Traditionally, boards of directors and management have focused on understanding a company's financial reporting and the related risk management programs. Today, boards of directors and management have broadened their horizon to include an understanding of the wider risks affecting the company, as well as the company's overall risk management program.
These risks may relate to the organisation's strategy, operations, and compliance with environmental, health, safety, legal, and regulatory requirements. Therefore, boards of directors and management should develop a thorough understanding of the company's overall risk management processes across the enterprise.
A growing number of tools are available to help companies manage enterprise risks, including risks associated with financial reporting; to assess the potential impact of risks and the degree of vulnerability; and to link risks to specific management areas and activities in the organisation.
When considering both the effectiveness and the efficiency of the company's process for enterprise risk management, boards of directors and management might ask the following questions:
To keep the company's risk profile aligned with changes in the business, enterprise risk should be assessed by management at least once a year. Also, any significant business events (e.g., acquisitions, mergers, or divestitures) should result in the re-evaluation of the company's risk profile and its implications for financial reporting. Although management has the primary responsibility for assessing enterprise risk, the board of directors may have an active role in overseeing the process and in understanding management's response to the identified risks.
In assessing enterprise risk, management should: