Nine steps for effective risk oversight by corporate boards

Corporate boards are taking a more comprehensive view of risk oversight as a result of a global financial crisis. But many boards are unaccustomed to and unprepared for this role, according to a report by the Canadian Institute of Chartered Accountants (CICA), which established a nine-step process aimed at helping boards identify, understand and address critical enterprise risks.

The CICA’s report, A Framework for Board Oversight of Enterprise Risk, also includes a process for understanding how risks are connected to one another, and the potential compounding effects that can occur when unfavourable events occur simultaneously.

Gigi Dawe, the CICA’s national practice leader for governance, strategy and risk, said CICA research found a lack of literature on enterprise risk management (ERM) for corporate boards.

“For the last ten to 20 years, ERM has become more prevalent and relevant in the readings and in terms of what organisations are doing, and what that’s led to is a number of frameworks developed for management,” she said. “Our premise is that boards of directors are interested and eager to do the best job they can in terms of overseeing risk, but really didn’t have a framework to follow. So this one was developed specifically for boards in that respect.”

Although the framework calls for boards to be more active with regard to risk, it says they mostly must serve in an oversight role rather than unilaterally identifying, analysing, mitigating and monitoring enterprise risk. The board’s job is to oversee risk-management systems and processes and continually review the associated outcomes and planning, according to the framework.

Two instances demand more hands-on attention from boards, Dawe said. Boards need to take a leadership role in assessing and managing risk with regard to business strategy because management cannot objectively assess its own strategy, she said. And when risk involves the chief executive or leadership, it makes sense for boards to step in with a neutral viewpoint to assess and manage risk.

Otherwise, the board should adopt an oversight role that must not be passive or too reliant on management, the report urges. The nine steps, designed to facilitate vigilant, thorough oversight, are as follows:

  1. Establish context. Understand the organisation’s current operating conditions from an internal, external and risk-management perspective.

  2. Identify risks. Document threats to the organisation’s objectives and the value of its assets.

  3. Analyse consequences. Quantify the likelihood and potential impact of the risk.

  4. Analyse interconnectivities and compounding effects. Aggregate risks and understand relationships, interdependencies and the compounding effect of simultaneous failures.

  5. Re-analyse consequences. Recalibrate and, if possible, create probability distributions of outcomes of interrelated risks.

  6. Prioritise. Rank risks, blending severity, likelihood and potential for mitigation.

  7. Assess risk capacity, tolerance and risk appetite. Determine the entity’s ability and willingness to accept the potential consequences of risk.

  8. Choose response strategy. Develop plans to avoid, reduce or control, share or insure, accept or (in certain cases) exploit risks.

  9. Monitor. Continually measure and monitor the risk environment and the outcome of risk-management strategies.

The report comes at a time when many organisations are trying to help companies get a handle on risk management.

  • The International Federation of Accountants recently released a report, Evaluating and Improving Internal Control in Organizations, which explains how accountants can ask the right questions to ensure a proper risk assessment.

  • The Committee of Sponsoring Organizations of the Treadway Commission is updating its popular Internal Control—Integrated Framework for release in the first quarter of 2013.

Dawe said the focus on connected risks in the CICA framework for corporate boards is important because companies often get hurt when they focus on one or two risks without considering a full range of possible threats and how those problems can compound one another.

Determining the organisation’s tolerance and capacity for risk also is a vital step, Dawe said. The objective of risk oversight is to enhance performance and create shareholder value, she said, and that is similar to the duties of the board of directors.

“They can’t do that without taking risks,” Dawe said. “The key is to take those risks with intention and in an informed fashion.”

Additional CGMA resources:

“How to Communicate Risks Using a Heat Map”: In the risk-assessment process, visualisation of risks using a heat map presents a big-picture, holistic view to share while making decisions on the likelihood and impact of entity-wide risks within an organisation.

“How to Improve Your Board’s Effectiveness: Three Tools for Risk and Strategy Governance”: A high-performing board is one that adds value to the organisation by achieving a full package of responsible activities. One of the areas organisations and their boards need to focus on: improving strategy and risk oversight.

Ken Tysiac is a CGMA Magazine senior editor.