Performing effective risk oversight

The increasing complexity of the risk universe and expectations towards corporate governance puts additional pressure on boards of many organizations to fulfill their risk oversight function.

There are a number of critical challenges and pitfalls for organizations looking to implement a proper Governance, Risk & Compliance (GRC) system. For starters, many organizations struggle to find the right balance between a too-intuitive and informal GRC approach, which stimulates entrepreneurship but does not sufficiently allow for the proper management of risks and compliance requirements, and a too heavy bureaucratic set-up, which can be an administrative burden that kills entrepreneurship.

Other pitfalls include a GRC operating model that is not thought through holistically but is the result of fragmented decisions and initiatives, leading to uncoordinated efforts between the three lines of defense, inefficiencies and a lack of clear risk oversight. Meanwhile, insufficient attention to the cultural part of GRC can result in the failure of soft controls, nullifying the efforts made on hard controls.

With this level of complexity, there’s a lot to consider, and some important questions must be asked to help guide Boards as they carry out their risk oversight responsibilities.

• Do we have a view of the global risk landscape of the organization (completeness)?
• How do we evaluate risks, and do we have a good mix of quantitative and qualitative risk assessment methods in place?
• What is the company’s risk appetite?
• Which mechanisms are in place to ensure that risks are managed in accordance with the company’s risk appetite?
• How do we ensure that the activities of the three lines of defense are properly coordinated to maximize the efficiency of assurance, to avoid gaps and overlaps in the risk landscape, and to ensure integrated risk reporting?
• Do we have the necessary competences and experience for Governance, Risk & Compliance available in the organization and the audit/risk committee?
• How are our risk and strategy processes aligned, and which mechanisms do we have in place to identify emerging risks and signals of change?
• How do we deal with interconnectivity or interdependencies of risks?
• Does the organization’s culture, code of conduct, human resource policies and performance reward system support the risk management and internal control system?
• Which internal audit activities and processes are in place to provide independent and objective assurance for risk management activities and the organization’s key controls?
• If disruptive events occur, how are we organized to deal with these in terms of Business Continuity Management, Crisis Management and Disaster Recovery?
• What and how do we learn from previous incidents?
• Do we have the right risk culture in place and what is being done to promote this?

There is not a one size fits all model for effective risk oversight; the context the organization operates in as well the risk and assurance appetite are important drivers on how risk oversight should best be defined. However, the following 11 principles are useful considerations for risk oversight:

1. Require that (risk) management drafts the company’s complete risk universe (including strategic and operational risks).
2. Perform a (or ask for an independent) critical analysis of the risk assessment processes set up by the company.
3. Based on the risk universe, prepare an assurance map, indicating the activities of the second- and third-line functions that contribute to achieving reasonable assurance that the risks are under control. This will help to identify gaps and overlaps and to define a proper audit plan based on the board’s assurance appetite.
4. Request that management have a specific reflection on the Governance, Risk and Compliance target operating model during business transformations. Ask how the three lines of defense are working together in an optimized manner (i.e., with sufficient coverage and in a cost-efficient manner). Challenge whether the right governance model is put in place for effective risk oversight, including committees at board and management level, roles and responsibilities as well as reporting lines and escalation mechanisms.
5. Request that management provides integrated risk reports, combining the insights of all risk and audit professionals overseeing specific risk categories.
6. Ask structural questions on how risks and controls are being managed and how emerging trends/signals of change are being identified.
7. Request that management explain how they align the company’s culture with the risk appetite.
8. Ensure that sufficient GRC knowledge and experience (besides financial expertise) is present in the competence set of the board and/or the audit committee.
9. Periodically re-assess the Risk Management and Internal Control process, organization and performance.
10. Periodically re-assess the internal audit function process, organization (including its size, composition and sourcing model) and performance.
11. Periodically evaluate the board’s effectiveness in particular on its risk oversight duty. 

About the Board Leadership Center

KPMG’s Board Leadership Center (BLC) offers non-executive and executive board members – and those working closely with them – a place within a community of board-level peers. Through an array of insights, perspectives and events – including topical seminars and more technical Board Academy sessions – the BLC promotes continuous education around the critical issues driving board agendas.