Board oversight of risk

March 2019

Enterprise risk management (ERM) has seen a renaissance in the last 10 years, driven first by the financial crisis and then by mounting concerns over issues such as cybersecurity, privacy, and fraud. In response to demands from investors, regulators, and other stakeholders, companies and boards have strengthened their focus on the processes used to identify and mitigate the wide array of risks.

According to members of the European Audit Committee Leadership Network (EACLN), ERM systems are now considerably more mature than they were before the financial crisis. Yet they see room for improvement, especially in the board’s oversight of risk, and they are asking questions that continue to defy easy answers. For example, how should responsibility for overseeing risk be allocated among the board and its committees? How can emerging risks be spotted before they seriously threaten a company? How can the board ensure that risks are being managed effectively and in accordance with the company’s risk appetite?
Executive summary

On 5 February 2019, members of the EACLN met in London to discuss aspects of risk oversight that continue to challenge boards and audit committees:

  • Which committee should take the lead? 
    Most EACLN members, especially those on boards in industries other than financial services, reported that their audit committees are responsible for the risk oversight process. The audit committee also typically oversees some subset of specific risks, delegating the rest to appropriate committees. However, members acknowledged the benefits of a dedicated risk committee that can focus its time and effort on the complexities of risk oversight.

  • How can the board enhance the risk identification and prioritization process?
    Members reported extensive interactions with senior members of management to identify and prioritize risks. They mentioned the use of dashboards or risk maps as a way of assessing and comparing risks in a systematic way. They also noted that field trips to business units can be helpful for understanding risks. To avoid being surprised by significant emerging risks, members also suggested more imaginative scenario planning, including stress testing.

  • How are key risks managed?
    Boards review how key risks are managed, interacting with all three lines of defense—the business units, the risk management function, and internal audit. While they see value in keeping these lines separate, they acknowledged that a strict separation is not always enforced. They also see room for improvement in the articulation and application of the company’s risk appetite to determine if residual risks are acceptable. Even financial services companies sometimes struggle to specify their risk appetite for operational risks, though they tend to be further along in applying the concept of risk appetite.