Risk Oversight and the Board of Directors

Nicholas J Price
Because of the high risk and uncertainty of cyber risk, it's imperative for today's board directors to have at least a reasonable amount of knowledge about cyber risk and other risks that tend to plague corporations. The current advanced state and sophistication of technology make it challenging even for business leaders who have some technology acumen to keep up with the pace and scope of developments. Modern board directors need to acquire education about a complex set of risks, including big data, cloud computing, cyber risk, social media and other technology-related risks.

The risks that are lurking in the corporate realm and the cyber world are serious enough that even the least severe of them can compromise sensitive information and become major disruptors in a company's business processes. Given the many hazards of failing to address risks appropriately, boards must be vigilant about protecting their financial information and strengthening internal controls to prevent the financial and reputational damage that can so easily result from negligence in this area.

It's clear that risk oversight is a major area of board responsibility and one whose structure needs to be well designed. It's vital for boards to continue working on their risk oversight responsibilities. Senior executive leaders rely on the board, which plays a critical role in influencing their processes for monitoring risks. Effective risk oversight requires close collaboration between the board and management. Because boards and managers both have some responsibility for overseeing or managing risks, it's important that they regularly discuss where to draw the line between the risk-based decisions each of them makes and those that are more appropriately delegated to a committee. As new risks emerge and become apparent, it's even more crucial for boards to continually assess the risk oversight structure.

The Framework for Risk Oversight Board Structure

On a positive note, with some time and diligence, it's possible to create a solid framework for risk oversight. The role of the board of directors in risk management isn't always clear, and if they haven't already done so, boards should maintain an account of risks across the enterprise and map them to various board committees for oversight.

In addition to the board setting expectations for management, the audit committee plays a major role in the oversight of financial risks. To maintain proper oversight, audit committees need to know what risks they're responsible for. Where required, audit committees need to have the capacity for overseeing financial risks and monitoring management's policies and procedures. They may also be required to coordinate cyber risk initiatives, oversee management's approach to cyber threats and ensure that the company's cybersecurity plan is effective. Other duties that boards may delegate to the audit committee are to assess the adequacy of resources, risk oversight funding and cybersecurity risk management activities.

It's wise for the board and management to engage in regular discussions with the CIO, CISO or other technology leaders to help them understand which issues to focus on. The audit committee chairman is often a key person who can work with other groups to communicate the expectations regarding cyber and financial risk mitigation and help to enforce them.

The full board should take the lead responsibility to discuss risks that have the potential to disrupt and impact strategy. The Securities and Exchange Commission (SEC) requires boards to oversee risk and submit disclosures accordingly. In addition, the SEC requires boards to explain whether the entire board is involved in risk oversight, or whether they delegate certain aspects of risk oversight to their committees. Also, the SEC is interested in knowing whether the employees who are responsible for risk management report to the board or to other individuals in management.

In most cases, you should be able to align your committee charters with the defined risk governance structure. The audit committee typically takes responsibility for any unassigned risks.

In today's ever-changing marketplace, audit committees are busier than ever. The rapid pace of the marketplace, along with increasing demands, is causing audit committees to face more scrutiny, more tasks and more pressure. Before adding to your audit committee's workload, be careful not to overburden them and thus render them ineffective.

Covering All the Risk Oversight Bases

To cover all the bases for risk oversight, there needs to be a clear risk governance structure. Boards must be sure that they've identified all board committees that have any degree of responsibility for risk governance or oversight.

One of the primary issues to review is whether the board has considered the relationship between strategy and risk and whether those risks are internal risks or external risks. Can you be sure that your board, audit committee and other committees are getting the information they need to oversee the risk management process effectively?

Your board should also be sure to line up compensation programs so that they include accountability for risks. This is an opportune time to ensure that there is a process in place to monitor emerging financial risks. Regular reviews are necessary to ensure that risk oversight is being measured and that it's effective.

Technology probably plays a large role in your risk management program. Be sure that you have a plan to keep it updated and can continually monitor it for effectiveness.

Concluding Thoughts on Risk Oversight

The dangers that today's companies are facing are omnipresent and getting more dangerous and difficult to overcome. Boards have many responsibilities and risk oversight is one of great importance. Most boards find it necessary to delegate some of their responsibilities to committees. At the same time, they remain ultimately responsible for risk oversight and other responsibilities. Audit committees are uniquely equipped to manage various areas of risk oversight, so they stand as a reasonable choice to take on some of the responsibility for risk. Because of increasingly complex reporting requirements and the changing regulatory landscape, the expectations for audit committees are steeper than ever in their own right. It is the responsibility of boards and audit committees to set the tone at the top for appropriate risk oversight. Moving forward, companies can expect shareholders to continue to take them to task over this.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.