
Board Risk Oversight

“Risk oversight” describes the role of the board of directors in the risk management process. The risk oversight process is the means by which the board determines that the company has in place a robust process for identifying, prioritizing, sourcing, managing and monitoring its critical risks, and that this process is improved continuously as the business environment changes. By contrast, “risk management” is what management does, which includes appropriate oversight and monitoring to ensure policies are carried out and processes are executed in accordance with management’s selected performance goals and risk tolerances. Through the risk oversight process, the board:
  1. obtains an understanding of the risks inherent in the corporate strategy and the risk appetite of management in executing that strategy,
  2. accesses useful information from internal and external sources about the critical assumptions underlying the strategy,
  3. is alert for organizational dysfunctional behavior that can lead to excessive risk taking, and
  4. provides input to executive management regarding critical risk issues on a timely basis. 

Risk oversight is a high priority for today’s boards of directors. Because the risk oversight playbook is likely to evolve over several years, emphasis on refining the risk oversight process can be expected to continue into 2010 and beyond. Our Board Perspectives: Risk Oversight series is intended to provide short discussions of topics germane to the risk oversight dialogue.


See Protiviti Managing Director Jim DeLoach discuss the board's responsibilities in managing risk.

Current Topic

Issue 75 - Ten Principles for Risk Oversight Revisited: This issue revisits 10 timeless principles for boards to use to evaluate their risk oversight process as it stands today.

Previous Topics

Issue 74 - Facing Change with Confidence: This issue discusses the what, why, when and how underlying “facing change with confidence.”

Issue 73 - Ensuring Risk Management Success: This issue discusses five interrelated principles that underlie effective risk management within all organizations in both good times and bad: integrity to the discipline of risk management, constructive board engagement, effective risk positioning, strong risk culture, and appropriate incentives.

Issue 72 - Should the Board Have a Separate Risk Committee?: This article discusses the circumstances in which it may be appropriate to have a separate risk committee, what value it contributes to the board’s overall risk oversight responsibilities, how it should be organized, and other related topics. 

Issue 71 - How Mature Are Our Risk Management Capabilities?: This article focuses on the five stages of a capability maturity framework: the initial state, the repeatable state, the defined state, the managed state, and the optimizing state.

Issue 70 - Identifying Emerging Risks: A Long-Term Perspective: This article discusses the World Economic Forum’s annual update on global risks and considers whether risk assessment processes use a time or planning horizon that looks out far enough.

Issue 69 - Sooner or Later, Your Fundamentals Will Change: This article discusses why facing change with confidence is the ability to recognize the vital signs and act on them decisively.

Issue 68 - Ensuring Internal Audit is Doing What Really Matters: This issue considers 10 ways the future auditor can contribute value to the organization.

Issue 67 - Briefing the Board on IT Matters: This issue discusses three contexts for conducting IT briefings with the board.

Issue 66 - Managing Cyber Threats with Confidence: This issue discusses why it is important to focus on protecting an organization’s most important information assets and systems by understanding the changing threat landscape and preparing for the inevitable incidents.

Issue 65 - Positioning Compliance for Effectiveness: This issue explores different views regarding the responsibilities expected of the compliance function and their implications to positioning.

Issue 64 - The Most Important Risks for 2015: The top 10 risks for 2015 reflect some marked differences compared to 2014 and provide insight as to what’s on the minds of senior executives and directors.

Issue 63 - Focusing the Board's Risk Oversight on What Matters: While each board must decide for itself whether a common risk-category language is useful given the nature of the enterprise’s operations, this issue explores five risk categories directors may want to consider.

Issue 62 - Effective Use of Executive Sessions When Overseeing Risk: Used appropriately, executive sessions can be an important part of a board’s risk oversight process.

Issue 61 - A Value-Based Approach to Risk Oversight: Executive management is expected to take risks in the pursuit of building enterprise value. At the same time, those risks must be well managed. But can the risk management process itself contribute value?

Issue 60 - Overcoming Bias in Risk Management: Issue 60 discusses how overcoming bias in risk management is all about improving risk/reward decision-making processes.

Issue 59 - To Manage Disruption, Understand Strategic Assumptions: Issue 59 of Board Perspectives: Risk Oversight discusses why management should identify and consider the key assumptions underlying the drivers that shape the organization’s strategy.

Issue 58 - COSO 2013: Why Should You Care?: Issue 58 of Board Perspectives: Risk Oversight gives six reasons why the board (or one or more of its committees) should care about the updated framework and offers pertinent questions for boards to consider.

Issue 57 - Strengthening Your Risk Culture: Issue 57 of Board Perspectives: Risk Oversight discusses how the use of self-assessment techniques, internal surveys, focus groups and other methods can help an organization understand its current risk culture state.

