A service for human rights researchers · Tuesday, April 22, 2025 · 805,392,538 Articles · 3+ Million Readers

Is Your Board Asking the Really Tough Questions about Risk?

Senior management has borne the brunt of criticism in recent memory in high-profile cases involving risk management and internal control failures. While management failures often are the root cause of losses, penalties and reputational damage, boards of directors are increasingly being cited for significant risk governance failures. Substantial investments have been made in risk functions, including standing up dedicated risk committees (“RiskCos”), developing risk appetite statements, improving reporting and requiring board members to undergo mandatory risk-specific training. The financial services sector has long been a leader in this area, but comparable practices are emerging in other industries.

What issues do you find most challenging to oversee?

  • Cybersecurity/Data Privacy: 59.5%
  • Regulatory Compliance: 48.7%
  • Enterprise Risk Management: 29.7%

How would you rate your board’s effectiveness in the following areas?

  • Ability to challenge management when appropriate: 80.5%
  • Ability to oversee the risk management plan to mitigate corporate exposures: 77.8%
  • Balance of skills and expertise: 72.3%

A recent FTI Consulting survey provides valuable insights into disconnects between risk awareness, oversight challenges and perceptions of effectiveness. While board members acknowledge oversight challenges in risk and compliance, most respondents feel their boards are effective. Source: “What Directors Think 2025: A Changing Risk Landscape,” Corporate Board Member.

With solid awareness and confidence in their capabilities, why are many boards still missing the mark in risk oversight and challenge? Each governance failure is unique, but several themes appear consistently, including a lack of focus on top risks, skill gaps and low-quality management information. Below, we provide tangible steps your board can take to improve in these areas.

Keeping Pace With the Evolving Landscape

For many boards, risk reporting includes reams of (sometimes stale) data in standardized templates with limited situational analyses. To stay current on market trends and top risks, boards should insist on a high-quality executive summary that explains the most critical items requiring board attention in the context of the current market.

Which of the following risks would most impact your firm’s ability to execute strategy?

  • Cybersecurity: 78.4%
  • Key-Person Risk: 70.3%
  • Privacy, Data, AI Risk: 55.6%
  • Conduct Risk: 45.9%

Boards should also require that risk reporting provides sufficient visibility into changes in the company’s risk profile and control environment. The broad purview of board members may provide a better vantage point to identify emerging risks, concentrations and aggregate impacts. Boards should confirm that risk reporting provides timely coverage of changes from both internal and external risk drivers.

Internal drivers may include:

  • Changes to products, services or geographic footprint
  • Rapid growth that creates new, large exposures
  • Key person turnover or increased turnover across the firm

External factors may include:

  • Macroeconomic shocks
  • Legal, regulatory or political environment
  • Disruptive technologies

Boards should challenge management’s understanding of these factors and the risk-mitigating steps taken in response. They must be proactive in formulating their own questions and presenting them to management. It’s also critical to document board review and challenge in meeting minutes. Supervisors will look for evidence of credible challenge by the board of risk reporting and risk management capabilities more broadly.

Board Risk Reporting

Lengthy risk reporting packages and a summary presentation from the Chief Risk Officer (“CRO”) are the norm for most RiskCos. The executive summary should highlight key information, including adherence to the firm’s risk appetite, top and emerging risks and notable trends in these areas. Appendices provide detail on key risk indicators and risk-specific metrics across all risk categories. The RiskCo (where one exists) reviews the full package and engages more frequently with the CRO and risk management executives. The Chair of the RiskCo will raise the most important issues to the full board.

While regulators will continue to expect high-quality risk reporting, survey responses suggest that boards should consider how management reporting fits with their preference for more dialogue and external expertise. Finding the right mix can engage more directors in the risk governance process.

Which actions would you take to optimize your board’s oversight?

