Questions a Board may ask to understand how an organisation controls its risks
The holding of a position on a Board or in a control committee in an organisation is a considerable responsibility and may also lead to personal liability.
The aim of this guidance 'Questions a Board may ask to understand how an organisation controls its risks' is, through the presentation of a set of questions, to give a better understanding of the most important risks which can impact an enterprise and how these can be managed.
Reading the financial statements will seldom give sufficient information to understand the key drivers of an organisation´s bottom-line results. An understanding of the enterprise´s risk profile and how this is managed is an approach which can give valuable insight into the business. The definition of 'risk' used in this guidance is 'the effect of uncertainty on objectives', where 'the effect' is defined as a 'deviation from the expected — positive and/or negative' (cf. the definition used in the ISO standard on Risk Management).
All economic activity depends on taking one or more types of risk. It is, therefore, crucial to understand the relationship between risk and value added/profit and loss. Two apparently equal results can be the result of very different risk profiles. In order to understand how good a positive result achieved is, it is, therefore, necessary to understand the related level and type of risk taken by the enterprise.
Risk in this context includes short term risks occuring within a one year horizon, but perhaps even more importantly it includes strategic risk which includes the risks an enterprise takes, or will face, as a consequence of pursuing its strategy or major changes in geopolitical conditions, markets or regulatory requirements.
In modern risk management practice, it is usual to refer to 'enterprise-wide' risk management as a method to both understand and manage the organisation in a holistic and unfragmented manner. This type of risk management is often defined as ERM (Enterprise Risk Management). Considerable advantage can be gained by adopting ERM, compared to an alternative approach of managing individual risks on a stand-alone basis, without modelling their combined effect on the enterprise.
This guidance has been developed by the Risk Management Network of IIA Norway and has been translated from the Norwegian original.