medium         Stable
Environmental            Medium           Medium         Down
Product failures         Medium           Medium         Up
Safety                   Medium           Medium         Down
Exhibit 15.3 A Risk Profile Using the Risk Map Format

[Figure: a risk map on which magnitude is plotted on the y-axis (1 to 5) and probability on the x-axis (1 to 5).]

Risk profiles are prepared by the CRO using risk data collected from risk workshops, risk interviews (with staff, management, and ideally with board members, although the latter is currently very rare), and key risk indicators. Each source of risk, however represented, should be explained as to the sources of the risks, the strategic objectives that are potentially impacted, and the controls or treatments that are being applied to mitigate the downside impacts or leverage the upside potential, if applicable. The CRO, or equivalent, who gathers this information, should confirm that the profile reflects the views of key stakeholders, and the understanding of the CEO and the executive team, whose report it in fact is.

Like financial statements, risk profiles by their very nature become obsolete soon after being created, but a risk profile is a very useful tool for discussion. They should be prepared periodically (e.g., quarterly), as management and the board deem appropriate for the business. Profiles should also be prepared for major projects and for specific risks that are of special concern.

A topic that has been popularized recently is “emerging risks,” often written about as a separate topic. However, if risk profiles are prepared for a specified future period and if the understanding of the business context, both internal and external, is done properly, then any emerging risks that could have an impact on the objectives will be captured as part of the risk profile. It is critical therefore that the CRO monitor internal and external trends to identify and include both well-known risks as well as those that are emerging.

Key Risk Indicators

Boards should determine to what extent the organization is using key risk indicators (KRIs). Unlike the more well-known key performance indicators (KPIs), which track historical accomplishments, KRIs are metrics that could help project impending risk situations, e.g., if there is high staff turnover in a specialized area then this may portend a risky situation arising in that function or others affected by it. Although this is still a developing concept,43 boards should expect to see this type of forward thinking being practiced by management.

Black Swans

The term black swans was popularized in the book, The Black Swan, by Nassim Taleb,44 to denote rare, unexpected, high-impact events (examples might include the 2001 twin towers attack, the dissolution of the Soviet Union, the 2004 Indian Ocean tsunami, and the 2008 credit crisis). Such events need to be assessed differently than typical risks, in that they are considered highly unlikely, but should they occur they could have a disastrous impact. As a result, in discussing such potential events, it is better to assess the speed of occurrence and the organizational resilience to address them should they occur. The board should enquire as to whether such events are considered and evaluated and should also participate in these discussions and assess the adequacy of business continuity plans and crisis management preparedness.

Business Planning

Ideally, resources should be allocated according to which sources of risk are most in need of treatment (e.g., controls, insurance) in order to achieve the organization's objectives. Historically this has not been done in most companies. There are ways in which the need for resources can be risk-rated in order to prioritize the allocation of staff and funding. This leads to a purer budgeting process than individual managers competing for resources based on their individual persuasive powers. An example of an approach to ranking the relative risks relating to the need for projects is shown in Exhibit 15.4.

Exhibit 15.4 A Risk-Based Approach to Allocating Resources

Project   Risk Score* for Safety   Risk Score for Finance   Risk Score for Customers   Total Risk Score   Cost to Implement   Cost per Unit of Risk Reduction
A         7                        2                        3                          12                 $180,000            $15,000
B         3                        8                        6                          17                 $306,000            $18,000

*The Risk Score is derived from the risk criteria scale of potential impacts. Cost per unit of risk reduction is the cost to implement divided by the total risk score.

In the above simplified model, even though Project B has a higher risk score based on specified risk criteria (17), Project A would reduce more risk per dollar spent ($15,000). Organizations might choose either to apply the principle of highest-rated risk or most-risk reduced per dollar spent.45
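The tolerance rule given above for the 1 to 5 impact scale (a 1 or 2 is tolerable, a 3, 4, or 5 must be reported and treated) and the two allocation principles behind Exhibit 15.4 can both be expressed as a short calculation. The following is an added illustration, not code from the chapter or its author; the project figures are those of Exhibit 15.4, the reputational risk register is constructed, and the function and category names are assumptions.

```python
"""Added worked example: ordinal risk criteria and risk-based resource allocation.

Illustrative code, not from the chapter's author. Project figures match
Exhibit 15.4; the risk register below is constructed.
"""
from dataclasses import dataclass

# Reputational impact scale agreed by management and the board (as in the chapter).
IMPACT_SCALE = {
    5: "Worst case: extended negative international press coverage",
    4: "Major: extended negative national press coverage",
    3: "Moderate: extended negative local press",
    2: "Minor: letter of complaint from important person/government to the chair",
    1: "Insignificant: complaint letter that can be expedited",
}

# Tolerance rule from the chapter: 1 or 2 is tolerable; 3, 4 or 5 is intolerable
# and must be reported and treated down to a 1 or 2.
TOLERABLE_MAX = 2


def classify_impact(score: int) -> str:
    """Return 'tolerable' or 'intolerable' for a score on the agreed 1-5 scale."""
    if score not in IMPACT_SCALE:
        raise ValueError(f"score {score} is not on the agreed 1-5 impact scale")
    return "tolerable" if score <= TOLERABLE_MAX else "intolerable"


def risks_to_report(register: dict[str, int]) -> list[tuple[str, int, str]]:
    """Given {source of risk: assessed impact score}, return the intolerable
    sources (highest score first) with their scale description, ready for the
    risk profile that management must report on."""
    flagged = [(src, s, IMPACT_SCALE[s]) for src, s in register.items()
               if classify_impact(s) == "intolerable"]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


@dataclass
class Project:
    """A candidate project: risk scores per criteria category and its cost."""
    name: str
    risk_scores: dict[str, int]   # e.g. {"safety": 7, "finance": 2, "customers": 3}
    cost: float                   # cost to implement, in dollars

    @property
    def total_risk(self) -> int:
        """Total Risk Score column of Exhibit 15.4: sum across categories."""
        return sum(self.risk_scores.values())

    @property
    def cost_per_unit_of_risk_reduced(self) -> float:
        """Cost to implement divided by total risk score (last column of the exhibit)."""
        if self.total_risk <= 0:
            raise ValueError(f"project {self.name}: no risk reduction to price")
        return self.cost / self.total_risk


def rank_by_highest_risk(projects: list[Project]) -> list[str]:
    """Principle 1: fund the project addressing the highest-rated risk first."""
    ordered = sorted(projects, key=lambda p: p.total_risk, reverse=True)
    return [p.name for p in ordered]


def rank_by_risk_reduced_per_dollar(projects: list[Project]) -> list[str]:
    """Principle 2: fund the project that reduces the most risk per dollar first,
    i.e. the one with the lowest cost per unit of risk reduced."""
    ordered = sorted(projects, key=lambda p: p.cost_per_unit_of_risk_reduced)
    return [p.name for p in ordered]


# Projects A and B with the figures from Exhibit 15.4.
PROJECTS = [
    Project("A", {"safety": 7, "finance": 2, "customers": 3}, 180_000),
    Project("B", {"safety": 3, "finance": 8, "customers": 6}, 306_000),
]

# Constructed reputational risk register: source of risk -> assessed impact score.
REGISTER = {"customer service": 3, "billing errors": 1, "breach disclosure": 4}

if __name__ == "__main__":
    for p in PROJECTS:
        print(f"Project {p.name}: total risk {p.total_risk}, "
              f"${p.cost_per_unit_of_risk_reduced:,.0f} per unit of risk reduced")
    print("Highest-rated risk first:", rank_by_highest_risk(PROJECTS))
    print("Most risk reduced per dollar first:", rank_by_risk_reduced_per_dollar(PROJECTS))
    for src, score, desc in risks_to_report(REGISTER):
        print(f"Report and treat: {src} (score {score}: {desc})")
```

The two rankings disagree for the exhibit's data, which is exactly the choice between principles the text describes; a board should know which one the budgeting process applies.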

The board needs to understand how risk has been factored into the budgeting process. They might also ask to see the budget impacts of various hypothetical, worst-case scenarios (much like stress testing in financial institutions). This would provide assurance that management has thought through how they would handle difficult scenarios (e.g., a major drop in oil, a sudden increase in interest rates, the ban of a product line for environmental reasons).

Accountability for Board Oversight

There is an ongoing debate as to the role of the full board in risk oversight. It is now generally recognized that the board has full accountability for overseeing the approach the organization adopts to manage risk. However, exactly how boards do this in practice can vary. The important point is that risk-governance coverage by the board and/or committees must ensure that a material risk, whether financial or nonfinancial, does not get missed. How this is done is less important than that it gets done and nothing falls through the cracks. Here are some of the more popular approaches of enterprise risk oversight.

  • Delegate oversight of enterprise risk management to the audit committee.
  • Delegate oversight of enterprise risk management to the risk committee (or another existing committee such as the governance committee).
  • Have the full board engaged in the oversight of enterprise risk management.

Each of the above approaches to oversight of enterprise risk management by the board and its committees will be discussed in turn.

The Audit Committee

As ERM began to catch on, it was common for the accountability for ERM to be delegated to the audit committee. Often this was because the topic of risk only surfaced regularly at this committee, for instance, on topics such as insurance, financial risk, expense policies, and so on. As well, it was felt that the board agenda was too busy for adding another topic that was not seen as a primary one. The New York Stock Exchange Listed Company Manual, section 303A.07 (D), requires the audit committee to “discuss policies with respect to risk assessment and risk management.”46 As Carol Beaumier and Jim DeLoach ask in their paper “Risk Oversight: Should Your Board Have a Separate Risk Committee?”—“Does the audit committee have the time, the skills, and the support to do the job, given everything else it is required to do?”47

In the 2013–2014 NACD Public Company Survey, “45 percent of companies assign risk oversight to the Audit Committee, and just 13 percent of companies, primarily in the financial services industry, have a board risk committee.”

Risk Committee

Some companies (primarily financial institutions), recognizing that risk is an important, albeit neglected, topic, have decided to create a separate committee to focus on risk and provide oversight to all risks. It was felt that the busy board agenda did not allow sufficient time to explore and debate the various key risks. It should be recognized, however, that a small group of directors is unlikely to have the same breadth of experience in as many risks as the full board. In some instances the committee may be comprised of the chairs of the other committees to ensure coverage of all risk areas. This helps to ensure that all key risks are either considered at the risk committee or spoken for by one of the other committee chairs. There is sound logic to this approach; however, some have suggested that this creates an elitist group of directors who are more knowledgeable than those not on this committee.

Exhibit 15.5 shows the incidence of risk committees globally in 2011. Note that because financial institutions (FIs) are often now required by regulation to have a risk committee, the ratio of FIs to non-FIs having risk committees is very high—in the United States 38 percent of financial institutions had separate risk committees. Financial companies have historically focused on the prevalent risks to that business, such as credit, market, and liquidity. However, an ERM approach would focus on all risks, including areas such as competitors, technology, human resources, customer satisfaction, and so on.

Exhibit 15.5 The Incidence of Board Risk Committees

Source: As Risks Rise, Boards Respond. A Global View of Risk Committees (London, England: Deloitte Touche Tohmatsu Limited, 2014).

Country          Separate risk committee of the board   Risk as part of another hybrid board committee   No specific risk committee
                 (percent of companies)                 (percent of companies)                           (percent of companies)
Australia        22                                     54                                               24
Brazil           26                                     18                                               56
China            30                                     18                                               52
Mexico           18                                      0                                               82
Netherlands       8                                      4                                               88
Singapore        42                                     10                                               48
United Kingdom   20                                     18                                               62
United States     8                                      6                                               86

There is a growing recognition that directors who are to play a role in advancing the benefits of sound risk management will need to be appropriately qualified, and that this will mean more than merely bringing their personal business experience to the tasks at hand.48

The Full Board

Although there continue to be concerns about the lack of time to properly review and discuss risks at board meetings, there is an acceptance that risk oversight is critical to the business and should be a board accountability. Boards are now beginning to allocate time at each meeting to discuss risks and risk management or have separate sessions for that purpose. One approach is to allocate each major source of risk (e.g., from the risk profile) to a board committee and hold the chair of that subcommittee accountable to present their assigned risks during board discussions of the risk profile or when those risks are the subject. The challenge with this approach is where any of the major risk sources are not assigned to any committee; examples might include those risks related to: customers, assets, research and development, technology, and so on. This should lead to a rethink as to whether the existing committee structure is adequate to address all of the types of major risks faced by the organization.

It is the accountability of the board to ask questions in order to conduct due diligence for risk oversight. Exhibit 15.6 provides suggestions for questions that boards can ask related to risk management.

Exhibit 15.6 Questions that Directors Should Ask About Risk

Source: 20 Questions Directors Should Ask about Risk, 2nd ed., Canadian Institute of Chartered Accountants, 2006.

Questions That Directors Should Ask About Risk
  1. How do we integrate risk management with the corporation's strategic direction and plan?
  2. What are our principal business risks?
  3. Are we taking the right amount of risk?
  4. How effective is our process for identifying, assessing, and managing business risks?
  5. Do people in this organization have a common understanding of the term risk?
  6. How do we ensure that risk management is an integral part of the planning and day-to-day operations of individual business units?
  7. How do we ensure that the board's expectations for risk management are communicated to and followed by the employees in the company?
  8. How do we ensure that our executives and employees act in the best interests of this organization?
  9. How is risk management coordinated across the organization?
  10. How do we ensure that the organization is performing according to the business plan and within appropriate risk-tolerance limits?
  11. How do we monitor and evaluate changes in the external environment and their impact on the organization's strategy and risk management practices?
  12. What information about the risks facing the organization does the board get to help in order to fulfill its stewardship and governance responsibilities?
  13. How do we know that the information the board gets on risk management is accurate and reliable?
  14. How do we decide what information on risks we should publish?
  15. How do we take advantage of the organizational learning that results from the risk management program and activities?
  16. What are our priorities as a board in the oversight of risk management?
  17. How does the board handle its responsibility for the oversight of opportunities and risks?
  18. How does the board ensure that at least some of its members have the requisite knowledge and experience in risk?
  19. How do we, as a board, help establish the “tone at the top” that reinforces the organization's values and promotes a “risk aware culture”?
  20. How satisfied are we that the board is doing what it should in overseeing risk?

It is also important that the board or compensation committee (by whatever name) understand and review the compensation scheme to assess whether it could provide undue rewards to employees who generate risks that may not be appropriate for the business, such as commissions on sales to customers who are not credit worthy without a clawback on any bad debts arising therefrom.

Overview of the Board's Role

The following summarizes the key activities that the board should perform to oversee risk management:

  1. Understand how the organization has implemented risk management processes (either as required by regulation or by best practice).
  2. Ensure that risk discussions are built into the strategic planning process, for example, by use of SWOT analysis, and by understanding the change in the risk profile as the strategy is changed.
  3. Review and approve the ERM policy and framework, the risk criteria, and risk tolerances.
  4. Review and discuss the risk profile(s). Understand how these have been prepared: how deep in the organization the workshops have been conducted, and how widely the interviews that generate the profiles have been conducted. Obtain periodic updates for important changes to risks between profiles.
  5. Ensure that risks are evaluated as part of all major capital project approvals and throughout the duration of critical projects.
  6. Obtain assurance that the ERM process is robust, based on factors such as: the quality of the CRO or equivalent, the quality of responses from management to probing questions regarding specific risks that the board enquires about (there should be no surprises), as well as audits of the process—either by the internal audit function or by external experts (see the section “The Board and Internal Audit” that follows).

In a recent research study, “Directors and Risk: Whither the Best Practices—Evidence from Canada,”49 Professors David Kunsch and Christopher Bart state that “(Our) survey analysis revealed in nearly all instances a significant positive difference in the good risk practices adoption rate between those that adhered to 20 Questions and those that did not.” This study evaluated the results of the board's role according to the framework provided by the questions in Exhibit 15.6.

It should also be noted that some regulators now specifically require that risk management expertise be identified for one or more board members. OSFI (Office of the Superintendent of Financial Institutions) in Canada stipulates: “Relevant financial industry and risk management expertise are key competencies for the FRFI [Federally Regulated Financial Institutions] board. There should be reasonable representation of these skills at the board and board committee levels.”

The Board and Internal Audit

A key ingredient to effective enterprise risk management is having an independent assessment conducted of the process periodically. This assurance to the board can be provided by an internal audit function50 and/or by external experts. Boards of medium to larger organizations should assess the need for and benefits of an internal audit function. Internal auditors have been described as the eyes and ears of the board. The Basel Committee on Banking Supervision provides 20 principles for the internal audit function,51 with principle one stating:

An effective internal audit function provides independent assurance to the board of directors and senior management on the quality and effectiveness of a bank's internal control, risk management and governance systems and processes, thereby helping the board and senior management protect their organization and its reputation.

Often this may be the only source of independent and objective views on the testing and quality of risk management and internal controls, especially at the operating level. Internal auditors usually report to the audit committee, ideally reporting functionally to the chair of the audit committee, and administratively to the CEO. Boards or audit committees should ensure that the internal audit function is adequately staffed, funded, and truly independent of management. For an overview of questions that boards should ask about internal audit see “20 Questions Directors Should Ask about Internal Audit.”

Boards should understand the difference in the roles of internal audit and the chief risk officer. The internal auditor provides expert opinions on the adequacy of internal controls in areas of high risk and provides recommendations to improve controls, including efficiency and effectiveness. The chief risk officer provides guidance and support, and assists management in addressing risks and reporting thereon, including developing risk profiles and other forms of reporting. Ideally, management should be held accountable for these risk reports, since the CRO acts as a facilitator but does not own the risk management role. The professional guidance for internal auditors spells out what roles relating to risk management are permissible and those that should not be undertaken by auditors.52 Chapter 16 provides an explanation of the board's role relating to internal audit in “Board Oversight of Internal Audit: How to Maximize Internal Audit Value.”

Conclusion

As described, boards historically have not focused on risk management as a process or taken an enterprise view of risks. The reason was often due to a belief that risk management was a management accountability only. Also, there was a lack of knowledge as to the role of the board in relating risk to the achievement of the organization's goals and objectives. This has changed dramatically in the last few years and is expected to escalate. The methods and theories that are being generated on this topic, both good and bad, are mushrooming. Unfortunately, this has led to confusion at both the management and board level. It is hoped that this chapter has minimized confusion and clarified and enhanced understanding. It is incumbent on executives and board members to develop a better understanding of the theory and practice of ERM and to ensure sound risk management and governance processes are in place in their organizations—that is their accountability and regulators are starting to emphasize this.

A conversational example of how a chair might explain the ways the board would oversee and be involved in the implementation of ERM, is: “We will begin to have regular, more structured and explicit conversations with management on risks, that is what risks we are taking, and how we are identifying, analyzing, evaluating, and treating these risks. Time will be set aside at each board meeting to hear what is uppermost on management's mind regarding the risks to achieving our strategic and tactical objectives, as well as issues that are evolving that could impact us in the future.”53

References

  1. ASX Corporate Governance Council. 2013. “Corporate Governance Principles and Recommendations.” Sydney, Australia.
  2. Bart, Christopher, and David Kunsch. “Directors and Risk: Whither the Best Practices—Evidence from Canada” (forthcoming). The Directors College, Toronto, Ontario, and St John Fisher College, Rochester, NY.
  3. The Basel Committee on Banking Supervision. 2012. The Internal Audit Function in Banks.
  4. Beasley, Mark, Bruce Branson, and Bonnie Hancock. 2015. 2015 Report on the Current State of Enterprise Risk Oversight. AICPA and North Carolina State University.
  5. Beaumier, Carol, and Jim DeLoach. 2012. “Risk Oversight: Should Your Board Have a Separate Risk Committee?” Director Notes. New York, NY: The Conference Board.
  6. Canadian Institute of Chartered Accountants (now Chartered Professional Accountants). 1995. The Criteria of Control (CoCo) Internal Control Framework, published as Guidance on Control. Toronto, Canada.
  7. COSO. 2004. “Enterprise Risk Management—Integrated Framework.” Committee of Sponsoring Organizations of the Treadway Commission.
  8. Currie, Lysanne (editor). 2012. Business Risk: A Practical Guide for Board Members. London, England: Institute of Directors and others.
  9. Deloitte Touche Tohmatsu Limited. 2014. “As Risks Rise, Boards Respond. A Global View Of Risk Committees.” London, England.
  10. Directors and Chief Risk Officers Group. 2013. “Qualified Risk Director Guidelines.” The Governance Fund. Northfield, MN.
  11. Financial Reporting Council. 2014. The UK Corporate Governance Code.
  12. Financial Stability Board. 2013. “Thematic Review on Risk Governance: Peer Review Report.” Basel, Switzerland.
  13. Fraser, John, Karen Schoening-Thiessen, and Betty Simkins. 2008. “Who Reads What Most Often? A Survey of Enterprise Risk Management Literature Read by Risk Executives.” Journal of Applied Finance. April 1.
  14. Fraser, J. 2013. “Message from a Chair on Introducing Enterprise Risk Management (ERM) to a Company.” International Journal of Disclosure and Governance 10.
  15. Fraser, J. 2014. “Building Enterprise Risk Management into Agency Processes and Culture.” In Managing Risk and Performance—A Guide for Government Leaders, edited by Thomas Stanton and Douglas Webster. Hoboken, NJ: John Wiley & Sons.
  16. Fraser, J., and H. Lindsay. 2004. 20 Questions Directors Should Ask about Internal Audit. Toronto, Canada: Canadian Institute of Chartered Accountants.
  17. Fraser, J., and B. J. Simkins (eds.). 2010. Enterprise Risk Management—Today's Leading Research and Best Practices for Tomorrow's Executives. Hoboken, NJ: John Wiley & Sons.
  18. Fraser, John, and B. J. Simkins, 2007. “Ten Common Misconceptions About Enterprise Risk Management.” Journal of Applied Corporate Finance 19 (4): 75–81.
  19. Gupta, Parveen P., and Tim J. Leech. 2014. Risk Oversight: Evolving Expectations for Boards. New York: The Conference Board.
  20. Hurt, Christine. 2013. The Duty to Manage Risk (draft). Urbana-Champaign, Illinois.
  21. The Institute of Director's Guide. 2012. Business Risk: A Practical Guide for Board Members. London, England: Director Publications Ltd.
  22. IEC/ISO International Standard. 2009. IEC/ISO 31010 Risk Management—Risk Assessment Techniques. Geneva, Switzerland. International Electrotechnical Commission and International Organization for Standardization.
  23. The Institute of Internal Auditors UK and Ireland. 2004. “The Role of Internal Audit in Enterprise-wide Risk Management.” London, England.
  24. International Organization for Standardization. 2009. ISO 31000 Risk Management—Principles and Guidelines.
  25. Kaplan, Robert, and David Norton. 1996. The Balanced Scorecard: Translating Strategy into Action. Cambridge, MA: Harvard Business Press Books.
  26. The Korn/Ferry Institute. 2011. “Calculated Risk? The View from the Boardroom.”
  27. Leblanc, Richard, and James Gillies. 2005. Inside the Boardroom: How Boards Really Work and the Coming Revolution in Corporate Governance. Mississauga, Ontario: John Wiley & Sons Canada Ltd.
  28. Lindsay, H. et al. 2006. 20 Questions Directors Should Ask about Risk—Second Edition. Toronto: Canadian Institute of Chartered Accountants.
  29. Lipton, Martin. 2014. Risk Management and the Board of Directors—An Update for 2014. The Harvard Law School Forum on Corporate Governance and Financial Regulation.
  30. National Association of Corporate Directors. 2009. Report on the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward.
  31. Nottingham, Lucy. 2014. Risk Communication: Aligning the Board and C-Suite. Oliver Wyman. www.oliverwyman.com/insights/publications/2014/feb/risk-communication-2014.html#.VrFY6TYrKEI.
  32. Office of the Superintendent of Financial Institutions. 2013. Corporate Governance Guidelines. Toronto, Canada.
  33. Purdy, Grant. 2011. “Risk Appetite—Is Using This Concept Worth The Risk?” RiskPost. The New Zealand Society for Risk Management Inc.
  34. Purdy, Grant. 2011. “Demystifying Risk Appetite.” RiskPost. The New Zealand Society for Risk Management Inc.
  35. Purdy, Grant. 2014. “Cutting Through.” RM Professional. Institute of Risk Management.
  36. Quail, Rob. 2012. “What's Your Risk Appetite? A How-To Guide for Aligning your Company's Risk-Taking Philosophy with Its Strategic Objectives.” Corporate Risk Canada.
  37. Schwartz, Peter. 1996. The Art of the Long View. New York: Crown Publishing Group.
  38. Standards Australia and Standards New Zealand. 2004. Australian/New Zealand Standard: Risk Management: AS/NZS 4360:2004.
  39. Taleb, Nassim. 2007. The Black Swan: The Impact of the Highly Improbable. New York: Random House.
  40. Tarullo, Daniel. 2014. Memo to the Board of Governors of the Federal Reserve System. Washington, DC. http://www.federalreserve.gov/aboutthefed/boardmeetings/memo_20140218.pdf.
  41. Tonello, Matteo. 2013. Risk in the Boardroom. New York: The Conference Board.
  42. The Toronto Stock Exchange Committee on Corporate Governance in Canada. 1994. “Where Were the Directors?” Guidelines for Improved Corporate Governance in Canada.
  43. The Toronto Stock Exchange Committee. 1999. Report on Corporate Governance, 1999: Five Years to the Dey.
  44. The Toronto Stock Exchange with the Chartered Accountants of Canada. 2001. Beyond Compliance: Building a Governance Culture.
  45. U.S. Securities and Exchange Commission. 2010. Final Rule on Proxy Disclosure Enhancements Release Nos. 33–9089 and 34–61175.
  46. Van Der Elst, Christoph. 2013. The Risk Management Duties of the Board of Directors. Ghent University, Belgium: Financial Law Institute.

Additional Readings for the Serious Researcher

  1. Bergman, Mark S. 2009. Adapting to Regulatory Developments and Emerging Practices. New York: The Conference Board.
  2. Caldwell, John E. 2012. A Framework for Board Oversight of Enterprise Risk. Toronto, Canada: Canadian Institute of Chartered Accountants.
  3. Chartered Global Management Accountants. 2015. Global State of Enterprise Risk Oversight, 2nd Edition. New York and London.
  4. Connelly, Kevin M., Valerie R. Harper, and Carolyn C. Eadie. 2010. “The Growing Role of the Board in Risk Oversight. A World of Insight.” Spencer Stuart. www.spencerstuart.com/∼/media/pdf%20files/research%20and%20insight%20pdfs/the-growing-role-of-the-board-in-risk-oversight_06dec2010.pdf.
  5. Corporate Governance Council. 2012. Risk Governance Guidance for Listed Boards. Singapore.
  6. Deloitte. 2011. Risk Intelligent Proxy Disclosures—2011: Have Risk-Oversight Practices Improved? Deloitte.
  7. Deloitte. 2012. Risk Committee Resource Guide for Boards. www2.deloitte.com/us/en/pages/risk/articles/risk-committee-resource-guide-for-boards.html.
  8. Deloitte 2014. Risk Intelligent Governance: Lessons from State-Of-The-Art Board Practices.
  9. Financial Reporting Council. 2011. Boards and Risk: A Summary of Discussions with Companies, Investors and Advisers. London, England.
  10. Glover, Steven M., and Douglas F. Prawitt, et al. 2012. Enhancing Board Oversight: Avoiding Judgment Traps and Biases. COSO.
  11. Goldberg, Louis L., and Mutya F. Harsch. 2010. “The Role of the Board in Risk Oversight.” New York: The Conference Board.
  12. Gupta, Parveen P., and Tim J. Leech. 2015. The Next Frontier for Boards: Oversight of Risk Culture. New York: The Conference Board.
  13. Hurt, Christine. 2013. “The Duty to Manage Risk.” Illinois Program in Law, Behavior, and Social Science Paper No. LBSS14–09. http://ssrn.com/abstract=2308007 or http://dx.doi.org/10.2139/ssrn.2308007.
  14. Ittner, Christopher D. 2014. The Determinants and Implications of Board of Directors' Risk Oversight Practices. University of Pennsylvania and Social Science Research Network.
  15. Ittner, Christopher D., and Thomas Keusch. 2015. The Influence of Board of Directors' Risk Oversight on Risk Management Maturity and Firm Risk-Taking. Social Science Research Network. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2482791.
  16. Jones, Vanessa, and Ely Razin. 2013. “The Emerging Importance of Managing Risk in the Boardroom.” New York: Thomson Reuters.
  17. King Report on Corporate Governance. 2009. South Africa.
  18. Leech, Tim. 2011. Risk Oversight: Is It Broken? What Are the New Expectations? Toronto, Canada: Risk Oversight Inc.
  19. Leech, Tim. 2012. Board Oversight of Management's Risk Appetite and Tolerance. New York: The Conference Board.
  20. Moody's Investors Service. 2006. Best Practices for a Board's Role in Risk Oversight. New York.
  21. Moore, Marc T. 2010. “The Evolving Contours of the Board's Risk Management Function in UK Corporate Governance.” Journal of Corporate Law Studies 10: 279–308.
  22. National Association of Corporate Directors. 2008. Key Agreed Principles to Strengthen Corporate Governance for U.S. Publicly Traded Companies. Washington, DC.
  23. National Association of Corporate Directors. 2009. Risk Governance: Balancing Risk and Reward. Washington, DC.
  24. Orsagh, Matthew. 2012. “Visionary Board Leadership: Stewardship for the Long Term.” New York: CFA Institute.
  25. Protiviti COSO. 2010. Board Risk Oversight: A Progress Report—Where Boards of Directors Currently Stand in Executing Their Risk Oversight Responsibilities. Durham, North Carolina: AICPA.
  26. Salter, Josh. 2015. Exploring the Risk Committee Advantage. New York: Risk and Insurance Management Society, Inc.
  27. Slagmulder, Regine, and Maria Boicova. 2012. Integrating Risk Into Performance: Reporting to the Board of Directors. Durham, NC: CGMA.
  28. Tomorrow's Good Governance Forum. 2013. The Boardroom and Risk. London, England: Centre for Tomorrow's Company.
  29. Van Der Elst, Christoph. 2013. The Risk Management Duties of the Board of Directors. Ghent, Belgium: Financial Law Institute, Ghent University.
  30. Walker, Sir David. 2009. “A Review of Corporate Governance in Banks and Other Financial Industry Entities: Final Recommendations.” London, England. http://webarchive.nationalarchives.gov.uk/+/http:/www.hm-treasury.gov.uk/d/walker_review_261109.pdf.
  31. Walker, Paul L., William G. Shenkir, and Thomas L. Barton. 2011. Improving Board Risk Oversight Through Best Practices. Orlando, FL: The Institute of Internal Auditors Foundation.
  32. Ward, Jeanette. 2006. “ERM: The New Standard and Practice in Good Corporate Governance.” Standard & Poor's Financial Services LLC.