The critical role of the board in effective risk oversight
A director’s practical guide to asking the right questions at the right time
The financial crises experienced over the past few years have left most organizations with a measure of economic caution not seen in a generation, new regulations with which to comply, and a heightened appreciation for good risk management.
Directors are frustrated with the amount of time they must spend on regulatory and financial compliance matters — time that would be better spent talking about the future of the business, progress made on realizing strategic business initiatives, and proactive risk mitigation activities. The directors’ role is to balance performance and compliance by ensuring that management’s actions are consistent with corporate strategy, reflective of the culture of the business, and in line with the organization’s risk tolerance. They are expected to do their homework and be close enough to each other and the business to understand and analyze opportunities as well as risks in detail, while still maintaining enough distance to effectively challenge and assess how executives are managing performance and risk. Better-performing boards have found a balanced formula for overseeing and encouraging the management team, while constructively challenging management’s decisions as required.
At EY, our research suggests that organizations with more mature risk management practices outperform their peers financially. We believe that by applying a broad risk lens to the business, bringing to bear their experience and skills, and asking the right questions at the right time, directors can help companies realistically challenge assumptions, identify risks, understand their potential impact and manage effectively. We see and assist many boards and organizations that are striving to achieve better balance in their risk oversight activities, and we are witness to new leading practices as they emerge. In this document, we summarize and share these practices in order to help organizations reach that balance. Our objective is not to give directors more to do, but rather to share ideas on how to be more strategic and efficient in handling their responsibilities with regard to risk. We want to help organizations move from implementing a risk strategy that simply protects the business to adopting one that enables the organization.
Risk frameworks provide structure and information, but they don’t replace the board’s well-considered challenges to management’s plans and activities. This report addresses the activities that directors typically have on their agenda, and highlights leading practices that can help deepen their understanding of strategic business risks and opportunities. We suggest a structured risk focus as part of regular oversight activities, and provide key risk-related questions that can help directors be more effective decision makers throughout the business cycle. Asking the right questions will help management teams give directors what they need to optimize their contribution and fulfill their responsibilities, while allowing directors to spend less time on compliance issues and remain focused on business results and long-term success.