Among the last things directors want are surprises. They want to go to sleep at night feeling comfortable that any potential icebergs are on management's radar screens, and that their corporate ship is being navigated effectively. In earlier chapters we outlined what risk management is and what it is not, and how it is implemented effectively. Here we look further at the board's responsibility in overseeing the risk management process.
Certainly board meetings don't last very long these days before the words risk or risk management or enterprise risk management come up. There's an unsettled feeling that if boards of major banks failed to understand and monitor risks in those organizations adequately, then other company boards probably also need to do much better in grasping a company's risks.
Unfortunately, the reality is that boards' approaches to dealing with risk often involve asking management to report on the top 5 or 10 risks facing the company. Typically a risk assessment is conducted, usually with some ranking or other prioritization designed to focus attention on the most significant issues. Knowledgeable directors, however, recognize that a risk assessment is simply a point-in-time snapshot that is soon outdated, regardless of who conducts it. They also know that hearing about the top 10 risks tells them only what senior management knows—which may well omit risks that can potentially cause tremendous damage.
Truly effective boards look to management to ...