Enterprise Risk Management

Part 1 – Concepts and Methods

industry knowledge and functional expertise. Gaps identified can be addressed by admitting new members, obtaining independent advice from external experts, and planning for membership renewal or succession.

Boards also determine how to exercise their oversight of risks. The alternatives are to retain all responsibilities with the full board or to delegate some of them to committees of the board. Publicly traded companies must also take NYSE listing requirements into account: audit committees must discuss the organization's major financial risk exposures and the steps taken to monitor and control those risks, as well as the policies that govern the risk management process. More than forty percent of boards delegate risk oversight responsibilities to a board committee; among large organizations the proportion is much higher, at seventy percent.[43]

With the concurrence of management, boards define what risk information is to be reported to them and how often. Most organizations report risk information to their board at least annually, and many do so semi-annually or quarterly. The timing of reporting typically follows planning cycles and external reporting cycles such as quarterly and annual reports. Some organizations group their risks into categories based on frameworks such as COSO; others develop their own categories based on how they prefer to report. The number of risks reported to boards varies greatly: some organizations focus on a limited number, such as the top five or top ten, while others provide a longer list of ten to twenty risks, and sometimes more.[44]

Many boards struggle to determine how to exercise their risk oversight and which responsibilities should be allocated to committees of the board. As a general rule, risks should be discussed by the same group that is responsible for providing direction on organizational strategies[45] and for monitoring organizational performance. That group needs to provide direction on the risks to assume or tolerate in implementing strategies, achieving objectives, and meeting performance targets. These responsibilities evidently rest with the full board. However, oversight of selected risks, and oversight of the risk management process and the information it produces, may be allocated to a committee of the board such as the audit committee or a separate risk committee. Allocating responsibilities to a board committee in this way can lighten the workload of the full board and satisfy regulatory requirements. In turn, the committee reports its observations and recommendations to the full board for consideration and decision.

Management Structures

Like any other management discipline, risk management requires a certain amount of structure to be carried out effectively; otherwise it is ad hoc, reactive, and fragmented across the organization. To achieve the structure needed for ERM, most organizations base their approach on recognized frameworks and guidelines such as COSO and ISO. The result is a custom-tailored risk management framework: a set of components that provide a foundation and structure for risk management, including a risk management process that can be applied consistently across the organization. Framework components include leadership and culture, purpose and commitment, knowledge and skills, communication and consultation, governance and management structures, integration mechanisms, and so on.
