Defining The Board’s Oversight Of Risk Management

WHEREAS the board’s oversight of risk management is an ongoing topic of discussion and definition, NOW THEREFORE from time to time I engage in these discussions.

More seriously, in addition to my own research and materials, I read a fair number of discussions by other people and groups about director, officer, and board committee (audit committee) member responsibilities, rights, compliance, and liability.

At the bottom of this post I have included links to two recent posts by Norman Marks in which he discusses risk management. While I find that pronouncements and discussions by major organizations on these topics can be insightful and advancing, typically they are much less insightful and advancing than they should and can be. Topics such as corporate governance; board and board committee oversight, responsibilities and rights; business culture and values; auditing, etc., tend to move forward like molasses on a plate. Norman provides leading, worthwhile discussions – some of which I agree with and some of which I disagree with, but Norman does provide independent forward-looking and leading thought. Norman and I have different backgrounds – I find that in most situations the different backgrounds and experiences of the people involved should be acknowledged and noted, and encouraged, along with their viewpoints.

The following is a short version today of the board’s oversight of risk management – I say “today” because these are and will continue to be topics and definitions in development:  The board, its committees, and its directors oversee executive management’s successful achievement of the organization’s strategies and objectives, of which risk management is an integral component of the business processes.

The following is a longer, more detailed version today of the board’s oversight of risk management: The board, its committees, and its directors oversee executive management’s and the organization’s strategies, plans, and decision making for the successful achievement of the organization’s business strategies and objectives, of which risk management or enterprise risk management or what might happen is an integral component of the ongoing and regular business processes. Note: I added “or what might happen” from one of Norman’s discussions.

Note also, often oversight of risk management is delegated to a committee of the board, such as the audit committee, and in some industries a separate risk committee is mandated by statute, rule or regulation. Even if not required by law, it is still my belief that the overall board should address risk management oversight although having a committee of the board provide initial and perhaps more detailed oversight might be prudent and also legally acceptable. And I believe that these best practices also hold true for nonprofits even if a nonprofit is allowed by law to entirely delegate risk management to a committee of the board – the overall board should nevertheless still be involved in the manner that the board determines is prudent and in keeping with the business judgment rule.

Changing topics and under the category of other questions for consideration by directors (and also by officers and others) – and because I deal with these issues on a daily basis – from the different view of legal responsibilities and rights, liability, and reputation – short version – does the director reasonably believe that she or he can describe and explain, and support and defend his or her actions and inactions?

Or, longer, more detailed version from the different view of responsibilities and rights, liability, and reputation – long version – does the director reasonably believe that she or he can describe and explain, and support and defend his or her actions and inactions taken and not taken to satisfy the director’s oversight and governance responsibilities under the microscope of crisis management, shareholder and proxy questioning, inquiries or contests, lawsuits, regulatory inquiries, employee questioning or inquiries, customer questioning, social media, investigations, and reputation attacks?

The following are links to two of Norman Marks’ recent posts on risk management:

https://normanmarks.wordpress.com/2018/03/09/is-the-goal-of-risk-governance-taking-boards-in-the-wrong-direction/

https://normanmarks.wordpress.com/2018/05/12/are-you-managing-risk-or-are-you-managing-the-organization/

Please see also the additional materials in this post below. Wishing you the best and success. David Tate, Esq.

 

 
