A board of directors has a huge responsibility for risk governance and oversight, so it is understandable that it would delegate certain risk areas to other committees. The problem is that certain risks might then not be considered in aggregate or in relation to other known risks facing the company.
This becomes tricky because the full board is ultimately responsible for making sure that the company stays within its risk appetite and that interrelated risks are not overlooked between committees. Although the full board should remain responsible, it is helpful to assign more focused risk topics to committees while still requiring review by the board in its entirety.
Directors should confirm with management the point at which certain operations become unacceptably risky and how management will respond if an unacceptable risk level is reached. The planned response should include discussions about how the risk is being mitigated, monitored and managed.
Directors should also develop a process to understand the potential impact of smaller risks in aggregate. Certain risks may be acceptable in themselves; however, when added to other risks, they could prove crippling to the company. Instead of taking management’s word that risk is being appropriately managed, directors should request supporting evidence for management’s assertions about risk. (NACD Report on Risk Governance: Balancing Risk and Reward, October 2009)