This issue summarizes the results of a comprehensive survey Protiviti conducted of more than 200 directors regarding the current state of board risk oversight. Sponsored by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), this study provides insight as to how the risk oversight process could be improved.
In assessing the overall results of the survey, we found there are mixed signals about the effectiveness of board risk oversight across organizations. While many directors believe their boards are performing risk oversight responsibilities diligently and achieving a high level of effectiveness, a strong majority indicate that their boards are not formally executing mature and robust risk oversight processes. The results are somewhat better among respondents from public companies; these organizations continue to believe they are proactive in their risk oversight efforts. However, responses to several questions suggest there is overall dissatisfaction among a significant number of directors in several areas.
The results of this study reveal opportunities for improving board risk oversight:
- There is an opportunity to improve the robustness of the risk oversight process – More than half of the survey participants noted the board’s risk oversight process is either “effective” or “highly effective.” However, there also is general agreement among respondents that there should be a more structured process for monitoring and reporting key risks to the board. While just over half of the respondents believe there are processes for understanding and challenging assumptions and inherent risks associated with the business strategy, and that there are processes in place to monitor the impact of changes in the environment on the strategy, fewer than 15 percent of respondents noted that the board is fully satisfied with those processes.
- There is an opportunity to enhance risk reporting to the board – Respondents reported on the types of risk reporting their boards receive at least annually, along with those that they do not receive. The most common types of risk reporting received at least annually by boards include a high-level summary of top risks for the enterprise as a whole and its operating units; a periodic overview of management’s methodologies used to assess, prioritize and measure risk; and a summary of emerging risks that warrant board attention. Among those not received annually by most boards are scenario analysis evaluating the effects of changes in key external variables impacting the organization; a summary of exceptions to management’s established policies or limits for key risks; and a summary of significant gaps in capabilities for managing key risks and the status of initiatives to address those gaps. The results show that if reports are not received at least annually, they are generally received on an as-needed basis or not at all. These findings reveal an opportunity for organizations to improve the risk reporting process and increase the regularity of reporting according to the nature of the organization’s operations and risk profile, as well as the board’s specific needs.
- There is an opportunity to improve the risk appetite dialogue – The survey results suggest that within many organizations efforts are under way to understand better the entity’s risk appetite (i.e., understanding the boundaries and limits the organization sets on behavior in executing its operating model). However, the findings show that boards and their organizations can benefit from a more rigorous process. While respondents generally indicated they have routine discussions regarding risks that are acceptable for the organization to take, just 14 percent reported that this activity is sufficient for the board’s purposes. Of note, however, responses in this part of the study were higher among directors from public companies, with the highest level of satisfaction with the risk appetite dialogue reported by directors from large public companies, underscoring the maturity of the risk oversight process in these organizations.
- There are opportunities to improve monitoring of the risk management process – Nearly two-thirds of the respondents noted that board monitoring of the organization’s risk management process is not done at all or is carried out in an ad hoc manner. About half of the respondents reported that their boards have no formal processes to assess periodically whether the organization’s risk management system is resourced sufficiently. The view is more positive among public companies, where such board monitoring is more robust (64 percent overall, with public companies having annual revenue greater than $1 billion reporting 74 percent). While most respondents reported there is a process followed by management to provide timely information to inform the board’s risk oversight process, an overwhelming majority of directors noted that this process could be improved.
- Many organizations can do more to apprise the board of other significant risk matters – Based on the survey’s findings, there are opportunities to improve processes to notify the board when the organization has exceeded its risk limits, and to ensure that emerging risk issues are addressed in an appropriate and timely manner.
- Boards can self-evaluate the risk oversight process better and more frequently – Almost one-third of respondents noted the board does not self-evaluate its risk oversight processes to determine if it is meeting its oversight responsibilities, while an additional one-third only do so on an ad hoc basis. Fewer than one in 10 rate this self-evaluation to be a robust and mature activity, with the board satisfied with the supporting self-assessment process.
While many board members perceive their board’s risk oversight process is operating effectively, particularly those directors from larger publicly held organizations, there are opportunities for improvement for most organizations, as well as several noted impediments to be considered. Download a copy of the survey report, Board Risk Oversight – A Progress Report.
Board Perspectives: Risk Oversight (Issue 14)