The Role of the Board in Risk Management: Risk Governance and Oversight

The board of an organisation holds the ultimate responsibility for risk management and internal control, making its role one of risk governance and oversight. But what exactly is risk governance and oversight? While various definitions exist, the core of risk governance and oversight lies in the actions, processes, and structures through which authority is exercised and decisions on risk management are made and executed, together with the process of overseeing the effectiveness of risk management practices through regular review and assessment.

The board’s role in risk governance and oversight is crucial as effective risk management can yield significant benefits for the organisation (Hopkin and Thompson, 6th Ed, pg 53), including the following:

  • Supports improved risk-based decision-making;
  • Enables effective and efficient core processes to achieve organisational objectives and meet stakeholder expectations;
  • Provides assurance regarding the effectiveness of risk management and internal control; and
  • Supports compliance with applicable laws, regulations, and internal policies.

The fundamental components of the board's risk governance and oversight role encompass defining the roles of all employees, segregating duties, and delegating authority to individuals, committees, and the board for the approval of risks, risk limits, risk reports, and general oversight of risk management.

In delineating the board's role in risk management, it is crucial to define key risk management roles, responsibilities, and accountabilities organisation-wide, as depicted in Figure 1 below:

Figure 1 Risk management roles and responsibilities.

  • The board is responsible for risk governance and oversight;
  • Executive management is responsible for risk oversight and infrastructure; and
  • Business unit management, support functions, and assurance functions carry the responsibility for risk management and ownership of risks and controls.

Now, let us delve into the board's risk governance and oversight role further:

  • Setting the overall direction for risk management in a board-approved risk management policy which also articulates leadership’s commitment to risk management including the allocation of resources to risk management;
  • Risk governance includes the structures in place within an organisation, such as the board and the risk or audit committee. These structures require transparency and visibility into the organisation's risk management practices to fulfil their risk governance and oversight responsibilities. These risk governance structures need to have clearly defined risk management roles and responsibilities, as set out in the charter and/or terms of reference;
  • Clearly defining key risk management roles and responsibilities and ensuring that they are well-understood. Clarity among all employees regarding their risk management roles is imperative. Continuous training and awareness sessions enhance understanding and contribute to a risk-aware culture;
  • Setting the tone for a risk-aware culture falls within the board's purview, requiring consistency throughout the organisation;
  • Approval of the organisation's risk appetite and risk-bearing capacity is a crucial task for the board;
  • Oversight of significant enterprise-wide risks and ensuring management has implemented controls to manage them are key tasks for the board; and
  • Ensuring an effective risk management process and a common risk framework are in use organisation-wide, to support strategy-setting and the achievement of objectives, is a board responsibility.

Risk monitoring and reporting are pivotal elements of the risk management process. Board reports on significant risks should be prepared quarterly and submitted to the risk/audit committee. Based on our experiences with clients across various sectors, maintaining high-quality board risk reporting involves striking the right balance between staying strategic and high-level, while offering sufficient detail for the board to fully comprehend critical risk issues.

Utilizing risk dashboards and other visual aids often enhances the quality of board reports. Excessively detailed reports, however, can impede the board's effectiveness in fulfilling its risk governance and oversight responsibilities.

Risk communication, including risk escalation processes, significantly aids the board in making informed decisions and fulfilling its risk governance and oversight role. While communicating risk information to the board is widespread practice, establishing ample channels for the reciprocal flow of risk feedback from the board back to the business is equally crucial, an area often needing development among the clients we work with.

Management, support, and assurance functions play a vital role in enabling the board to fulfil its risk governance and oversight responsibilities. Functions such as risk management, IT, and internal audit, amongst others, provide assurance on the effectiveness of risk management and internal control systems. External auditors also play a critical role in providing independent, objective assurance to the board.

In conclusion, the board bears ultimate responsibility for risk management and internal control within the organisation. Risk governance and oversight are at the heart of the board's role, supported by delegated roles and responsibilities managed by executive management and others within the organisation. For the organisation to truly benefit from effective risk management, everyone within it must fulfil their risk management roles and responsibilities, fostering a culture of risk awareness.

In fulfilling its risk governance and oversight role, the board should focus on:

  • Setting the direction for risk management and allocating resources to risk management in a board-approved risk management policy;
  • Ensuring appropriate risk governance structures are in place and remain appropriate for the organisation;
  • Setting a tone for a risk-aware culture;
  • Clarifying key risk management roles and responsibilities through the risk management policy, board charter and board committee terms of reference;
  • Approving the organisation's risk appetite and risk-bearing capacity;
  • Monitoring significant risks and key controls and monitoring whether key risks are within the risk appetite of the organisation; and
  • Ensuring an effective risk management and internal control system.

Risk management reports should enable the board to gauge the management of significant risks, while management, support and assurance functions provide assurance to the board on the effectiveness of the risk management and internal control systems.

Mathilda Dzumbunu

Reserve Bank of Zimbabwe Non Executive Director | Managing Director of Sapientis Advisory (Zimbabwe)

11 months

A strong board is vital for effective #riskmanagement, fostering informed decisions, streamlined operations, stakeholder trust, and regulatory compliance. Their oversight ensures clear roles, segregated duties, and appropriate risk mitigation strategies are in place for organizational success.