1. Identify the main risks
Identify the main risks from the company’s risk register and review the mitigation strategy. Boards should be ready to challenge any risk assessment they are concerned about. Cybersecurity risk is likely to be one of the top concerns for most boards at present.
2. Assign responsibility
Make sure that each major risk has a named executive who owns and takes responsibility for specific areas. For example, if the risk relates to currency volatility then it will be the responsibility of the finance director. On cybersecurity it will be the information technology chief.
3. Place risk at the heart of business
Boards should put risk at the centre of business strategy and operations instead of examining risk in isolation. They also need to make sure they fully understand how the company operates, particularly in complex sectors such as financial services.
4. Appoint a senior risk officer
Appoint a senior risk officer with a good track record and make sure he/she understands the lines of risk reporting within the company.
5. Keep all board members up to speed
Even with a strong chief risk officer and team in place, don’t leave all evaluation of risk levels to them. The chairman is responsible for the overall risk of the company and, in order to do a good stewardship job, the board must receive relevant risk information. Boards must learn how to ask the risk team tough questions. To do this effectively all members must keep up to speed with global corporate risk, events and forecasts and be well prepared.
6. Keep asking questions
Be resilient and keep asking important questions on risk again and again until clear, satisfactory answers are provided. VW’s evasiveness over giving information to the board about suspect diesel emission levels and the scandal that followed should be a good lesson.
7. Ensure the chairman is well informed
The chairman should make sure he/she gets good-quality, timely information from management. If this does not happen, the chairman must challenge the CEO.
8. Continually assess the risks
Boards need to continually assess, in terms of impact and probability, any risks the company is taking or might face in future. Run “what if?” scenarios: What could harm our customers? What could damage our reputation?
9. Conduct an independent audit of your risk management
Experts say it is good practice to have an independent audit, such as a review, of how the board manages risk.
10. Remember the link between risk and reputation
Don’t underestimate the link between risk and reputation. Make sure the company has contingency plans in place for when something goes wrong. In an age of social media, quick decision-making between the chief executive and the board on how to handle the situation, and a skilled communications team that acts speedily and efficiently, can help to limit damage to reputation.