Executive Perspectives on Top Risks for 2013 Key Issues Being Discussed in the Boardroom and C-Suite
© 2013 2
Introduction
• Protiviti and North Carolina State
University’s ERM Initiative surveyed more
than 200 board members and C-suite
executives on risks likely to affect their
organizations over the next 12 months
• The survey provides perspectives on the
potential impact of 20 specific risks across
three dimensions:
– Macroeconomic Risks: Likely to affect
organization's growth opportunities
– Strategic Risks: Likely to affect the validity
of the organization's strategy for the pursuit
of growth opportunities
– Operational Risks: Likely to affect key
operations of the organization in executing
its strategy
Survey Methodology
• Respondents were asked to rate 20 individual
risk issues using a 10-point scale:
− A score of 10 reflects Extensive Impact to
their organizations over the next year
− A score of 1 reflects No Impact at All
• Based on average scores, the risks were
categorized into one of three classifications:
– Significant Impact: Risks with an average
score of 6.0 or higher
– Potential Impact: Risks with an average
score of 4.5 through 5.9
– Less Significant Impact: Risks with an
average score of 4.4 or lower
Survey Respondent Breakdown
Organization Size
Revenues $10 billion or greater 15%
Revenues $1 billion to $9.99 billion 34%
Revenues $100 million to $999.99 million 36%
Revenues less than $100 million 12%
Executive Position (Top 5 Respondent Groups)
Board Member 9%
Chief Financial Officer 14%
Chief Risk Officer 20%
Chief Audit Executive 26%
Other C-Suite 21%
Industry (Top 5 Respondent Groups)
Financial Services 28%
Consumer Products and Services 19%
Industrial Products 13%
Healthcare and Life Sciences 12%
Technology, Media and Communications 11%
Top Risks – Overall
Overall Risk Concerns for 2013
The top risk is concern that regulatory changes and heightened regulatory
scrutiny may affect the manner in which the organization’s products and
services will be produced or delivered, indicating concerns that regulatory
challenges may affect strategic direction
The next highest-rated risk areas are concerns about overall economic
conditions restricting growth, as well as concerns about uncertainty
surrounding political leadership affecting U.S. and international markets
Other top areas of concern include the ability to grow organically through
customer acquisition, and challenges related to leadership and to
succession planning within the participating organizations
Other Top Risks
• Cyber threats – Cyber threats have the potential to significantly disrupt
core operations for our organization
• Security/privacy – Ensuring privacy/identity management and information
security/system protection will require significant resources for us
• Resiliency – Resistance to change will restrict our organization from
making necessary adjustments to the business model and core operations
• Performance gaps risk – Our existing operations may not be able to
meet performance expectations related to quality, time to market, cost and
innovation as well as our competitors
• Trade restrictions/government sanctions – Potential changes in trade
restrictions or other government sanctions will limit our ability to operate
effectively and efficiently in international markets
• Technological innovation risk – Rapid speed of disruptive technological
innovations within the industry may outpace our organization's ability to
compete and/or manage the risk appropriately, without making significant
changes to our operating model
Top 10 Risks – Overall
(Bar chart; axis from 4.0 to 7.5. Each risk is labeled with its category.)
