A Framework for Board Oversight of Enterprise Risk

A Framework for Board Oversight of Enterprise RiskChartered Professional Accountants Canada

Overview: Board oversight of enterprise risk continues to be a topical issue for board deliberation and for most boards, it remains as one of the top priorities.
What is the role of the board in enterprise risk management? Traditional governance models support the notion that boards cannot and should not be involved in day-to-day risk management.
Rather, in their risk oversight role, directors should be able to satisfy themselves that effective risk management processes are in place and functioning effectively. The risk management system should allow management to bring to the board’s attention the company’s material risks and assist the board to understand and evaluate how these risks interrelate, how they may impact the enterprise, and how these risks are being managed. To meaningfully assess those risks, directors require experience, training and knowledge of the business.
In our view, boards must take a more active and direct role in risk assessment well beyond traditional oversight of typical risk management processes. In particular, risks associated with leadership and strategy are prime examples of areas where a board must assert itself more directly since management cannot be expected to objectively assess from a risk perspective its own performance, capabilities and strategy. Unlike other embedded responsibilities of boards and committees, such as the oversight of financial reporting and disclosure, there are no standards for risk oversight and few, if any, authoritative sources on which boards may rely.
The number of well publicized distressed situations or even bankruptcies each year — both unforeseen and anticipated – shows that over-reliance on or absence of effective, management led enterprise risk processes and models can have unexpected or even catastrophic results. These high-profile disasters are often cited as extreme examples of failure of enterprise risk management systems and board oversight.
The reality is that it is unlikely for most enterprises to encounter significant distress. So why should management and boards focus attention on risk? Because the consequences of ineffective risk management and related board oversight are underperformance and destruction of asset or shareholder and stakeholder value. It is in this context that this document is written.
Effective risk management and board oversight should not be premised on risk avoidance. Every corporation is exposed to and takes risks daily. What is important is to manage the balance of risk and reward and to identify and minimize the consequences of a negative occurrence to the extent possible.

Download