

How can boards assess their organisation’s risk management?

By Michelle Tuveson and Danny Ralph

Globalisation and its effects permeate the infrastructure and operations of almost every company. As a result the business ecosystem is far more interconnected and complex - which brings more risks. It is vital that each member of the board has a full understanding of the business’s risk profile and the effectiveness of its risk management.

This article shows how to take a fresh look at the threats faced by a company. It provides a template for both senior executives and non-executives who are not embedded in the day-to-day business. It will help directors to interact with enterprise risk management teams and board risk committees, guiding them so that they can ask productive questions and act on what they discover.

Our contribution is intended as a summary of the most significant risks that could affect a board member’s ability to advise on a company’s strategy and general governance, while investigating its operational excellence and resilience.

We present our recommendations as three topics, two deep dives and a series of questions to assist directors in considering their organisation's risk management.

1. Risk information

The most important representation of a company’s view of risk is its risk register. This may cover top and emerging risks in areas including digitisation and sustainability, and enterprise risks in general. The register and supporting information will be available in a listed company’s public disclosures and internal reports. Questions to ask include:

  • can you articulate the risk register in terms of this year’s targets and future targets, perhaps implied, in the three- to five-year plan?
  • can you interpret the risk register as a statement of the company’s risk appetite regarding its targets? What level and likelihood of underperformance is unacceptable, and what steps are being taken regarding unacceptable outcomes?

2. Governance and assessment of the risk register

How directors contribute to risk management is not limited to risks per se: it is important to understand the structure and channels for inputs into top risks and risk processes. Talk to the chief risk officer about a business’s processes for creating and maintaining the risk register. Speak to the senior officers and committees that contribute to risk reporting and look at the ratings and data used to describe risk impacts.

Consider, too, the time taken for management responses, risk monitoring and reassessment of impacts, and the network of role-holders whose risk information is passed up the line. Questions to ask include:

  • what are the channels to use to contribute your insights on risk management?
  • what is the process that triggers an immediate review of enterprise-level risk, for example in a heightened risk situation or the immediate aftermath of an event, accounting for mitigations in divisions or business lines?

Deep dive: Contributing to your organisation’s risk management

Each director’s insight will be shaped by their unique experience. They will bring their own skills to seeing and flagging up a blind spot. For various reasons a company might not be good at accepting recommendations made by directors. If this is the case, then a discussion about risk will reveal the shortcomings. Questions to ask include:

  • can you test the risk register for blind spots, for example by using a standardised risk taxonomy? (See exhibit one of the Cambridge Business Risk Taxonomy as an example of an external risk taxonomy.)
  • how might you use the risk management process to highlight blind spots at the company?

3. Organisational gap analysis

Strategy groups in a business typically make regular assessments and conduct horizon scanning activities to keep company strategy up to date. Looking at short-term and long-term trends and bringing strategy into line with these will be part of the task. Risk teams can help by providing prioritisations and data such as key performance indicators.

Invariably a gap analysis will uncover areas that need further investigation. How well risk and strategy teams work together varies by company. A director can be an agent in bridging organisational gaps. Questions to ask include:

  • how well integrated is the risk register process with the rest of the group’s strategy activities? Is there consistency of KPIs in the risk and strategy teams?
  • what are the plans to address the gaps in the company and who will be accountable?

Deep dive: Scenarios from risk awareness to business impact

Reviewing a risk may lead to a request for action from business units or central functions. Our experience is that awareness of a risk will lead to a business stress test. This then results in mitigation or a more direct response. Questions to ask include:

- what scenarios, stress tests or simulations are used to understand the severity of a risk? What roles and functions in the company have tested those scenarios? Such a job is typically for the enterprise risk team.

- for sudden risks:

  • what is the effect on operations; will there be disruption and how much? What areas of damage are relevant, for instance plant, staffing, costs, revenues and reputation?
  • what mitigations are relevant to the above and how much do they help?

- for longer term or trend risks:

  • what processes are needed to keep risks visible and monitor their changes?
  • is there a way to set triggers so that a risk can move up or down the risk register?

- what is the route from stress testing the business to ownership of risk at board level?


Directors are expected to steer companies towards profitability and away from pitfalls. Uncertain times will bring greater risk, meaning that risk management plans come to the fore. Members of a board will be most effective if they have a general understanding of the business and know how to ask the questions that will bring risk into the spotlight. It is more exciting to focus on the upside of risk but downside risks cannot be ignored.

Checklist of key topics and questions on risk management for a director


Michelle Tuveson is chairman and executive director of the Cambridge Centre for Risk Studies (CCRS) at the University of Cambridge Judge Business School. Danny Ralph is academic director of the CCRS and professor of operations research at the University of Cambridge Judge Business School.

This guide has been brought to you by FT Board Director.