• Regulatory risk (S)
• Economic conditions (M)
• Sovereignty risk/political gridlock (M)
• Organic growth concerns (S)
• Succession/talent (O)
• Financial markets/currencies (M)
• Cyber threats (O)
• Security/privacy (O)
• Resiliency (O)
• Performance gap risks (O)
M – Macroeconomic Risk Issue
O – Operational Risk Issue
S – Strategic Risk Issue
Analysis Across Organization Size
Analysis Across Organization Size – Key Findings
• Concerns about the potential impact of
regulatory changes and heightened
regulatory scrutiny are noticeably high for
all sizes of organizations
• Uncertainty surrounding political leadership
in national and international markets is high
across most sizes of organizations
• The regulatory environment and potential
for further change to it are of particular
concern to many organizations, influencing
decisions to expand, invest and hire
Analysis Across Organization Size – Top Risks
Columns: Overall; Organizations $10B or Greater; Organizations Between $1B and $9.99B; Organizations $100M and $999.99M; Organizations Less than $100M
Risk Issues:
• Regulatory risk
• Economic conditions
• Sovereignty risk/political gridlock
• Organic growth concerns
• Succession/talent
• Financial markets/currencies
• Cyber threats
• Security/privacy
• Trade restrictions/government sanctions
Rating key:
Significant Impact – Rating of 6.0 or higher
Potential Impact – Rating of 4.5 – 5.9
Less Significant Impact – Rating of 4.4 or lower
Analysis Across Respondent Role
Analysis Across Respondent Role – Key Findings
• Nearly all executives rated economic conditions
and regulatory changes as “Significant Impact”
risks
• Board members, CAEs and CFOs did not rate
any of the other 18 risks as “Significant Impact”
risks
• Other C-suite executives identified two additional
risks as “Significant Impact” – volatility in global
financial markets and political uncertainty
• CROs named three additional risks as
“Significant Impact” – risks related to cyber
threats, succession issues and recruitment and
retention of managerial talent, and risks related
to privacy/identity management and information
security
Analysis Across Respondent Role – Top Risks
Columns: Overall; Board Member; Chief Financial Officer; Chief Risk Officer; Chief Audit Executive; Other C-Suite
Risk Issues:
• Regulatory risk
• Economic conditions
• Sovereignty risk/political gridlock
• Organic growth concerns
• Succession/talent
• Financial markets/currencies
• Cyber threats
• Security/privacy
Rating key:
Significant Impact – Rating of 6.0 or higher
Potential Impact – Rating of 4.5 – 5.9
Less Significant Impact – Rating of 4.4 or lower
Industry Analysis
Industry Analysis – Key Findings
• Respondents across all industry groups believe
economic conditions in markets they currently
serve will significantly restrict growth
opportunities this year
• Most industry groups believe regulatory changes
and heightened regulatory scrutiny may
significantly affect the manner in which the
organization's products or services will be
produced or delivered
• While most industry groups identified three to
four risks as having “Significant Impact,” both the
Financial Services and the Technology, Media
and Communications industry groups had the
greatest number of “Significant Impact” risks
Analysis Across Industry – Top Risks
Columns: Overall; Consumer Products and Services; Energy and Utilities; Financial Services; Healthcare and Life Sciences; Industrial Products; Technology, Media and Communications
Risk Issues:
• Regulatory risk
• Economic conditions
• Sovereignty risk/political gridlock
• Organic growth concerns
• Succession/talent
• Financial markets/currencies
• Cyber threats
• Security/privacy
• Resiliency
• Performance gap risk
• Technological Innovation risk
Rating key:
Significant Impact – Rating of 6.0 or higher
Potential Impact – Rating of 4.5 – 5.9
Less Significant Impact – Rating of 4.4 or lower
Plans to Deploy Resources to Enhance
Risk Management Capabilities
Additional Resources to Risk Management – By Industry
Likelihood the organization plans to devote additional resources to risk management over the next 12 months:
All Respondents 5.8
Consumer Products and Services 5.7
Energy and Utilities 4.5
Financial Services 7.0
Healthcare and Life Sciences 5.5
Industrial Products 5.4
Technology, Media and Communications 5.5
On a scale of 1-10, respondents rated whether the organization plans to devote additional
resources to risk management over the next 12 months. (1 – “Unlikely to make changes”; 10
– “Extremely likely to make changes”)
Additional Resources to Risk Management – By Organization Size
Likelihood the organization plans to devote additional resources to risk management over the next 12 months:
All Respondents 5.8
Revenues Less than $100M 6.1
Revenues $100M – $999.99M 5.8
Revenues $1B – $9.99B 5.3
Revenues $10B or higher 6.7
Additional Resources to Risk Management – By Organization Type
Likelihood the organization plans to devote additional resources to risk management over the next 12 months:
All Respondents 5.8
Publicly Traded Companies 5.6
Private, For-Profit Enterprises 5.8
Not-for-Profit and Governmental Organizations 6.4
Additional Resources to Risk Management – By Respondent Role
Likelihood the organization plans to devote additional resources to risk management over the next 12 months:
All Respondents 5.8
Board Members 5.1
Chief Financial Officers 6.0
Chief Risk Officers 6.3
Chief Audit Executives 5.4
Other C-Suite 5.9
Calls to Action
Ensure there is sufficient focus on the implications of a
changing environment
• Is management periodically evaluating changes in the business environment to identify
the risks inherent in the corporate strategy?