  • Increased exposure to outside parties/experts to discuss specific issues/risks: 63.9%
  • Less presentation and more discussion: 47.2%

Many boards fail to identify and advocate for their own information needs and assume what has been provided by the RiskCo is complete. The board must identify gaps or deficiencies in the reporting given significant changes in the internal or external environment. Boards should also challenge the context and framing of issues provided by management. Are there any blind spots? Is there bias in management’s perspective?

To strengthen independent assurance, the board should ensure the audit committee’s activities and outcomes are aligned with the risk management function. It should be satisfied that the annual audit plan provides appropriate coverage of risk management, and that multiyear plans provide comprehensive coverage.

Across institutions, full board engagement in risk discussions varies widely. As operations grow increasingly complex and technology-focused, risk functions are becoming an amalgamation of highly technical and disparate subject-matter experts (“SMEs”). Their deep expertise in credit risk, anti-financial crime, cybersecurity and other risks may go unchallenged. In board discussions, the CRO may demonstrate an impressive command of the firm’s risks and controls. Combined with a detailed risk reporting package, the CRO’s presentation may leave the board with a sense that everything is under control. Boards may become more passive in their risk oversight, with too much deference to the experts. Standards of independent review and challenge, however, require boards to take an active role in risk governance.

Addressing Gaps in Skills and Knowledge

The volume and complexity of risk management topics facing boards require a wide range of specialized knowledge and the ability to pivot quickly in response to new risks. Boards must self-identify knowledge gaps and ensure they consult with relevant SMEs. If the company has ongoing exposure to a specific risk, the board should include it in its skills matrix and consider adding a relevant SME to the board.

Quantitative outputs also require board challenge, both in terms of interpretation and management response. The board must consider whether the reporting conveys a false sense of accuracy (e.g., in some cases, discrete model outputs should be presented as confidence intervals). Separately, the planned business response to model outputs may lack the appropriate margin of conservatism, such as the use of multipliers or financial buffers. Key model assumptions and underlying scenario designs should be subject to challenge.

Which criteria would you prioritize in selecting a new director?

  • Financial Expertise: 40.5%
  • Industry and Customer Experience: 40.5%
  • C-suite Experience: 27.0%
  • Cybersecurity Experience: 24.3%
  • Legal, Compliance and Risk Management Experience: 21.6%

While boards acknowledge the significant potential impacts of risk and compliance incidents, survey results show that these skill sets remain a low priority when appointing new directors. Source: “What Directors Think 2025: A Changing Risk Landscape,” Corporate Board Member.

Some respondents have addressed risk and compliance skill gaps already, but they should consider adding bench strength in emerging risks, given the preponderance of financial and strategic risk SMEs on many boards. The board’s skills matrix and committee memberships should include careful consideration of transferable skills and experience. A wealth of knowledge from outside industry CEOs and CFOs can be leveraged for risk identification and mitigation. All board members should consider company/industry-specific risks and risk management practices in the context of their own experience. This diversity of skills and experience is achieved intentionally, so it’s incumbent on the board and RiskCo chairs to tap such knowledge.

Conclusion

With heightened expectations from both regulators and investors, boards must ensure they provide diligent oversight and effective challenge of risk management. Some actions your board can take to improve risk governance include:

  • Stay current on the evolving internal and external factors driving risk across the enterprise and ensure risk reporting addresses them.
  • Define reporting requirements for the depth and breadth of information and relevant context in risk reporting.
  • Identify knowledge gaps the board has and implement both short- and long-term plans to close them.

Boards must demonstrate a thorough understanding of the organization’s risk profile, which entails acquiring relevant knowledge, or bringing in outside experts on specific topics. Only then can they ask the right questions and fulfill their role in the risk management process.

Richer dialogue and more informed challenge of the risk function might have prevented many of the high-profile failures in recent years. Risk officers and board members must stay focused on the ultimate goal of enterprise risk management: to foster more responsible growth and innovation through deeper integration of the risk lens into strategic planning and performance management.

Powered by EIN Presswire

Distribution channels: Education
