Risk Management & Oversight

Risk Management & Oversight — corporate governance analysis covering board structure, shareholder rights, and ESG disclosure. OECD-aligned framework.

Section: Governance. Topics: ESG, Risk, Management, Oversight, governance, corporate governance, board responsibilities, shareholder rights, sustainability, reporting

Risk Management & Oversight

Enterprise risk management (ERM) is the process of identifying, assessing, and managing risks that could affect an organization's ability to achieve its objectives. Effective board oversight of risk is a core governance responsibility, increasingly encompassing ESG risks including climate, cyber, supply chain, and social risks.


Key Metrics & KPIs

Risk Governance

  • Board risk committee: Dedicated risk committee or audit committee oversight
  • Chief risk officer (CRO): Dedicated executive role reporting to CEO/board
  • Risk appetite statement: Board-approved risk tolerance levels
  • Risk management framework: Documented ERM methodology (ISO 31000, COSO ERM)
  • Risk reporting frequency: Board risk updates (typically quarterly)

Risk Assessment

  • Risk register: Number of identified risks, categorization (strategic, operational, financial, compliance, ESG)
  • Top risks: Board-identified priority risks
  • Risk heat map: Likelihood and impact assessment
  • Emerging risks: Forward-looking risk identification
  • Scenario analysis: Climate scenarios, cyber attack scenarios, supply chain disruptions

Climate Risk

  • TCFD implementation: Governance, strategy, risk management, metrics/targets disclosure
  • Climate scenario analysis: 1.5°C, 2°C, 4°C scenarios
  • Physical risk assessment: Assets exposed to climate hazards
  • Transition risk assessment: Policy, technology, market, reputation risks
  • Climate risk integration: Incorporation into ERM framework

Cybersecurity Risk

  • Board cyber expertise: Directors with cybersecurity qualifications
  • Cyber risk reporting: Frequency of board updates on cyber threats
  • Incident response plan: Tested and updated annually
  • Cyber insurance: Coverage limits and deductibles
  • Third-party cyber risk: Vendor security assessments

Supply Chain Risk

  • Supplier risk assessments (%): Critical suppliers assessed annually
  • Geographic concentration: Percentage of spend in high-risk regions
  • Single-source dependencies: Number of sole-source suppliers
  • Business continuity plans: Tested disaster recovery procedures
  • Supply chain mapping: Tier 1, 2, 3 supplier visibility

Risk Management Frameworks

ISO 31000:2018 Risk Management
International standard providing principles and guidelines for risk management applicable to any organization.

COSO Enterprise Risk Management Framework
Integrated framework linking risk management to strategy and performance, widely adopted by US companies.

TCFD Recommendations
Task Force on Climate-related Financial Disclosures framework for climate risk governance, strategy, risk management, and metrics.

NIST Cybersecurity Framework
US framework for managing cybersecurity risks through its Identify, Protect, Detect, Respond and Recover functions.


Board Risk Oversight Best Practices

Clear Accountability
Board risk committee charter, management risk committee, three lines of defense model (business units, risk/compliance, internal audit).

Risk Appetite
Board-approved risk appetite statement, quantitative and qualitative risk limits, regular monitoring against limits.

Forward-Looking
Emerging risk identification, scenario planning, stress testing, horizon scanning for disruptive threats.

Integration
Risk considerations in strategy setting, capital allocation, M&A decisions, performance management.

Culture
Tone from the top on risk management, risk awareness training, incentives aligned with risk appetite, speak-up culture.


Climate Risk Disclosure

TCFD Four Pillars

Governance: Board oversight of climate risks and opportunities, management's role in assessing and managing climate risks.

Strategy: Climate risks and opportunities over short, medium, long term, impact on business/strategy/financial planning, resilience under different climate scenarios.

Risk Management: Processes for identifying and assessing climate risks, processes for managing climate risks, integration into overall risk management.

Metrics & Targets: Metrics used to assess climate risks/opportunities, Scope 1/2/3 GHG emissions, climate-related targets and performance.


Cyber Risk Governance

Board Responsibilities
Understand cyber threat landscape, oversee cyber risk management strategy, ensure adequate resources, review incident response plans, receive regular updates.

Key Questions for Boards
What are our most critical assets and data? What is our cyber risk appetite? How do we compare to peers? What is our incident response capability? How do we manage third-party cyber risk?

Cyber Metrics for Boards
Number of significant incidents, mean time to detect/respond, percentage of systems with current patches, phishing test results, cyber insurance coverage.
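To show how the metrics listed above are actually derived and reported against a board-approved risk appetite, here is an added worked example (not part of the original page or of ESG Hub's material). It computes the count of significant incidents, mean time to detect and respond, patch currency and phishing-simulation rates from constructed incident, asset and phishing records, then grades each against hypothetical green/amber/red tolerances of the kind a risk appetite statement would set. All identifiers, timestamps, hostnames and thresholds are constructed for illustration.

```python
"""Board-level cyber KPIs computed from constructed sample records (added example)."""
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    ident: str
    severity: str        # "low" | "medium" | "high" | "critical"
    occurred: datetime   # earliest adversary activity established by forensics
    detected: datetime   # case opened by the security operations team
    contained: datetime  # containment confirmed


SIGNIFICANT = {"high", "critical"}  # severities the board counts as "significant"

# Constructed incident records; timestamps are hypothetical, not real events.
INCIDENTS = [
    Incident("INC-001", "critical", datetime(2024, 3, 1, 8), datetime(2024, 3, 2, 4), datetime(2024, 3, 2, 16)),
    Incident("INC-002", "high", datetime(2024, 3, 10, 9), datetime(2024, 3, 10, 17), datetime(2024, 3, 11, 2)),
    Incident("INC-003", "medium", datetime(2024, 3, 15, 10), datetime(2024, 3, 15, 13), datetime(2024, 3, 15, 15)),
    Incident("INC-004", "low", datetime(2024, 3, 20, 0), datetime(2024, 3, 20, 1), datetime(2024, 3, 20, 2)),
]

# Constructed asset inventory: hostname -> date of last successful patch cycle.
ASSETS = {
    "web-01": date(2024, 3, 25),
    "web-02": date(2024, 3, 10),
    "db-01": date(2024, 2, 1),
    "vpn-01": date(2024, 3, 28),
    "legacy-app": date(2023, 12, 15),
}

# Constructed phishing-simulation result for the quarter.
PHISHING = {"sent": 400, "clicked": 32, "reported": 180}

# Hypothetical board-approved tolerances: (green_limit, amber_limit, higher_is_better).
TOLERANCES = {
    "mttd_hours": (12.0, 24.0, False),
    "mttr_hours": (8.0, 24.0, False),
    "patch_currency_pct": (95.0, 85.0, True),
    "phish_click_pct": (5.0, 10.0, False),
}


def _hours(delta):
    return delta.total_seconds() / 3600


def _select(incidents, severities):
    return [i for i in incidents if severities is None or i.severity in severities]


def significant_incident_count(incidents=INCIDENTS):
    """Incidents at or above the severity the board treats as significant."""
    return sum(1 for i in incidents if i.severity in SIGNIFICANT)


def mean_time_to_detect(incidents=INCIDENTS, severities=None):
    """Mean hours from first adversary activity to detection."""
    return mean(_hours(i.detected - i.occurred) for i in _select(incidents, severities))


def mean_time_to_respond(incidents=INCIDENTS, severities=None):
    """Mean hours from detection to confirmed containment."""
    return mean(_hours(i.contained - i.detected) for i in _select(incidents, severities))


def patch_currency_pct(assets=ASSETS, as_of=date(2024, 3, 31), max_age_days=30):
    """Percentage of assets patched within the allowed window as of the reporting date."""
    current = sum(1 for last in assets.values() if (as_of - last).days <= max_age_days)
    return 100.0 * current / len(assets)


def phishing_click_pct(results=PHISHING):
    return 100.0 * results["clicked"] / results["sent"]


def phishing_report_pct(results=PHISHING):
    return 100.0 * results["reported"] / results["sent"]


def rag_status(metric, value):
    """Grade a metric green/amber/red against the board's tolerance for it."""
    green, amber, higher_is_better = TOLERANCES[metric]
    if higher_is_better:
        return "green" if value >= green else "amber" if value >= amber else "red"
    return "green" if value <= green else "amber" if value <= amber else "red"


def board_report():
    """Return the quarter's metrics and their RAG status where a tolerance exists."""
    metrics = {
        "significant_incidents": significant_incident_count(),
        "mttd_hours": mean_time_to_detect(),
        "mttr_hours": mean_time_to_respond(),
        "patch_currency_pct": patch_currency_pct(),
        "phish_click_pct": phishing_click_pct(),
        "phish_report_pct": phishing_report_pct(),
    }
    status = {m: rag_status(m, v) for m, v in metrics.items() if m in TOLERANCES}
    return metrics, status


if __name__ == "__main__":
    report, rag = board_report()
    for name, value in report.items():
        print(f"{name:24s} {value:8.1f}  {rag.get(name, '')}")
```

Reporting MTTD and MTTR separately for significant incidents (pass `severities=SIGNIFICANT`) is usually more informative for a board than the all-incident average, which low-severity cases pull down. The patch-currency figure above comes out red while detection and response are green, which is the kind of divergence a board risk committee should see rather than a single blended score.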