Issue 56 - Measuring the Success of Enterprise Risk Management: “How do we measure the value of enterprise risk management?” This is a deceptively simple question for which there is no simple answer.

Issue 55 - Recognizing Emerging Risks: Issue 55 of Board Perspectives: Risk Oversight discusses techniques for identifying emerging risks.

Issue 54 - How Risk Appetite Should Impact Behavior: A risk appetite statement is a reminder to management and the board of directors of the core risk strategy arising from the strategy-setting process.

Issue 53 - Oversight of IT Risk Management: Provides 10 suggestions for boards to consider as they enhance their risk oversight as it relates to IT matters.

Issue 52 - The Most Important Risks for 2014: Summarizes the major business challenges identified by nearly 400 C-level executive respondents to a survey conducted by Protiviti and North Carolina State University’s ERM Initiative.

Issue 51 - The Five Lines of Defense - A Shareholder's Perspective: Discusses how an effectively designed and implemented lines-of-defense framework can provide strong safeguards against breakdowns in risk management.

Issue 50 - Five Risk Oversight Questions Directors Should Ask: Presents five questions directors should ask as part of the board’s risk oversight process.

Issue 49 - Gaining Traction with Enterprise Risk Management: Provides seven design principles that will help overcome ERM implementation challenges.

Issue 48 - Key Questions to Consider for the Risk Appetite Dialogue: Considers three elements of a risk appetite statement: risks that are acceptable or on-strategy; risks that are undesirable or off-strategy; and strategic, financial and operational risk parameters.

Issue 47 - Is Your Company Exposed to the Right Risks?: Risks are implicit in any organization’s strategy, whether management and the board are aware of them or not.

Issue 46 - Managing Country Risk: Provides some points for multinational companies to consider when faced with high-risk situations.

Issue 45 - Intersecting Risk Management and Crisis Management: Stresses the importance of being prepared early for a potential crisis, which can improve an organization’s ability to respond to a crisis, reduce damage to a company’s brand image and reputation, and minimize regulatory sanctions, penalties or fines.

Issue 44 - Managing Cybersecurity Risk: Cyberattacks are a growing problem not only for companies, but also for governments. The issue presents four considerations for managing cybersecurity risk.

Issue 43 - What Social Business Means to Your Risk Profile: Discusses 10 social business risks: loss of intellectual property and sensitive data, compliance violations, reputation loss, financial disclosures, effect on human resources, inability to manage the technology “knowledge divide,” safety loss, competitor risk, brand hijacking, and poor management of social business community forums.

Issue 42 - Fine-Tuning Your Corruption Risk Management: Discusses 10 lessons learned from the DoJ favorable opinion release for Morgan Stanley.

Issue 41 - Integrating Risk with Business Planning: Considers how risk should be integrated into the annual business planning process.

Issue 40 - Integrating Risk with Managing Operations: Discusses key considerations when evaluating operational risks. These risks relate to the various activities along the value chain within which the organization’s business model operates.

Issue 39 - Shaping the 2013 Risk Oversight Agenda: Provides 10 questions for boards to consider as reminders as they evaluate their risk oversight agenda for the next 12 months.

Issue 38 - Focus on the "Tone of the Organization": Explains why it is vital that the tone at the top be translated into an effective "tone in the middle" before it can reach the rest of the organization.

Issue 37 - Working Capital Management: A Tool for Optimizing Costs and Reducing Risk: Focuses on aspects of managing working capital and cash flow as a means of optimizing costs and reducing risk.

Issue 36 - Is Your Competitive Intelligence Providing Early Warning?: Focuses on why companies should use competitive intelligence as an enterprise value protection tool.

Issue 35 - Is Your Compliance Management Making a Difference?: Describes several key elements for boards to consider: board oversight; executive management supervision; policies, standards, procedures and reporting mechanisms; risk assessment and due diligence activities; effective internal controls and monitoring; training and awareness programs; and investigatory and disciplinary mechanisms.

Issue 34 - The Evolving Risk Landscape: Discusses the World Economic Forum's report on global risks, which includes five categories: economic, environmental, geopolitical, societal and technological.

Issue 33 - The Board's Role in Overseeing Acquisitions: A discussion on how active board risk oversight can help ensure desired outcomes from a strategic standpoint are achieved with new acquisitions.

Issue 32 - Communicating Critical Enterprise Risks to the Board: Focuses on what we define as the top five to ten risks that can threaten a company’s strategy, business model or ongoing viability.

Issue 31 - Assessing Risk: An Operational Perspective: Discusses the appropriate risk assessment approach to take for operational risk, which should be directed at understanding the risk of loss of any of the key links in the value chain.

