14.1 Questions Boards Should Ask About Risk Management
The NYSE listing requirements specify that, when addressing the audit committee’s duties and responsibilities, the committee charter should state that the committee must discuss management’s policies with respect to risk assessment and management. The ERM framework provides a context for such a discussion. Examples of questions the committee should ask include
with respect to strategy,
- Is the board effectively engaged in strategic discussion of the company’s appetite for risk taking?
- Does management involve the board when making decisions to accept or reject significant risks?
- Is the company taking risks the board does not understand?
- Are the risks inherent to the company’s business model fully understood? Managed capably? Monitored in a timely fashion?
with respect to policy,
- How does management reward growth and innovation without creating unacceptable exposure to risk? Are there defined boundaries and limits that clearly specify behaviors that are off-limits?
- Is there a proper balance between entrepreneurial and control activities? Are the risks associated with opportunity seeking clearly understood and managed?
with respect to execution,
- Does management understand the uncertainties inherent in its strategies for the business?
- Are there assurances that risk controls function properly?
- Does the company have effective contingency plans to respond in the event of a crisis?
- What system of “early warning” signals does the company have?
- Are there effective processes in place for identifying, measuring, and evaluating risk-management capabilities?
- Has a risk officer or risk-management team been appointed?
with respect to transparency,
- Is there an effective process for reliable reporting on risks and risk-management performance?
- Does the company have an organizational structure in place to support enterprise-wide risk management?