For the past few years, Congress, the SEC, rating agencies and even the venerable Risk Management magazine have all been harping on the need for organizations to improve their risk oversight. But as any risk professional worth his or her salt should know, not all risk oversight is good risk oversight.
It’s a very simple, logical fact — but one that is all too often overlooked.
No organization would think that just having management means it has good management. Few would think having an IT department means they inherently have optimal technology. For some reason, however, that is the way many think about risk oversight. We have it — it must be working.
Wrong.
Luckily, Boardmember.com has put together a good list of “Ten Ways Risk Oversight Can Fail” to help illustrate the difference.
Not understanding strategic risk management — the next “wave of the future” and something I wrote about in September — is one key way companies fail.
(2) Lack of understanding of, or a failure to monitor, the significant assumptions underlying the strategy – Boards should understand the critical factors that make or break the successful execution of the strategy and ensure a process is in place to monitor business or regulatory changes that could impact those factors.
Charting emerging risks, not surprisingly, was another obvious inclusion.
(4) Failure to identify and manage emerging risks – The board must satisfy itself that management brings to bear the appropriate expertise, processes and information to identify new and complex risks to the execution of the enterprise’s strategy and business model and to manage those risks effectively.
The list also featured a nice summation of what too many organizations consider an actual enterprise risk management program.
(6) The company practices “enterprise list management” – Generating lists of risks over time with no follow-up to understand and close gaps in risk management capabilities is not good practice. Risk management should impact the core management activities that matter – strategy-setting, business planning and performance management.
And, of course, the board — often a laggard on understanding the true risks of the company — can provide a critical point of risk oversight failure.
(10) The board isn’t organized effectively for risk oversight – The board may not be allocating sufficient time and resources to risk oversight. Or the board isn’t availing itself of the appropriate company officers to focus on identifying areas in which management needs to improve the organization’s capabilities and information for managing risk. Or there is insufficient coverage by the board of the enterprise’s risks.
Click through to the full article for the other six ways risk oversight can fail.
Great article and along the lines of what I’ve been saying for a number of years now.