By: Tim Leech
In the aftermath of the financial crisis, companies and their boards have been grappling with new disclosure requirements related to board risk oversight in the United States, Canada, and Europe. Unfortunately, many organizations that have wanted to improve their risk management capabilities have attempted to implement a traditional form of what is generally known as enterprise risk management (“ERM”). Many companies that have tried the traditional ERM route have been disappointed with the results. Many of these ERM programs have focused on multiple workshops that ask participants to identify potentially negative events, assess their likelihood and consequence, log risks identified in “risk registers,” plot them on color-coded risk “heat maps” and report the top 10, 20 or 100 risks to the board. In most ERM programs, this exercise is repeated each year and the updated risk register results are reported to the board or a committee of the board. This approach to ERM has proven to be suboptimal at best, and has even proved “fatal” when companies completely missed entitythreatening risks. These poor results can be related to the fact that these initiatives miss the fundamental point of formalized risk management—increasing certainty that objectives, both strategic and value creating, as well as core foundation objectives like obeying laws and producing reliable financial statements, will be achieved with a tolerable level of risk to senior management and the board.
Continue reading here: Board Oversight of Management’s Risk Appetite and Tolerance