Risks to corporations range from financial and reputational loss to cyber crime, supply chain disruptions, macroeconomic developments, and energy crises — categories that together have accounted for most of the risk to businesses worldwide over the last five years.
One of the chief roles of a board of directors is managing risks to the corporation. In this article, we’ll take a look at the various risk management elements of corporate governance, what the different kinds of risks are, and how board members can go about managing risks.
Read on to learn a little more about concepts such as risk awareness, digital risk management, and corporate risk frameworks.
Role of the board in risk management
As the body charged with providing guidance and direction to the company, the board of directors is also tasked with risk oversight. This includes identifying, predicting, and working to prevent potential risks to the corporation.
The role of the board of directors in risk management includes:
- Setting up a risk management framework for the entire organization, including relevant policies and procedures
- Working to identify and assess risks facing the organization, as well as potential loss areas
- Approving strategies and risk management systems to mitigate and counter potential risks
- Reviewing the board's risk management procedures and correcting course as needed
The board will often create a separate risk committee to address specific risks, with members chosen according to their professional qualifications in the various areas of risk, including financial and legal risk management.
Priorities of a risk management board
One of the key issues a risk management committee has to address is which specific risks to prepare against.
For it to be effective, a risk management system needs to take several factors into account, the three main ones being:
- Impact — how much potential damage specific risks pose to the organization
- Probability — how likely a risk event is to happen
- Urgency — the time frame available for preparing against the risks envisioned
The board’s risk management policies should also feature a clear understanding of the company’s risk culture and tolerance. The overall risk appetite of a company — that is, how much risk it is prepared to take in the pursuit of its objectives — is another determining factor for approaching risk management issues.
Impact of the board in risk management
An important question in corporate governance is how boards can best identify risks and assess their likelihood, as well as the success or failure of risk management policies.
Strategies for assessing potential risks and the effectiveness of risk management include:
- Setting up a separate risk committee charged with presenting the board with risk overviews
- Carrying out scenario analysis to evaluate the main risks to the company on a short and long-term basis
- Establishing an internal audit function for gauging the effectiveness of the board's risk management
- Setting up external reviews with auditors, consultants, insurance brokers, and risk management experts to work on and improve the company’s ability to manage risk
To determine which risks threaten a company the most, the audit committee should identify the company’s value proposition — which is to say, the core elements that define and propel the organization forward. Risks to this value proposition should then be established: financial risks, risks to reputation, market transformation risks, and so on.
Risk oversight and the board’s role in it
It’s useful to carry out risk assessment across a broad spectrum of potential issues, as board members face rising threats in the strategic, operational, and financial management of the organization. Key risk areas include:
- Strategic risk. These are risks that affect the organization’s ability to achieve its objectives and meet its obligations to stakeholders. Strategic risks include market changes, adaptation to technology, innovative competition, and regulatory changes.
- Operational risk. Includes risks related to the day-to-day operations of the organization, such as risks associated with processes, systems, people, and external events.
- Compliance risk. Compliance relates to legal, regulatory, and ethical standards and obligations; risks here can range from factors such as data privacy to anti-corruption and anti-money laundering legislation.
- Financial risk. Market shocks, credit issues, liquidity, and currency fluctuations are some of the aspects of financial risk, which is naturally a main field of risk assessment for financial institutions.
- Reputational risk. A brand’s image is often more valuable than its short-term earning prospects. As such, board members should scrutinize potential risks to the company’s reputation and public image. Negative publicity, scandals, and stakeholder engagement are all factors to consider here.
- Information security risk. A rising issue in risk management, this aspect takes into consideration risks related to the confidentiality, availability, and integrity of information and information systems. Cyber risk management and prevention of breaches and system failures all go under this heading.
- Physical security risk. This includes risks related to the physical security of the organization’s assets, employees, customers, and information. Physical security risk management takes into consideration risks to the physical supply chain and facilities, including factors such as natural disasters, fires, and crime.
Board risk management: Taking and managing risks
An important part of defining a company’s risk appetite is establishing the main loss areas for a company. One of the key subsets of risk management, loss management requires the company to look at potential sources of damage to its short- and long-term prospects.
Loss areas include financial, reputational, operational, legal, and information loss, each of which is described below.
Key risks of financial loss will vary according to the nature of the organization. They can include:
- Market shifts or upsets and macro-economic tendencies
- Outside factors such as major economic crises, pandemics, and natural disasters
- Innovations in technology that present a risk to the company’s business strategies
- New competition threatening to take over clients or users of the company’s services
Anything that damages a company’s standing with the public can be seen as a loss in reputation. Often, a financial loss is compounded by an even more damaging loss in reputation — one example is the failure of Disney’s Disneyland Paris in the 1990s, which not only led to huge financial losses but also damaged the company’s reputation well into the 2000s.
Loss in reputation can come from mismanagement in corporate governance, inside scandals or leaks, corruption problems, or negative publicity such as public boycotts.
Operational risk management seeks to identify and prevent business-specific risks to the company’s everyday business processes. Operating risk includes system failures and breakdowns, as well as simple employee error.
Risk management systems should also look at areas of legal risk to the company. Common legal issues tackled by risk oversight include:
- Litigation issues — lawsuits from individuals or regulatory bodies
- Regulation issues — failure to comply with ethical or regulatory standards, leading to fines and other penalties
An important aspect of business risk management is the information sphere. Here the risk audit committee should look at countering potential leaks, theft, or breaches of confidential company information.
