I recently spoke to directors and officers about oversight of risk management by boards of directors. I prepared a list of 25 reasons that risk management failure happens, based on my experience assisting boards, including boards that have failed and boards that cannot afford to fail. Almost all of what follows below is based on real examples. I have never encountered a risk management failure where the board was not at fault, based on what the board said or did, or failed to say or do.
Here are 25 reasons for risk management failure:
1. Lack of enterprise risk management expertise on the board.
2. Governance gaps over one or more material risks, within the board or across its committees.
3. Directors incapable of identifying and fully understanding the risks, or worse yet, don’t want to understand. Committees show no interest when they should be shocked.
4. Internal oversight functions reporting to management instead of to the board. A complacent board does not correct this.
5. Directors do not insist on a real-time line of sight over material risks and their mitigation/treatment.
6. Not upgrading information systems to track, monitor and integrate risks.
7. Lack of oversight of the process by which management identifies, assesses and acts on the risks.
8. Lack of conversations, common vocabulary and prioritization of the risks.
9. Lack of internal audit, or not listening to internal audit.
10. Internal controls that are weak, even non-existent, or capable of management override.