Board role in Enterprise Risk Management

Are your top execs and board aligned on company risks and how to handle them? For many companies, this is an area ripe for continuous improvement. Part of the board’s role is to oversee this process, ensuring that major risks are identified and mitigated. Companies in which top execs and their boards are aligned through a formal process are more likely to minimize risk.

We suggest that executives talk with the board and align from the beginning on how to structure the risk matrix. This will make it easier to drill up and down when tackling specific risk areas.

Moreover, our experience is that if the board has various committees (such as Audit, Nomination, Remuneration, and potentially other company-specific committees), the job will be much easier if execs and the board agree on which risks sit in which committee.

Often, boards focus on financial risks and assign all risk mitigation to the Audit Committee, while risks surrounding the areas of people, strategy and other disciplines get less attention.

Best practice is that “daily” risk mitigation is anchored with and owned by the various “department heads”, so that each leader is delegated the risks most relevant to his or her area of responsibility.

For example, risks related to not complying with corporate governance should be owned by Legal Counsel, while risks involving missing out on attracting, retaining, and developing key leaders should be owned by the head of HR or Talent Management. For this to work well, risks should be owned by the most relevant leaders in top management, and there should be a structured set-up enabling the leaders to coordinate, discuss and measure progress.

The risk matrix should be revisited yearly and looked at each time with fresh eyes. If this is done adequately, each year some risks should be moved up or down in the matrix, some should leave the matrix, and a few new ones should be added. Otherwise, there is a real danger that the risks just “sit” in the matrix, and as time goes by, no one is sufficiently questioning whether the most relevant risks are covered.

In our experience, the risk matrices that work well involve grouping risks into “operational/preventable” (like cyber security, retention of key talents, etc.), “strategic” (linked to strategic ambitions), and “external” (related to macroeconomics, geopolitical situations, etc.). Some find it meaningful to add a group or two; often, these include “Corporate Governance” and “Finance” (which otherwise would be covered in the other groups).

Finally, we often see that the risk matrix provided to the board is not updated or fully aligned with what board members perceive to be the most significant risks. Boards tend to be most worried about strategic risks, which are the most intangible risks and require significant effort (for example, to identify non-financial KPIs to measure risk mitigation progress). Executive Management should be aware of this and expect challenges from the board if this area is missing. Early discussion and a structured process year after year can make alignment and mitigation much easier.

If you’d like our feedback on how your board and executive management can improve enterprise risk mitigation plans, we welcome you to contact us at


Interested in self-evaluation? Try Online Board Evaluations

In line with national corporate governance recommendations and those for foundations and charities, our board clients usually conduct an external board evaluation every three years. However, most national governance recommendations also recommend that boards perform a self-evaluation in the years between external board evaluations. Therefore, we have developed which is a tool enabling boards to self-evaluate effectively and effortlessly every year.