Question

In: Accounting

“Prior to the advent of the Coronavirus, cybersecurity was ranked as the greatest risk to doing business in North America by the World Economic Forum (WEF). In its 2019 Global Risks Report it ranked as the second biggest business risk for the UK and Ireland after Brexit”.

- Advise how a company’s board of directors could implement a risk management strategy to address future uncertainties.

- Evaluate the characteristics of an effective risk management system that would address the key issue to which the above quotation draws attention.

Solutions

Expert Solution

Both the law and practicality continue to support the proposition that the board cannot and should not be involved in day-to-day risk management. However, as recent legal developments in 2019 make clear, it is important that the board’s role of risk oversight include steps taken at the board level, rather than solely at the management level, to be actively engaged in monitoring key corporate risk factors, including through appropriate use of board committees. It is also important that these board-level monitoring efforts be documented through minutes and other corporate records.

Directors should—through their risk oversight role—require that the CEO and senior executives prioritize risk management. Directors should satisfy themselves that the risk management policies and procedures designed and implemented by the company’s senior executives and risk managers are consistent with the company’s strategy and risk appetite; that these policies and procedures are functioning as directed; and that necessary steps are taken to foster an enterprise-wide culture that supports appropriate risk awareness, behaviors and judgments about risk, and that recognizes and appropriately addresses risk-taking that goes beyond the company’s determined risk appetite. This necessitates that the board itself is kept aware of the type and magnitude of the company’s principal risks, especially concerning “mission critical”-related areas, and is periodically apprised of the company’s approach for mitigating such risks, instances of material risk management failures and action plans for mitigation and response. In prioritizing such matters, the board can send a message to management and employees that comprehensive risk management is not an impediment to the conduct of business nor a mere supplement to a firm’s overall compliance program, but is, instead, an integral component of strategy, culture and business operations.

EFFECTIVE RISK MANAGEMENT

Specific types of actions that the board and appropriate board committees may consider as part of their risk management oversight include the following:

  • review with management the categories of risk the company faces, including any risk concentrations and risk interrelationships, as well as the likelihood of occurrence, the potential impact of those risks, mitigating measures and action plans to be employed if a given risk materializes;
  • review with committees and management the board’s expectations as to each group’s respective responsibilities for risk oversight and management of specific risks to ensure a shared understanding as to accountabilities and roles; establish a clear framework for holding management accountable for building and maintaining an effective risk appetite framework and providing the board with regular, periodic reports on the company’s residual risk status;
  • review with management the company’s risk appetite and risk tolerance and assess whether the company’s strategy is consistent with the agreed-upon risk appetite and tolerance for the company;
  • review with management the ways in which risk is measured on an aggregate, company-wide basis, the setting of aggregate and individual risk limits (quantitative and qualitative, as appropriate), the policies and procedures in place to hedge against or mitigate risks and the actions to be taken if risk limits are exceeded;
  • review with management the assumptions and analysis underpinning the determination of the company’s principal risks and whether adequate procedures are in place to ensure that new or materially changed risks are properly and promptly identified, understood and accounted for in the actions of the company;
  • review the company’s executive compensation structure and incentive programs to ensure they are appropriate in light of the company’s articulated risk appetite and risk culture and to ensure they are creating proper incentives in light of the risks the company faces and encouraging, rewarding and reinforcing desired corporate behavior and compliance;
  • review the risk policies and procedures adopted by management, including procedures for reporting matters to the board and appropriate committees and providing updates, to assess whether they are appropriate and comprehensive;
  • review management’s implementation of its risk policies and procedures, to assess whether they are being followed and are effective;
  • review with management the quality, type and format of risk-related information provided to directors;
  • review the steps taken by management to ensure adequate independence of the risk management function and the processes for resolution and escalation of differences that might arise between risk management and business functions;
  • review with management the design of the company’s risk management functions, as well as the qualifications and backgrounds of senior risk officers and the personnel policies applicable to risk management, to assess whether they are appropriate given the company’s size and scope of operations;
  • review with management the primary elements comprising the company’s risk culture, including establishing “a tone from the top” that reflects the company’s core values and the expectation that employees act with integrity and promptly escalate non-compliance in and outside of the organization; accountability mechanisms designed to ensure that employees at all levels understand the company’s approach to risk as well as its risk-related goals; an environment that fosters open communication and that encourages a critical attitude towards decision-making; and an incentive system that encourages, rewards and reinforces the company’s desired risk management behavior;
  • review with management the means by which the company’s risk management strategy is communicated to all appropriate groups within the company so that it is properly integrated into the company’s enterprise-wide business strategy;
  • review internal systems of formal and informal communication across divisions and control functions to encourage the prompt and coherent flow of risk-related information within and across business units and, as needed, the prompt escalation of information to senior management (and to the board or board committees as appropriate); and
  • review reports from management, independent auditors, internal auditors, legal counsel, regulators, stock analysts and outside experts as considered appropriate regarding risks the company faces and the company’s risk management function, and consider whether, based on each individual director’s experience, knowledge and expertise, the board or committee primarily tasked with carrying out the board’s risk oversight function is sufficiently equipped to oversee all facets of the company’s risk profile—including specialized areas such as cybersecurity and the risks that are most critical and relevant to the company and its industry—and determine whether subject-specific risk education is advisable for such directors.
