The Board's Role in Risk Oversight

Ten years ago, issues like cybersecurity, data privacy or sexual harassment were infrequently discussed at the board level. Today, these issues dominate board agendas given the material risk they pose to corporations and their financial longevity.

Risk oversight has long been a function of the board of directors. The last decade, however, has seen a significant uptick in stakeholder interest and involvement: Regulators have taken an active role in increasing transparency and monitoring risk throughout corporate financial systems. Institutional investors are pressing boards to think less mechanically and more holistically about the risks that may threaten long-term value creation. Even customers and employees are pressing companies to consider the impact of their actions on the communities in which they operate and society at large. The board’s role in risk oversight has grown increasingly complex–and it’s now a spectator sport.

In the sections below, we briefly outline best practices around the board’s role in risk oversight. We also share key resources to guide the governance and key considerations for various types of risks that are impacting today’s companies.

Best Practices

No longer is risk oversight a stand-alone item on the board agenda. Today’s high-performing boards recognize that discussions of strategy and risk are hopelessly intertwined–and that organizational performance often depends on striking the right balance between the two.

Identify the company’s key drivers of success.

An intimate knowledge of the company business model is key. Understanding what underpins the success of the company is the first step to protecting the organization’s most valuable systems and assets. By deconstructing the business-model drivers, boards and management teams can begin to recognize the inherent risks and identify potential disruptors, both internal and external.

Establish Key Risk Indicators (KRIs).

Through this process, the board should agree on a set of key risk indicators or KRIs (i.e., metrics designed to raise red flags when key risks may be materializing). For example, if company culture has been identified as a driving force in the organization’s success, the board may use metrics around employee turnover or whistleblower complaints to indicate a crack in the culture before it becomes a flood.

Get the right data.

As boards design their system of early warning signs, the actual measurement or execution of these KRIs can be challenging. Boards should work with the corporate secretary and across management to discuss how KRI data reaches the board and establish thresholds for these red-flag indicators. By nature, these metrics will be largely quantitative; yet, boards mustn’t overlook the important role that qualitative data plays. Continuing with the example above: What can the board glean from interactions with front-line employees or exit-interview data? Could more regular meetings with business-unit leaders provide valuable insight into the “tone in the middle”?

Anticipate (and encourage) disruption.

To think about risk only in a vacuum of “present day” is misguided. This is where discussions of risk and strategy are nearly inseparable, but also where the board can add 30,000-foot value to the management’s day-to-day operations. What’s coming around the corner? How will AI advancements in supply chain or inevitable data privacy regulations impact our business? Keeping a competitive eye on the market, today’s board must also consider the risks of not innovating fast enough. Boards must set the right tone in their interactions with management–one that encourages this type of disruptive thinking from both sides, but always keeps an eye on the inherent risks. This is a topic that our new book Governing in the Digital Age explores in depth.

Assess the best structure for your board.

The full board has the responsibility for risk oversight; yet, board committees typically play an important role in the process. The audit committee has traditionally spearheaded the board’s risk oversight function; yet, many boards are also exploring different committee structures to ensure that risk gets the attention it needs in today’s boardrooms. Risk committees, while still in the minority, are becoming a more common method of governance. Increasingly, boards are even creating committees around specific types of risk (e.g., a cyber risk committee or a technology risk committee). Each board should assess its own needs based on the company, industry, business model, existing committee structure, and similar factors.

Types of Risk

Throughout this site, we frequently explore various types of risks: What should directors know about emerging risks? How are other boards approaching oversight? In the section below, we share various resources:

Emerging Technology & Cyber Risk

Corporate Culture

Reputational Risk

Mergers & Acquisitions

Globalization Risks

Key Challenges

Emerging technologies, social media, globalization—these things present vast opportunities for growth, yet they also heighten the risk environment for today’s companies. Boards must not only oversee the risk management process across the organization and communicate that process to investors, but they must ultimately determine the appropriate risk appetite for their company—because one of the greatest risks today is not innovating fast enough.

Diligent Director Network Module

Are you looking at the same data your investors are looking at?

Today’s boards must be looking at the same data today’s institutional investors and proxy advisors have access to. Quick access to information helps board members identify governance red flags raised by shareholders and activists—from skills matrices to overboarding and conflicts of interest. Learn more about how Diligent’s Director Network module is driving these types of insights.

Is your board communicating securely?

Board members often possess the most sensitive company information. How secure is your board management software? What kind of information is your board sharing over email? Today’s boards can’t afford to take a chance with information security. Learn why Diligent is the most secure offering in the board software space.