Issue 30 - Assessing Risk: A Strategic Perspective: Explains how strategic risk analysis can assist senior management with understanding the critical assumptions underlying the strategy and using contrarian analysis to challenge those assumptions.

Issue 29 - Managing Reputation Risk: Explains why a company’s reputation management is inextricably linked to its risk management and crisis management.

Issue 28 - Social Media: What It Means to Your Risk Profile: Highlights 10 business risks associated with social media.

Issue 27 – Oversight of Information Technology Risk: Offers suggestions for boards to consider to help them enhance their IT risk oversight.

Issue 26 – Ten Questions the Board Should Ask: Discusses 10 key questions for boards to consider as they plan their 2012 risk oversight agendas.

Issue 25 – Reducing the Risk of Rogue Trading: Focuses on “tone at the top” and effective internal controls, as well as some important questions for boards and senior executives to consider.

Issue 24 – Should the Board Have a Separate Risk Committee?: Weighs the pros and cons for establishing a separate board risk committee and discusses appropriate roles for the potential risk committee.

Issue 23 – Identifying Emerging Risks: Discusses how to identify emerging risks, which may affect the long-term viability of an organization’s strategy.

Issue 22 – Is Your Organization an Early Mover?: Offers insights on why organizations should be early movers when it comes to identifying and acting on opportunities and risks.

Issue 21 - Managing Corruption Risk: Shares how a robust anti-corruption program can save companies from the expensive consequences of corruption violations.

Issue 20 - Formulating an Initial Risk Appetite Statement: Suggests what to include when formulating assertions for a risk appetite statement.

Issue 19 - Managing Supply Chain Disruption Risk: Provides key considerations regarding supply chain disruption risk and how to manage it.

Issue 18 - Staying Engaged in the Risk Oversight Process: Considers how boards can make risk oversight an ongoing and integral part of their responsibilities.

Issue 17 - Finding the Right Chief Risk Officer: Considers what qualifications a company should look for when evaluating CRO candidates.

Issue 16 - Five Risk Categories for Focusing Risk Oversight: Discusses governance risks, critical enterprise risks, board-approval risks, business management risks and emerging risks.

Issue 15 - Recommendations from Protiviti's Board Risk Oversight Survey: Provides recommendations based on the results of a survey that COSO and Protiviti conducted regarding the current state of board risk oversight.

Issue 14 - Survey Results Provide Baseline for Board Risk Oversight: Summarizes the results of a survey that COSO and Protiviti conducted regarding the current state of board risk oversight.

Issue 13 - When Insolvency Issues Arise: Focuses on personal liability risks and responsibilities for independent directors in times of financial distress.

Issue 12 - Preparing for a Black Swan: Understanding, preparing for and managing risks related to unexpected, high-impact events.

Issue 11 - Ten Ways Risk Oversight Can Fail: Reviewing 10 reasons that can contribute to failure of the board’s risk oversight process.

Issue 10 - Aligning Strategy Setting and Performance Management with Risk: Discussing the importance of integrating risk management with strategy setting and performance management, and the board's role in this process.

Issue 9 - The Importance of Tone at the Top to Risk Management: A review of 10 key indicators that collectively provide red flags that potential issues may exist within the organization.

Issue 8 - Four Foundational Elements of Risk Management: A look at four elements that define what executives should assess when evaluating the role and effectiveness of risk management.

Issue 7 - Ten Risk Oversight Principles: A review of 10 key principles that will assist boards in strengthening their risk oversight.

Issue 6 - Positioning the CRO for Success: This issue details the factors that enable the CRO to be successful.

Issue 5 - Organizing for Risk Oversight: This issue reviews some of the factors directors should consider as they organize their board for risk oversight.

Issue 4 - The Risk Appetite Dialogue: This issue defines risk appetite and reviews ways in which the board and management should discuss it on an ongoing basis.

Issue 3 - Knowing What You Don't Know: This issue addresses the reality that, in today’s environment, management and the board can never be certain they know everything they need to know. Nonetheless, there are eight steps they can take to manage uncertainty.

Issue 2 - The Enterprise Risk Assessment Process: The first question the risk oversight process seeks to answer is, “What are our most critical risks?” An effective risk assessment process lays the foundation for management to respond to this question with confidence and instills confidence in the board that management has a substantive basis for answering the question.

Issue 1 – Risk Oversight: A Board Imperative: This issue provides suggested questions that boards of directors may consider, as appropriate to the entity's operations, as they seek to clarify their risk oversight responsibilities. 

Future Topics

Future issues will be influenced by market developments and feedback from board members. Topics currently under consideration include Thinking Strategically in Managing Risk, Drawing the Line Between the Board’s Role and Management’s Role, and Driving Transparency Through Sourcing Risk Information. If you have a topic that you would like to add to the conversation or feedback on the topics under consideration, please share it with us.
