A recent Harvard Law School blog, “A Framework for Board Oversight of Enterprise Risk”, provides an excellent practical summary of this very important topic. This is an area where many boards are currently looking for additional input and guidance. The question check-lists provided in the blog will be very useful for many boards. I’m sure they will suggest several questions new to each organization, that the board should be asking that have probably not been considered before.
It’s also great to see the blog recognize the importance of the inter-connectivity of risks. Typically risks have been scored and acted upon in isolation when this is quite obviously not mirroring reality. Typically boards are presented with information on individual risks and the individual mitigation strategies which the organization has put in place. Sitting atop the organization it is the board and management team who must lead the questioning on inter-connectivity as this is most often the place where the clearest picture can be seen.
One surprise in the blog was the omission of any discussion of reputational risk. Several high profile cases in recent years (e.g. BP, Barclays, Newscorp) have shown how failure to consider the reputational and trust implications of risks can destroy value, threaten companies and lead to high-profile executive departures. This is becoming increasingly important in the age of social media when reputations can be destroyed in minutes rather than months.
Active Risk, recently participated in World Risk Day 2012. This event had the aim of raising the profile of enterprise risk management and to highlight the need to take smarter risks to drive innovation and growth. The web site www.worldriskday.com has built up a valuable independent set of risk information, reports and surveys and is definitely worth a look for advice on how to get started with enterprise risk management. Active Risk’s own ERM Readiness Guide and paper on Embedding a Risk Culture from the Top Down will also be very useful.
Is your board asking the right questions? And is your organization prepared to give the answers?
Leave your thoughts in the comments section or tweet us @ActiveRisk.