Because of cyber risk’s high impact and unpredictability, board directors must have at least a passing familiarity with it and with other emerging risks. It is a challenge: technology is always changing, and even tech-savvy leaders can find it difficult to keep up with the latest developments. Modern board directors need information about a complex set of technology-related risks, including big data, cloud computing, cyber risk and social media.
Cyber risks are serious enough that even seemingly minor ones can compromise sensitive information and disrupt business operations. Failing to address them puts financial, customer, intellectual property and other information in danger; strong internal controls are needed to prevent the damage that can so easily result.
Risk oversight is a critical area of board responsibility, and it requires careful attention to processes and metrics. Effective oversight requires close collaboration between the board and management, which means establishing clear guidelines to determine which bodies make which decisions, when matters should go to committee, how to respond to new risks and so on.
Getting oversight right
Establishing an effective risk oversight framework is not a trivial task, but neither is it an overly arduous one. Boards can start by creating (and maintaining) an enterprise-wide risk register, and mapping the risks identified to the relevant board committees for oversight.
The audit committee plays a crucial role in overseeing financial risks, so it needs a clear understanding of the risks and responsibilities involved and the capacity to monitor policies and procedures. It may also oversee cyber risk initiatives, management’s overall approach to cyber threats, and the adequacy of funding and other resources.
Board and management alike should regularly engage with the CIO, CISO and other technology leaders to understand where attention should be focused. The audit committee chair must work with other groups to communicate expectations regarding cyber and financial risk mitigation – and help enforce them.
Audit committees are busier, more scrutinised and under more pressure than ever. Workloads must be carefully balanced, and sufficient resources supplied, to avoid overwork and its associated risks.
Governance is the key
Effective risk oversight requires a clear risk governance structure. Your board must be sure it has identified all committees with responsibility for risk governance or oversight.
One of the primary issues to review is whether the board has considered the relationship between strategy and risk, and whether those risks are internal or external. Are you confident that your board, audit committee and other committees are getting the information they need to oversee the risk management process effectively?
Technology can – and should – play a critical role in your risk management program, especially for information-gathering and analysis. Be sure you have a robust system in place that you carefully monitor and update.
Finally, the board should hold regular reviews to ensure that risk oversight is measured and managed. Including risk accountabilities when reviewing compensation programs can also help keep a strong focus on these responsibilities.
Culture is key
Audit committees often play a key role in risk oversight, but the ultimate responsibility lies with the board, which must set expectations and create a risk-aware culture throughout the business. Regulators and shareholders alike expect boards to lead on risk and demonstrate the company’s commitment to good governance and effective risk oversight.
Whether your board is up to speed, gaining momentum or at the beginning of its risk oversight journey, it’s up to you to help it play its critical role in protecting your organisation from financial, cyber and other hazards. And if you (or the board) would like a hand, we’d be delighted to assist.