Risk oversight and risk management have an almost-symbiotic relationship. “Almost” because having one almost always implies that you have the other.
However, organisations which have risk management may not automatically have risk oversight. Risk management is a must-have for the organisation, but risk oversight depends to a great extent on the capability and capacity of the Board to provide it. The Board sets the organisation’s strategy for management to operationalise; it follows that the Board therefore oversees the plans, processes and procedures and ensures they are being implemented and managed as they were intended to be.
But what does risk oversight do, if risk management is already in place? Risk management is an ongoing process which identifies, assesses and controls potential threats to the business. It forces the business into a proactive stance vis-à-vis its challenges, rather than waiting for a risk event to happen. It prepares the business for eventualities. To do this, risk managers set up frameworks, systems, processes and procedures which are designed to mitigate the possible negative effects of the risk event. To ensure that they have gone about it in the right way, the Board oversees the whole process by first establishing the strategy for it, then by monitoring management as it is implemented.
With the exception of the Executive Directors, Board members usually have limited time to oversee the firm’s matters, whereas management is always present and hands-on. This asymmetric relationship means management is more likely to know where the risks lie, and can provide up-to-the-minute information on how best to mitigate them. Based on this data, the Board can make informed decisions to formulate effective growth and sustainability strategies – but it requires close collaboration, trust and a high degree of personal integrity. Sound information allows both management and the Board to identify risks, assess them and develop an appropriate response.
As risk oversight is a Board responsibility, members themselves must ensure that they are up to the task. They should be aware of the major issues confronting their respective organisations, and the industrial landscape relevant to their business. Appropriate competence levels are a given, and if they are not up to the mark, they need to access the required training. Boards should also be aware of the changes in regulations, according to the jurisdictions where their businesses and subsidiaries are present. It cannot be emphasised enough that the Board must know in what direction the organisation should be steered, based on the strategy that has been formulated.
But in today’s environment, members need to rapidly recognise if or when a strategy is falling short. Agility and flexibility are critical because of the velocity with which situations change. The ability to reverse a decision quickly and re-strategise may be the difference between victory and disaster. Besides ensuring that checks and balances are in place, and everyone is doing what they’re supposed to, risk oversight has another purpose: to instil confidence in shareholders and stakeholders that the organisation is being professionally managed, and value is being created. As Boards delve deeper into risk management and oversight, the environment they operate in grows increasingly complicated.
Risks change, and expectations become greater. More is expected from both Boards and management by shareholders and stakeholders. Indeed, the stakeholder voice is becoming more strident; calls for greater transparency, accountability and better corporate governance are getting louder. The value of the company is tied to how effectively it responds. In addition to regulatory requirements, it also has to be perceived by the general public to be doing the right thing, or risk censure. Public censure will have an adverse impact on its value. Organisations should constantly monitor, review and evaluate their oversight capabilities, and make sure these are up to to the mark.
