      The accelerating complexity of the risk landscape, combined with rising regulatory expectations and stakeholder scrutiny, places growing pressure on boards to exercise meaningful and informed risk oversight. This goes beyond passive monitoring: boards are increasingly expected to actively challenge management's risk posture and ensure that governance structures are fit for purpose. The emergence of cyber threats, geopolitical instability, AI-driven disruption, and ESG accountability has expanded the risk universe well beyond traditional financial and operational boundaries.

      Organizations implementing a GRC framework face recurring structural tension. Firstly, many struggle to find the right balance between extremes: an overly informal approach may preserve agility but leaves risk exposure poorly managed, while an excessively process-heavy model creates compliance fatigue and stifles the entrepreneurial behaviors that drive performance. Neither extreme delivers sustainable governance.

      A second category of failure arises when GRC operating models evolve organically rather than by design. When the three lines of defense are built through successive, uncoordinated decisions, gaps and overlaps multiply, assurance efforts duplicate, and the board loses a coherent view of risk exposure.

      Equally critical - and often underestimated - is the cultural dimension: where tone-from-the-top and behavioral incentives are misaligned with stated risk appetite, soft controls break down and even robust formal frameworks will underperform.

      Against this backdrop, effective board-level oversight requires disciplined, structured inquiry. The following questions provide a practical framework for boards seeking to assess the maturity and coherence of their organization's risk management capabilities.

      • Do we have a complete and current view of the organization's full risk universe, covering strategic, operational, financial, compliance, and emerging risks?
      • How do we assess risks and do we apply an appropriate mix of quantitative and qualitative methods - including stress testing and scenario analysis?
      • What is the organization's risk appetite and has it been formally approved and communicated across the business?
      • Which mechanisms ensure that risks are actively managed within the boundaries of the approved risk appetite and how are breaches escalated?
      • How do we ensure that the three lines of defense operate in a coordinated manner - avoiding gaps and overlaps, maximizing assurance efficiency, and producing integrated risk reporting to the board?
      • Do we have the necessary GRC competences and experience within the organization, the audit committee, and the board itself - beyond financial expertise?
      • How are risk management and strategic planning processes aligned, and which mechanisms are in place to identify emerging risks and weak signals of change before they materialize?
      • How do we assess and manage the interconnectivity and cascading effects between risks, particularly under stress scenarios?
      • Do the organization's culture, code of conduct, HR policies, and performance and reward systems actively reinforce the desired risk management behaviors?
      • What independent and objective assurance does internal audit provide over risk management activities and key controls, and is its scope aligned with the board's assurance appetite?
      • How are we organized to respond to disruptive events - in terms of Business Continuity Management, Crisis Management, and Disaster Recovery - and have these arrangements been tested?
      • How do we systematically capture and act on lessons learned from incidents, near-misses, and audit findings?
      • Do we have the right risk culture in place, how is it measured, and what concrete actions are being taken to strengthen it?

There is no one-size-fits-all model for effective risk oversight; the context in which the organization operates, as well as its risk appetite, regulatory environment, and assurance maturity, are key determinants of how risk oversight should be structured. That said, the following twelve principles offer a robust and broadly applicable foundation for any board seeking to strengthen its risk oversight practice.

      1. Require that (risk) management drafts the company’s complete risk universe (including strategic and operational risks).
2. Perform a (or ask for an independent) critical analysis of the risk assessment processes set up by the company.
      3. Based on the risk universe, prepare an assurance map, indicating the activities of the second- and third-line functions that contribute to achieving reasonable assurance that the risks are under control. This will help to identify gaps and overlaps and to define a proper audit plan based on the board’s assurance appetite.
      4. Request that management have a specific reflection on the Governance, Risk and Compliance target operating model during business transformations. Ask how the three lines of defense are working together in an optimized manner (i.e., with sufficient coverage and in a cost-efficient manner). Challenge whether the right governance model is put in place for effective risk oversight, including committees at board and management level, roles, and responsibilities as well as reporting lines and escalation mechanisms.
5. Request that management provide integrated risk reports, combining the insights of all risk and audit professionals overseeing specific risk categories. Reports presented to the board should reflect a cross-functional view of risk exposure, not siloed assessments from individual departments.
      6. Systematically challenge management on how risks and controls are being managed and on risk identification and horizon scanning: which mechanisms are in place to detect emerging risks, weak signals, and regulatory developments before they materialize into significant exposure?
      7. Request that management explain how they align the company’s culture with the risk appetite.
      8. Ensure that sufficient GRC knowledge and experience (besides financial expertise) is present in the competence set of the board and/or the audit committee.
      9. Periodically reassess the Risk Management and Internal Control process, organization, and performance.
      10. Periodically reassess the internal audit function process, organization (including its size, composition, and sourcing model), and performance.
11. Periodically evaluate the board’s effectiveness, particularly on its risk oversight duty.
      12. Ensure that the organization leverages adequate digital capabilities to support risk identification, monitoring, and reporting. Periodically assess whether GRC tools, dashboards, and data analytics are proportionate to the complexity and velocity of the risk landscape.


      About the Board Leadership Center

      KPMG’s Board Leadership Center (BLC) offers non-executive and executive board members – and those working closely with them – a place within a community of board-level peers. Through an array of insights, perspectives, and events – including topical seminars and more technical Board Academy sessions – the BLC promotes continuous education around the critical issues driving board agendas.

      Contact us

      Olivier Macq

      Partner, Chairman Board Leadership Center | Audit

      KPMG in Belgium

      Olivier Elst

      Partner | Advisory

      KPMG in Belgium
