Risk management, as the term suggests, is the province of management. Risk oversight, on the other hand, is the responsibility of the Board. There is an inevitable overlap as the Board sets the strategy of the organisation’s risk management and keeps an eye on management as it operationalises the management of the risks that challenge the business. This management is done through the implementation of the appropriate frameworks, systems, processes and procedures that are set in place through the risk management strategy which the Board determines. The “oversight” part comes into play as the Board monitors management’s performance.
This does not mean that the Board is constantly looking over management’s shoulder in order to find fault. Rather, it is keeping a careful eye on how strategies and systems are performing so that adjustments can be quickly made before the business is negatively impacted by the risk. Management is not so much being overseen, as it is being aided in its efforts. Running a business is often overwhelming, even for the best, most competent of managers. Risk oversight by the Board provides a level of comfort – another pair of eyes, another perspective – that management is doing the right thing.
Besides this, it also instils confidence in shareholders and stakeholders because it indicates that there are checks and balances in the firm. It is a concerted effort at transparency and good corporate governance. In today’s constantly-evolving and increasingly dynamic business environment, the Board needs to stay abreast of trends and developments to ensure that the firm maintains its competitive edge. Its members have to keep a finger on the pulse of the market to stay current. Keeping abreast of developments is crucial because of the rapidity with which situations can change. If one strategy falls short, another must rapidly replace it.
Up-to-the-minute information is crucial to decision-making. Management is able to provide such information through being hands-on with the business. With up-to-date, correct data, the Board is able to alter strategy accordingly. This goes a long way towards determining organisational agility and flexibility. But all this happens only if the Board and management understand what risk management and risk oversight entail, and are willing to work together to make it happen. Risk management and risk oversight are inextricably linked but tasks must be clearly defined for them to be truly effective. Management and Board need to be aware of the risks facing the firm, and the extent of impacts.
While both need to be aware of the current business environment, management has to ensure the integrity of the data collected. The Board discusses and analyses it, to decide if it is worth acting on. It has to decide the extent of the organisation’s risk appetite where particular risks are concerned. Not all risk is bad, and sometimes taking a risk is better than doing nothing at all. The application of oversight here is critical; the Board needs to be able to reverse its decisions or quickly restrategise if the situation indicates the possibility of a negative impact on the firm. Oversight is generally undertaken through the appointment of Board members to various Board committees.
These committees oversee various aspects of the organisation in collaboration with management. But the business landscape is increasingly complicated, and both Boards and management need all the help they can get. Management could take the approach of identifying risks in the various areas of business, departments or units, and forward these for the attention of the Board committee which has oversight of that particular area. This will give a comprehensive picture of the challenges arising in the respective areas, and identify the issues which will have to be dealt with at Board level as these could disrupt the firm’s long-term viability.
The issue of risk oversight is becoming more complex, particularly with the increase in stakeholder interest and involvement. Companies are no longer operating as they see fit; they have to take into consideration what their stakeholders – not just their shareholders – regard as “fit,” as well. Constantly-changing regulatory landscapes and increasing technological challenges add to the complexities of oversight. The risks themselves are changing. Firms used to be wary of disgruntled employees committing fraud; today, they worry about their systems being hacked and held to ransom by people they don’t even know.
Regulators are pressing for more transparency. Stakeholders are calling for better corporate governance and insisting on ethical practices. Social media has become the go-to channel of communication. Information of corporate misdeeds spreads faster than any communications department can contain it. How can all this be managed? These have become risks themselves. Amid all this uncertainty, there is only one certainty: that the Board’s role in risk oversight will not be diminishing anytime soon. While management works to identify the threats that confront the business, and searches for ways to control these, the Board should ensure that the tools to do this are available.
This means having in-depth knowledge of the business, and the challenges it faces from other players and industries. It means having to create ways of accessing what is required for this through collaboration with management, and crafting appropriate strategies. Both Boards and Management need to be vigilant; eyes need to be kept on the industry, market and competition. Emerging risks need to be identified, and mitigations put in place. Check, monitor and evaluate to ensure that the frameworks, systems, processes and procedures that have been put in place are performing as intended. Ensure that management has the resources it needs to do its job. Invite feedback; be open; accept constructive criticism and evaluation, and engage with all levels for effective oversight.
