Overseeing risk is one of the board’s foundational duties. However, experts question whether this duty has gotten so complex—particularly with the introduction of cyber risk—that it’s nearly impossible for boards to wrap their arms around the task of overseeing enterprise risk management (ERM).
There’s no way that a board can feel comfortable with a company’s strategy without having a serious dialogue about risk.
In this episode, Herbalife board member Michael Montelongo outlines a risk oversight roadmap for corporate boards. Acknowledging that every company has a different risk profile, Montelongo explains how an effective ERM process operates as both an internal safeguard and a shareholder engagement tool. An ERM framework (like the one from COSO) is not only a good starting point for board discussion; it also reassures investors that the company's risk-taking is being systematically analyzed and rigorously managed.
What Board Committee (if Any) Should Own Enterprise Risk Management?
While the audit committee is functionally equipped to assess risk, Montelongo warns of the dangers of siloing enterprise risk management—a responsibility that the whole board should be managing. Kerstetter and Montelongo outline key considerations regarding the delegation of ERM. Ultimately, the company's risk profile must determine how that responsibility is assigned: to a dedicated committee, to an existing committee, or to the whole board.
How Can Boards Begin to Lay the Framework for an ERM Program?
According to Montelongo, directors must begin by engaging with management on the current ERM process. He outlines several questions, including:
- Does the company have a risk management vision, along with goals and objectives?
- Is there a gap analysis being performed between current and desired risk management capabilities?
- Is there an ongoing, structured process to update the company's risk profile, appetite, and tolerances as new changes enter the marketplace?
- How effectively are these changes communicated to internal and external stakeholders?