• Is the board sufficiently involved in the process, particularly when such changes involve
acquisition of new businesses, entry into new markets, the introduction of new products
or alteration of key assumptions underlying the strategy?
Ensure the risk assessment is sufficiently robust to inform
board/management communications
• Does management apprise the board in a timely manner of significant risks or significant
changes in the organization's risk profile?
• Is there a process for identifying emerging risks?
• Does it result in consideration of response plans on a timely basis?
Calls to Action
Ensure the board is knowledgeable of the key enterprise risks and the
capabilities in place for managing those risks
• Is the board aware of the most critical risks facing the company?
• Does the board agree on why these risks are significant?
• Do directors understand the organization's responses to these risks?
• Is there an enterprise-wide process in place that directors can point to that answers these
questions, and is that process informing the board's risk oversight?
Enrich the strategy setting process with a risk appetite dialogue
between management and the board
• Is there a periodic board-level dialogue regarding management's appetite for risk and
whether the organization's risk profile is consistent with that risk appetite?
• Is the board satisfied that the strategy-setting process appropriately considers a
substantive assessment of the risks the enterprise is taking on as it formulates and
executes its strategy?
Break
Risk Management Hot Topics:
Major Challenges Facing Businesses
Shaping the 2013 Risk Oversight Agenda
Five Risk Categories for Focusing Risk Oversight
Identifying Emerging Risk
Preparing for a Black Swan
Oversight of Information Technology Risk
Ten Ways Risk Oversight Can Fail
Ten Risk Oversight Principles
Major Challenges Facing Businesses
The complexity and velocity of change in an increasingly interdependent world are altering the dynamics
of doing business. As the business environment continues to change, so does the risk landscape that
companies and their audit committees face.
Ten Major Challenges Facing Businesses
As discussed, below are some observations and ideas for consideration by boards and their audit
committees when setting the 2013 agenda.
1. Regulatory changes and increased regulatory scrutiny
2. Economic conditions in current markets and the possible lack of significant growth opportunities
3. Volatile global economic and political conditions
4. Succession challenges and the ability to attract and retain top talent
5. Challenges with organic growth through existing customers
6. Ensuring privacy/identity management and information security protection; cyber threats could significantly disrupt
core operations
7. Resistance to change
8. Inability to meet performance expectations as well as its competitors can
9. Unexpected crisis and the likelihood of a significant impact on reputation given the organization's existing
preparedness
10. Inability to utilize data analytics and "big data" to obtain needed market intelligence
Major Challenges Facing Businesses (Continued)
The 2013 Mandate for Audit Committees
We have summarized an agenda below that is broken down into two categories: enterprise, process and technology risk
issues, and financial reporting issues. The following agenda is based on our interactions with client audit committees,
director roundtables we have conducted, and discussions with directors at conferences and other forums.
Enterprise, Process and Technology Risk Issues
1. Update the company's risk profile to reflect changing conditions - The pace of change in the business continues to
escalate.
2. Oversee the capabilities of the finance organization and internal audit - Capabilities in these functional areas must be
aligned with the company's changing needs.
3. Continue to provide oversight for significant changes in the control environment - Tone at the top, culture, and
controls in critical risk areas should be areas of inquiry.
4. Understand how new technological developments and trends are impacting the company - Understand the
implications of technological innovations to security and privacy, financial reporting processes, and the viability of the
company's business model.
5. Take a fresh look at the compliance infrastructure - Recent actions of regulators with respect to enforcement actions
and offering clarifying guidance may provide insights for evaluating compliance practices.
6. Assess audit committee effectiveness - Evaluate whether committee composition and expertise are sufficient in light
of the changing environment and company risk profile.
Major Challenges Facing Businesses (Continued)
Financial Reporting Issues:
7. Work with the external auditor to upgrade the communications process - In some countries, the auditor may be
required to enhance communications with the audit committee, so expect more.
8. Be aware that the auditor's report may expand in the near future - It's possible that the expanded report may
incorporate topics the auditor addresses to the audit committee.
9. Inquire whether PCAOB inspections impact the audit approach - The PCAOB has provided guidance to audit
committees for these discussions with the auditor.
10. Keep an eye on developments with respect to mandatory auditor rotation - The PCAOB continues to consider this
alternative to increase audit effectiveness.