Potential information hazards include cyber risk, with such risks as ransomware attacks featuring prominently, as well as internal leaks by disgruntled employees, whistleblowers, and other internal threats to the company.
This explains why cybersecurity for the board of directors should be an essential element of a risk management plan, and risk management training for board members should be the first step in it.
Quantitative risk assessment: Evaluation of board performance in risk management
A special audit committee is often set up to evaluate the board members’ performance and the correct implementation of risk management systems. As an alternative to the company’s internal audit function, the board can also use external auditors or consultants to conduct an independent assessment of the company’s risk management oversight.
Evaluation of board risk management takes into account several elements of risk and loss, and the audit committee will often use a variety of methods such as:
- Risk metrics such as risk exposure and loss frequency and severity
- Data analysis over an extended period of time
- Stakeholder feedback, including that of customers, employees, and suppliers
Areas of risk management oversight: Risk management board questions
To ensure risk management systems are correctly implemented and bring about the desired results, the audit committee can integrate a few questions into its performance reviews.
Key questions can include:
- What are the key risks facing the organization and how are they being managed?
- How do board members ensure that the risk management framework is aligned with the organization’s overall strategy of corporate governance?
- How can the company provide adequate resources, including personnel, technology, and processes, to manage risks effectively?
- Are there appropriate risk oversight systems, processes, and contingency plans in place to identify, assess, monitor, and report on risks?
- Is there an internal audit function to ensure compliance with relevant laws, regulations, and ethical standards?
- Are there regular reviews of the risk oversight process?
- Does corporate governance as a whole fit in with the risk management process?
- Is the organization’s risk appetite well defined and correctly accounted for in its risk oversight?
- Are relevant technologies employed to help minimize operating risk, as well as cyber risk?
- Is managing risk duly prioritized as part of the board’s oversight role?
Recommendations for improving board oversight of risk management
There are a few measures companies can take to improve oversight of board risk management practices.
- Develop a comprehensive risk management framework outlining the processes and risk policies established by senior management to prevent or mitigate the company’s risks, factoring in risk appetite, risk exposure, and company resiliency.
- Establish clear risk management responsibilities. Board directors should put in place internal controls that assign clear board responsibility, as well as accountability, for risk management.
- Take appropriate measures to regularly review and assess the organization’s success in dealing with the multiple risks facing the company, and draw conclusions from past mistakes and make changes as required.
- Improve risk reporting and communication and make it a central part of the company culture.
- Conduct frequent reviews of the risk oversight process, establishing an audit committee and potentially hiring internal auditors to annually review company approaches to business risk and risk taking.
Predicting risk, although an inherently limited approach, is also a core duty for the risk audit committee. Here it’s important to:
- Monitor the external environment. Regularly assessing dangers posed by the external environment (including economic, political, and regulatory events) can help identify potential risks and take the necessary measures beforehand.
- Utilize predictive analytics. Data modeling techniques and predictive analytics draw on historical data to predict potential risks.
- Engage stakeholders. An often overlooked aspect of risk prediction and mitigation is engaging stakeholders — including employees, customers, suppliers, and regulators — to gather their perspectives on potential risks.
- Conduct scenario planning. Planning for different risk scenarios will allow the company to react faster and more efficiently in the event of a crisis.
However, it’s worth bearing in mind that some of the most potentially disastrous events threatening an organization often cannot be anticipated at all — black swans, such as the 2008 economic crisis or the Covid-19 pandemic, are all the more dangerous for being unforeseen.
How should a company deal with unpredictable risks? The answer lies in building up organizational resiliency, something that can be implemented in a range of areas — from fostering a mentality of adaptation and innovation in your culture to providing ample redundancies and contingency plans.
Risk management: Board portals as a key technology
With the explosion in cybercrime, forecasted to cost businesses worldwide a whopping $27 trillion by 2027, mitigation strategies for cyber risks are in demand more than ever. And one of the many solutions available for business is the use of board management software and virtual data rooms.
What are board portals? Put simply, they are digital platforms where teams of board members and independent directors can work together: hosting paperless board meetings, conducting annual reviews, presentations, or votes, preparing minutes, memos, and company policies, and more.
Besides improving overall effectiveness in communication and performance, board portals are a key security improvement, offering important protections such as:
- Encrypted data storage and messaging, preventing breaches and hacks
- Critical data backups, increasing resilience against ransomware attacks
- Account protection features that counter phishing and other account hacking techniques
- Document protection technology, including remote shredding and dynamic watermarking, which help prevent internal leaks
Board portals are increasingly a mandatory tool for organizations big and small to optimize processes and counter cyber risks. iDeals Boards remain a popular virtual board meeting choice among seasoned professionals — and a top recommendation of our experts worldwide.
What role does a board play in ensuring effective risk management?
The board of directors is in charge of identifying risk scenarios that can affect the organization and drafting a framework for detecting, mitigating, and countering risks in an efficient and timely manner.
What is a risk management board?
A risk management board is a board tasked with addressing potential threats to a company’s stability and proper functioning. While this is usually a task for the board of directors, companies can also choose to form separate risk management boards made up of risk professionals and various company stakeholders.