This is “Questions Boards Should Ask About Risk Management”, section 3.1 (from appendix 3) from the book Governing Corporations (v. 1.0).


14.1 Questions Boards Should Ask About Risk Management

The NYSE listing requirements specify that, when addressing the audit committee’s duties and responsibilities, the committee charter should state that the committee must discuss management’s policies with respect to risk assessment and management. The ERM framework provides a context for such a discussion. Examples of questions the committee should ask include

with respect to strategy, [Note: This appendix is from Waller, Lansden, Dortch, and Davis (2005).]

  1. Is the board effectively engaged in strategic discussion of the company’s appetite for risk taking?
  2. Does management involve the board when making decisions to accept or reject significant risks?
  3. Is the company taking risks the board does not understand?
  4. Are the risks inherent to the company’s business model fully understood? Managed capably? Monitored in a timely fashion?

with respect to policy,

  1. How does management reward growth and innovation without creating unacceptable exposure to risk? Are there defined boundaries and limits that clearly specify behaviors that are off-limits?
  2. Is there a proper balance between entrepreneurial and control activities? Are the risks associated with opportunity seeking clearly understood and managed?

with respect to execution,

  1. Does management understand the uncertainties inherent in its strategies for the business?
  2. Are there assurances that risk controls function properly?
  3. Does the company have effective contingency plans to respond in the event of a crisis?
  4. What system of “early warning” signals does the company have?
  5. Are there effective processes in place for identifying, measuring, and evaluating risk-management capabilities?
  6. Has a risk officer or risk-management team been appointed?

with respect to transparency,

  1. Is there an effective process for reliable reporting on risks and risk-management performance?
  2. Does the company have an organizational structure in place to support enterprise-wide risk management?