11. Expect action on convergence to IFRS - If applicable, inquire about the company's readiness as the U.S. FASB issues
new standards over the next two years.
12. Consider other issues - Inquire about the company's compliance readiness with respect to the conflict minerals
disclosure, if applicable, and the likely impact of COSO's update of the Internal Control – Integrated Framework.
Shaping the 2013 Risk Oversight Agenda
10 questions for board members to consider as they evaluate their risk oversight agenda
for this fiscal year.
• Has the company's risk profile changed?
Has management updated the company's risk assessment and provided the board a summary of
such risks with an indication of the risks that have increased, decreased or remained the same since
the previous assessment?
• Do the board's delegations of risk oversight responsibility provide for adequate coverage
of the critical risks?
Are the most critical enterprise risks assigned to appropriate board committees to ensure coverage
in the normal course as part of their ongoing activities?
• Is the board giving appropriate consideration to technology-related risks?
Rapid technological innovation creates new risks in return for faster and more accessible data. In
addition, increasing demands for privacy and information security, intellectual property, and asset
protection, and growing complexity of regulations, are driving the need for more investment in
security.
• Is the board satisfied that there is a process for identifying emerging risks?
Are risk assessments providing directors with insights they didn't previously have? Is the company
thinking about the "known unknowns" and potential "unknown unknowns" that lie in the future?
Shaping the 2013 Risk Oversight Agenda (Continued)
• Does the board understand the key assumptions underlying the organization's strategy?
These assumptions are management's "view of the world" and should be used to identify risk
indicators to provide early warning of one or more critical strategic assumptions becoming invalid as
the company executes its strategy in a changing business environment.
• Is the board satisfied with the risk reporting it receives?
At minimum, risk reporting provides information about the critical enterprise risks and summarizes
how those risks are managed. It is up to the board to communicate to management the additional
information it needs. The board should also obtain substantive risk information from external sources
to supplement the information received from management.
• Is the board satisfied the company's risk management is sufficiently resourced?
Directors should inquire as to whether appropriate policies, processes, people, reporting, tools and
incentives, along with a supportive culture, are in place to mitigate key risks.
• Does the board periodically assess whether there are potential issues in the company's
culture and its incentive compensation structure?
Are there any dysfunctional behaviors that could undermine the effectiveness of risk management
and lead to inappropriate risk-taking or compromise established policies and processes?
Shaping the 2013 Risk Oversight Agenda (Continued)
• Is the company prepared to respond to extreme events?
These are the events no one can predict or see coming, the so-called unknowable risks. Has the
company used scenario analysis to prioritize its "high impact, low likelihood" risks in terms of their
reputational effect, velocity to impact and persistence of impact, as well as the enterprise's response
readiness?
• Does the board periodically assess its risk oversight processes?
This assessment should be incorporated into the board's periodic evaluations of its overall
effectiveness.
The board of directors should consider the above questions when assessing its oversight focus within
the context of the nature of the entity's risks inherent in its operations.
Five Risk Categories for Focusing Risk Oversight
As the board organizes itself for risk oversight, the question arises as to whether it should adopt its own
risk language to ensure it is covering all bases. While each board must decide for itself whether a risk
language is useful given the nature of the enterprise's operations, here we explore five risk categories
directors may want to consider.
Areas for Board Responsibility for Risk Oversight
1. Governance risks - Risks related to directors' decisions regarding board leadership, composition and
structure, director and CEO selection, and other governance matters.
2. Critical enterprise risks - The top five to 10 risks that can threaten the company's strategy, business
model or viability.
3. Board-approval risks - The risks related to decisions the board must make with respect to important
policy areas, such as major strategic initiatives, acquisitions or divestitures, major investments, entry
into new markets, etc.
4. Business management risks - Risks associated with ongoing day-to-day business operations.
5. Emerging risks - External risks outside the scope of categories (1) through (4).
Five Risk Categories for Focusing Risk Oversight (Continued)
Following are some suggested questions that boards of directors may consider in the context of the
nature of the entity's risks inherent in its operations:
• Is there a process for identifying the organization's critical enterprise risks for purposes of prioritizing
the board's risk oversight focus with management?
• Is the board approving major strategic and policy issues on a before-the-fact basis?
