What questions should boards ask when considering risk?

10 December 2023

Effective risk management has never been so important. Risk processes have always been a vital part of any organisation’s strategy and performance. With the increasingly challenging nature of issues that organisations are facing, there is a growing need for a cohesive and comprehensive approach to risk at all levels. 

Boards have moved beyond simply overseeing the risk management policies and practices of their organisations. They now need to further consider how business practices are aligned with the organisation’s objectives, values and risk appetite. 

Risk management is no longer a static or one-off activity, but a dynamic and ongoing process that requires constant monitoring, evaluation and adaptation. It needs to assess different views of risk and consider how risks interact with each other.

Therefore, boards need to ask the right questions when considering risk issues. This is to not only challenge management and the risk function to provide clear and credible answers but also to consider what may be missing from the existing risk profile.

In order to challenge effectively, there are some questions which boards can ask:

  • how do we know what the key risks are?
    Risk processes can be driven from the internal identification of risk. This can lead risk registers to be too introspective and not consider wider global, societal and technological risks which affect an organisation. Boards should be horizon scanning and utilising wider experience to consider where potential risks may emerge from;
  • how do we review our risk profile?
    Boards need to ensure that they are reviewing the risk profile regularly so that they can capture those risks and issues which may prevent the organisation from reaching its goals. They also need to consider how suitable the identified actions and mitigations are in managing the overall risk position;
  • do we understand our risk appetite?
    Agreeing a risk appetite for different types of risk, communicating this throughout the organisation and embedding it so that it can guide decision making can be complex. Organisations are moving away from an overarching risk appetite statement to a more detailed consideration of different appetites across risk themes including financial, reputational, workforce, technology and regulatory areas. Many risks considered at board level include elements of different risk categories, so discussing risk appetite for individual risks is important;
  • how effective is our risk culture, and how is it monitored and reinforced?
    Boards need to ensure that the processes are operating as intended and that other incentives and performance targets are not working against an effective risk culture;
  • how do we embed risk management with our business planning, strategy, business cases and performance management processes?
    Boards should ensure that risk management is not a separate bureaucratic activity, but an integral part of the organisation’s strategic planning and decision-making processes. Boards should also ensure that risk management is aligned with the organisation’s performance management framework, and that there are appropriate metrics and indicators to measure and report on risk within core business reporting; and
  • how do we discuss risks with our key stakeholders and communicate externally?
    The focus on ESG means that organisations need to ensure robust processes are in place to identify and report risk to the wider stakeholder economy.

By considering the above, boards can strengthen their risk oversight role, and provide effective guidance and support to the management and the risk function. Boards can also improve their own understanding of the organisation’s risk profile, appetite and performance, and contribute to creating value and resilience through better risk management.

For further information on effective risk management, please contact Liz Wright or your usual RSM contact.
