First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

PwC confuses boards on risk oversight

This article discusses the responsibility of the board in terms of risk oversight and not in identifying and assessing risks as management has done.

risk oversightI want to start with two admissions:

  • I worked for 10 years at PwC and still have friends and respect for many of the professionals there.
  • I am hopeful that the pending update to the COSO ERM Framework, written by PwC, will be a leap forward in the practice. In fact I am more optimistic about the COSO initiative than I am that the ISO 31000:2009 update will reflect current leading (that risk management is about disciplined risk-taking through informed and intelligent decisions).

Then I read the latest advice for boards from PwC on risk oversight.

Why your board should take a fresh look at risk oversight: a practical guide for getting started is hugely disappointing.

While the PwC team on the COSO project recognize explicitly that risk management is far more than a periodic review of a list of risks, the authors of the board governance report are on a totally different page.

For example, the report says:

“It’s helpful for the board and committee chairs to work together to ensure all key risks are subject to board-level oversight. Some boards find it helpful to use a risk allocation matrix, which extends the key risk summary that many boards currently receive. Some companies even show overall risk allocation graphically in their proxy statements.”

They are talking about a list of risks, not about the achievement of objectives.

The report has a useful discussion about whether the organization’s disclosures about risk are complete and sufficient to satisfy investors.

It also asks interesting questions about the competence of the board members in risk management.

But, the role of the board is not to second-guess management and perform their own identification and assessment of risk.

The role of the board is to ensure management has the capability to do this and is in fact doing it well.

Frankly, the PwC report advises boards in a way that will lead them all astray!

It suggests the wrong questions.

I have written about this before, but here are the questions I would ask the executive management team if I were on or advising a board:

  1. What does risk management mean to you? Is it something you have to do (for compliance purposes) or does it actually and significantly help you determine and execute on strategy? If the latter, please explain.
  2. How effective do you believe, Mr. or Ms. CEO, is the management of risk is? Does it give you a strategic advantage?
  3. How effective does your CRO believe it is (if you have one. If not what does the responsible executive think?)
  4. How effective does your internal audit team think it is? How did they assess it? If they didn’t, why not?
  5. How do you factor in the consideration of risk (“what might happen”) into the selection of strategies and objectives?
  6. How do you factor in the consideration of risk into the selection, planning, and execution of major initiatives? Where can I find it in the proposals you submit to the board for approval?
  7. How do you and your management team make decisions in the face of uncertainty?
  8. What is the likelihood of achieving each of our strategic and major operational objectives? How do you assess not only performance to date but anticipate what might lie ahead? What are you doing about the latter?
  9. How do you know all decision-makers are taking the desired amount of the right risks? Do you help them at the point of decision-making or only after the fact through risk reporting against risk appetite? Does what you are doing work?
  10. What are you doing to improve the ability to address and respond to likely future events and situations?

The conversation about risk management expertise is, in my opinion, misplaced.

Members of the board should, for the most part, be able as former executives themselves to assess the competence of the executive management team in addressing what might happen.

That doesn’t require skills and knowledge in risk assessment techniques.

It requires the ability to listen, challenge, and think about how the CEO and his/her team are managing the organization with an eye on the future that is realistic about what might happen and what to do about it.

I welcome your comments.

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me
Send to Kindle

, ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.