Risk oversight and the board: Navigating the evolving terrain

We’re living in an era of unforeseen events that give rise to risks, including geographic conflicts and a global pandemic — a “black swan” event (something so unpredictable that it’s not on anyone’s radar) with far-reaching economic and social consequences. While a company can’t always anticipate what might be around the corner, strong risk oversight by the board can help the company respond with more rigor and agility. The number and types of risks the board oversees continue to grow, even as their nature changes. Some become more likely as businesses are more interconnected. Some are likely to impact just a certain area of the business. Others could severely impact the entire brand.


The evolution of enterprise risk management (ERM)

ERM has always been about identifying and managing the top risks to the organization. That hasn’t changed. The inputs, the methodology, the output and the overall process have—because they’ve had to. As depicted below, there are several drivers for the evolution of ERM and risk oversight processes.

The link between strategy and risk

Large institutional investors have been pushing for more information about how a company’s statement of purpose is linked to its long-term strategy and success. Let’s use environmental, social and governance (ESG) risks to illustrate this. For many companies, these risks were already on the radar — somewhere. But the recent focus by large institutional investors, combined with an increase in shareholder proposals seeking disclosure, has brought these risks to the forefront. Large institutional investors are suggesting that ESG risks could have an impact on the long-term sustainable value of the company.


For more discussion on ESG and ERM, read Safeguarding trust: the board’s role in integrating ESG and ERM.

First things first: Board composition

Risk oversight is a full board responsibility. Having diverse skills, backgrounds and experiences on the board is vital to understanding the broad range of risks a company can face. It is important to have some board members with deep expertise in the industry who can help anticipate what’s to come. On the other hand, it is also important to have fresh perspectives—whether it’s new directors, those with experience in different industries or different skill sets—to view risk through different lenses. Directors who have specific risk management expertise can also bring real value.

Understanding and maximizing ERM

What ERM is—and isn’t

ERM is the collection of capabilities, culture, processes and practices that helps companies make better decisions as they face uncertainty. It gives employees a framework and policies to help them understand, identify, assess, manage and monitor risks so the company can meet its objectives. It’s most valuable when it’s integrated with strategic planning and decision-making.


Making sure ERM lives beyond the C-suite

If ERM operates only at the executive level, it’s not going to influence behavior across the organization. In fact, some companies find it helpful to assess risks or risk prioritization at different levels. If you ask different groups of people to prioritize a handful of key risks at the company, you may get different answers based on each individual’s purview. The board and the executive team might be aligned on risk prioritization, but middle management might have a very different prioritization.


Risk appetite

We’ve all read headlines about companies taking bets involving levels of risk they don’t fully understand. But it’s also common to be concerned about taking on too little risk and missing opportunities for performance and growth. In light of what they see happening, it’s not unusual for directors to wonder: How much risk does our company need to take to realize the strategic plan? Instinct drives risk-taking at many companies. Most people have a sense of how they should behave and what risks are acceptable. But how can senior management and the board know everyone is on the same page when it comes to taking risks? It comes down to leveraging a risk appetite.


Risk reporting

Many companies use a silo-based and manual approach to managing and reporting on risks. This means that various parts of the company may report risks to the board at different frequencies, in different formats and with different focus areas. Compounding the inefficiency of that fragmented approach, each part of the company may be using different systems, therefore reporting different types of data. Some companies prepare comprehensive risk reports by distilling the information delivered by various risk management groups. But such an approach raises other challenges and the process itself can be inefficient. More and more companies are leveraging a GRC (governance, risk and compliance) technology platform to consolidate and streamline the risk reporting process.


In conclusion...

In a business risk environment that is becoming more complex and interconnected, boards play a crucial role in overseeing risk and keeping shareholders informed.

  • To begin, boards can start by looking around the table. Is there diversity of experience, thought, gender and race to bring different perspectives on risk?
  • Boards will also want to understand their company’s ERM program and how they can contribute to that program. Additionally, they will want to spend time on their own structure for oversight.
  • Finally, boards will not want to forget about the company’s various stakeholders—what information is provided to them about the company’s risk management programs and activities?

By examining and refining its approach to risk oversight, a board can deliver enhanced value to the company and its shareholders.

Contact us

Ray Garcia, Leader, Governance Insights Center, PwC US

Paul DeNicola, Principal, Governance Insights Center, PwC US

Stephen G. Parker, Partner, Governance Insights Center, PwC US

Brian Schwartz, Partner, Cyber, Risk and Regulatory, PwC US

Jamie Gamble, Managing Director, PwC US

Catie Hall, Director, Governance Insights Center, PwC US

Carin Robinson, Director, Governance Insights Center, PwC US