• Is there a process in place for identifying and communicating emerging risks to enable management
and the board to be proactive?
Identifying Emerging Risks
Emerging risks are newly developing risks that cannot yet be fully assessed but that could, in the
future, affect the viability of an organization's strategy.
Identifying Emerging Risks:
• Validity of the assumptions underlying the strategy:
Are the critical assumptions underlying the company strategy becoming, or have they become, invalid? Fundamentals
eventually change, and management should identify relevant drivers to monitor the external environment for
changes that could invalidate one or more of those assumptions.
• Global Trends:
Economic, Environmental, Societal, Geopolitical and Technological factors categorized into three risk "clusters":
– Macroeconomic Imbalances
– The Illegal Economy
– Water-Food-Energy
• Organization's Pre-emptive Actions:
Management must carefully consider the actual or anticipated effects (e.g., exposure to political/sovereign risk,
cultural issues, a different regulatory regime and catastrophic events) of pre-emptive actions that alter the entity's
risk profile.
• Game-Changing Risks:
Cybersecurity, demographic changes, resource security, retrenchment from globalization, infrastructure fragility and
fiscally distressed cities.
Identifying Emerging Risks (Continued)
Questions to Consider
Following are some suggested questions that boards of directors may consider, based on the risks
inherent in the entity's operations:
• Is there anything management truly fears, and are those concerns out in the open? Does the
organization consider interrelationships among risks to identify relevant risk themes?
• Is the board apprised in a timely manner of significant changes in the enterprise's risk profile? Is there
a process for identifying emerging risks? Does the exercise result in appropriate response plans?
• Is the board satisfied that management is periodically monitoring changes in the business
environment to identify potential impacts on the assumptions and risks inherent in the corporate
strategy?
Preparing for a Black Swan
A black swan is a high-impact, hard-to-predict and rare event that is beyond the realm of normal
expectations in history, science, finance, and technology.
Since no one can predict the future, how can we gain an understanding of what we don't
know? One approach is to use the most critical assumptions underlying the strategy as a context for
understanding how much a black swan might hurt. The approach works as follows:
• Define your strategic assumptions:
These assumptions are management's "view of the world" for the duration of the strategic planning horizon.
• Develop contrarian statements:
These statements negate the strategic assumptions. If the strategic assumptions are management's "white swans,"
the related contrarian statements are potential "black swans." They frame the impacts that could seriously damage
the company's ability to execute its strategy.
• Recognize that not all contrarian statements are black swans.
Look for the statements that are likely to have the greatest impact on the company if they were to transpire.
• Articulate the implications of high-impact contrarian statements:
An implication statement resolves the conflict between the strategic assumption and the contrarian statement by
asking: "What do we do if critical assumptions underlying our strategy are no longer valid?" and "How would we
know if our assumptions are no longer valid?" Action plans arising from an implication statement often include
implementing new trending and key factor metrics to monitor vital signs germane to the external environment
exposures that concern management and the board.
Preparing for a Black Swan (Continued)
Questions to Consider
Questions that boards of directors may consider, in the context of the nature of the entity's risks inherent
in its operations:
• Is there a common understanding between management and the board as to the critical assumptions
underlying the enterprise's strategy?
• Is there a process for challenging underlying assumptions? Are key factors that provide insight
regarding the continued validity of the key underlying assumptions monitored over time?
Oversight of Information Technology Risk
A recent survey of more than 200 board members determined that 47% of directors are dissatisfied
with their board's ability to provide IT risk oversight.
Following are suggestions for boards to consider to help them enhance their IT risk oversight:
• Start with the right questions:
What are our risks? How are we managing them? And how do we know?
• Take an integrated, comprehensive view:
Integrate these risks into its oversight of strategic, operational, financial and compliance risks.
• Organize for IT risk oversight:
Evaluate strategic IT issues as part of a separate strategy committee or the finance committee, mirroring how the
board oversees strategic planning and execution.
• Understand how technology fits within the business model:
For organizations where technology is a tool for building connections with strategic suppliers, channel partners,
customers and outsourcing providers, directors need management to present a picture of IT that is integrated with a
view of the business.
• Remember, there is a compliance aspect to IT risk:
New and expanding regulations continue to arise across and within industries. Noncompliance with regulatory
requirements can have severe consequences.
