Leading practices in enterprise risk management

Board risk oversight

Audit Committee Leadership Network, April 2015

On March 10-11, 2015, members of the Audit Committee Leadership Network (ACLN) convened in New York for their 29th stand-alone meeting. On March 11, one session focused on leading practices in enterprise risk management (ERM). The goal of this session was to share examples of ERM practices that ACLN members have found to be innovative or especially effective.

This ViewPoints presents a summary of the key points, along with background information and selected perspectives that members and subject matter experts shared before and after the meeting.

ACLN members shared ideas and practices on three main topics in their discussion of ERM:

  • Leadership and organization
    Members noted that effective ERM requires an engaged CEO who establishes priorities and galvanizes action on critical cross-company risks, such as cybersecurity. At the same time, accountability for ERM should extend through the business, with managers of the various business lines taking responsibility, supported by the staff of the risk function. Internal audit can assist the risk function with thought leadership and skills related to the ERM process, or it can provide independent assurance on the ERM system, though allowing it to perform both these roles could compromise objectivity.

  • Tools and techniques
    ACLN members brought up the benefits of desktop exercises to evaluate how the company would respond if certain risks materialized. In pre-meeting discussions, they described the use of broad-based company surveys to identify risks, which can then be analyzed and prioritized. Recognizing that business opportunities often entail risks, however, members also argued that the ERM system should enable risk taking by both mitigating risks and evaluating residual risks against the company’s risk appetite.

  • Board and audit committee practices
    In order to be effective, the board must work with the CEO to prioritize the risks it focuses on. It should also get out into the field, spending time with business leaders and their employees, and it should conduct deep dives on key risks. Delegating some oversight of specific risks to committees other than the audit committee may make these responsibilities more manageable, and paying attention to the mix of experience and skills on the board may also be helpful.