3 Factors to Consider Before Escalating Risk Issues to the Board

After beginning as a requirement for financial firms, active Board oversight of risk management has increasingly become an expectation, even a necessity, for all types of organizations over the last 20 years.

The annual State of Risk Oversight report from North Carolina State University corroborates this. According to their survey, a high number of Boards, 68% of the full sample in fact, are asking executives to increase involvement in risk oversight. NC State’s surveys over the last few years have been consistent in their findings on this topic.

Boards at the forefront of risk oversight take a holistic view that balances short-term priorities with long-term value creation.

But despite this increased interest in risk-related matters, a significant number of Boards are not satisfied with their organization’s risk management processes and strategy. And while this has been confirmed to an extent in years past, one recent survey from E&Y pegs this dissatisfaction at 84%.

Let’s take a moment to let that sink in….

Reasons for this dissatisfaction aren’t entirely clear, but in general, many Boards simply do not know what they need or want from ERM…they just know they’re dissatisfied, as Tim Leech explains in a recent LinkedIn post.

Some Boards simply don’t communicate their concerns while others do but don’t see the change they’re looking for. It’s possible that CEOs are defying their Board, but the more likely explanation is executives simply don’t know where to start.

Tim maintains that the single biggest culprit of this disconnect is refusal on the part of many auditors, executives, and risk managers to admit the inadequacy of legacy risk management and audit systems, which is a topic we’ve discussed here in the past.

But in addition to this overarching issue…

If the Board feels like the information it receives is insufficient or wrong, it could trigger them to say their organization does not have good risk management practices.

Communicating risks to the Board has been both a recurring and popular topic on this blog and amongst thought leaders like Tim Leech, who explains in this comment:

I believe that the majority of Boards today are not receiving high quality/relevant information on the true risk/certainty status linked to key objectives. Traditional/legacy risk management and internal audit methods are not equipped to do that.

In my previous article, 5 Tips to Making Board Risk Reports Meaningful Tools for Decision-Making, I reiterate that many companies struggle to provide their Boards with actionable information in an easy-to-digest way. As COSO explains, there’s “…no single correct method for communicating with the Board,” but one of the most important steps executives and risk managers can take is to communicate risk information in a way the Board can understand.

With that said, if the Board is going to play an active role in the organization’s risk management and strategic decision-making, parameters need to be set to determine what issues are ultimately brought to their attention. Risk managers and executives have a tendency to keep things high level so as not to overwhelm their Boards with too much detail, but staying too high level means you aren’t providing board members with valuable insights and actionable information.

If you find yourself in this situation, 3 factors that need to be present in a risk or opportunity to escalate it to the Board’s attention include:

  1. The risk or opportunity needs to be cross-departmental. If it’s only an issue within one department, like Marketing or Finance, that specific area should be able to take care of it. However, if the risk is pervasive and widespread, the Board may need to be involved, which requires more background information to make a decision or provide direction.
  2. Addressing the risk will require significant amounts of time, human, or financial resources. Again, if it’s an issue that can be resolved in 5 minutes with little or no financial outlay, then it’s safe to say the Board doesn’t need to be aware of it. The Board may need to be involved if the issue will require the company to divert resources from other priorities, especially when it impacts strategic objectives.
  3. The risk or issue could have significant impacts to the company’s reputation when viewed from the outside.

If at least two of these parameters are present, then it’s probably wise to go ahead and notify the Board of the situation so they can be aware and offer their insights on how best to proceed.

One important thing to keep in mind is the purpose of escalating this risk information to the Board. One way to share this information with the Board would be providing (at a minimum):

  • Description of the risk/issue
  • Facts currently known about the risk/issue (not assumptions)
  • What is not known
  • Description of potential or actual impacts to organization
  • Potential solutions

Jeff Lovern, Chief Risk Officer of Principal International, says this about escalating risk information to C-suite executives and the Board:

The list of data points is, of course, a general idea that should be customized for your organization’s needs and Board’s background, preferred communication styles, and more.

In the end though, the real purpose of escalating risk issues is to promote further conversation and dialogue, but you must make sure you’re escalating the right issues. Through this process, Boards should be able to provide needed insights to ensure the company is addressing the right risk issues in pursuit of strategic goals.

And the natural by-product of successful escalation is an improvement in the Board’s perception of the organization’s risk management practices.

Is your Board playing an active oversight role in your company’s management of risks and opportunities?

Do board members feel they have the information they need to adequately discharge these duties?

We welcome your thoughts and insights into how organizations can improve the information they provide to their Boards. Please don’t hesitate to leave a comment below or join the conversation on LinkedIn.

If your organization is trying to improve risk oversight and strategic decision-making by your Board or senior executives and doesn’t know where to start, click here to schedule a meeting to discuss your specific situation and needs.

Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