Oversight of Information Technology Risk (Continued)
• Strengthen internal audit:
Establish an IT function, conduct an IT audit risk assessment, and obtain the resources and skills in audit to evaluate the
organization's IT risk.
• Don't forget board education:
IT risk oversight requires some education for most boards. Directors must look to the CEO, CIO and chief strategy
officer for assistance in this regard.
Oversight of Information Technology Risk (Continued)
Questions to Consider
• Does the board devote sufficient time to IT risks and the organization's processes to manage them?
• Does the company monitor technology innovations, including how new technology can be deployed by competitors (or
employees) to create disruptive change? Are aging legacy systems preempting efficiency, agility and innovation?
• For IT projects, does the board understand the underlying assumptions about how each project will produce cost
savings, improve business processes or achieve strategic goals, as well as how success will be measured? Is there
follow-up to ensure each significant project delivers on promises made?
• Does the board receive adequate information on (a) the organization's overall IT costs and (b) allocations of IT spend
across all projects to assess optimization of ROI and ensure compliance and contractual obligations are being met?
• Does the board understand the data privacy and security risks faced by the company? Are data privacy and security
considered integral to all new business processes?
• Is the CIO organization effective in supporting the changing needs of the business? Are cloud solutions being
deployed? If so, does the board understand the risks associated with them?
• If the company uses outsourced providers, is the board satisfied such relationships are being managed effectively?
• Does the board stay current with respect to its knowledge and understanding of IT matters as they relate to the
company and industry?
Ten Ways Risk Oversight Can Fail
Risk oversight is a top-of-mind issue for boards today because of the dramatic failures associated with
the financial crisis and the unanswered questions around what directors might have done to thwart it.
Following are 10 reasons that can contribute to failure of the board's risk oversight process:
1) Lack of a robust process for prioritizing, managing and monitoring the enterprise's critical risks
2) Lack of understanding of, or a failure to monitor, the significant assumptions underlying the strategy
3) Executive management and the board are not on the same page with respect to the entity's risk
appetite
4) Failure to identify and manage emerging risks
5) Insufficient time to think about the future
6) The company practices "enterprise list management"
7) Drowning in data with little knowledge or insight
8) Deficiencies in the enterprise's "tone at the top" and culture
9) Lack of an effective chief risk officer
10) The board isn't organized effectively for risk oversight
Ten Ways Risk Oversight Can Fail (Continued)
Questions to Consider:
Following are some suggested questions to consider, in the context of the nature of the entity's risks
inherent in its operations:
• Has the company articulated its risk oversight objectives and evaluated the effectiveness of its risk
oversight processes in achieving these objectives?
• Is the company proactively taking steps to address any gaps that may impede its risk oversight
effectiveness?
Ten Risk Oversight Principles
Below are 10 principles to assist boards in strengthening their oversight of the company's risk
management.
Ten Principles of Effective Risk Oversight
1. Understand the company's key drivers of success.
2. Assess the risk in the company's strategy.
3. Define the role of the full board and its standing committees with regard to risk oversight.
4. Consider whether the company's risk management system - including people and processes - is
appropriate and has sufficient resources.
5. Work with management to understand and agree on the types of risk information the board requires.
6. Encourage a dynamic and constructive risk dialogue between management and the board, including
a willingness to challenge assumptions.
7. Closely monitor the potential risks in the company's culture and its incentive structure.
8. Monitor critical alignments - of strategy, risk, controls, compliance, incentives and people.
9. Consider emerging and interrelated risks: What's around the next corner?
10. Periodically assess the board's risk oversight processes: Do they enable the board to achieve its risk
oversight objectives?
Ten Risk Oversight Principles (Continued)
Questions to Consider:
Following are some suggested questions to consider, in the context of the nature of the entity's risks
inherent in its operations:
• Has the company articulated its risk oversight objectives?
• Has the company evaluated the effectiveness of its risk oversight processes in achieving its risk
oversight objectives? Does the board plan to conduct this evaluation periodically?
• Is the company proactively taking steps to address any gaps that impede its risk oversight
effectiveness?
Protiviti Contacts
Steven La France, Director
Phone: 213.327.1445
Madhushi Kurera, Associate Director
Phone: 213.327.1488
Powerful Insights. Proven Delivery.™
Thank you!