
Korn Ferry report about board oversight of risk management, from Norman Marks' blog

I have pasted below a blog post from Norman Marks. Norman is the Compliance Officer with SAP. I thought this group might be interested in his comments about a recent Korn Ferry report about risk management oversight. If you are interested, the link is

David Tate

Norman's blog:


Interesting insights from Korn/Ferry on board oversight of risk management

Norman Marks | April 1, 2011 at 1:04 pm | Tags: ERM, governance, GRC, risk | Categories: Uncategorized | URL:

The Korn/Ferry Institute has interviewed 26 chairmen, chief executives, and board directors from companies in the US and Europe on the topic of board oversight of risk management. In its report, they shared some interesting observations.

Here are a few excerpts:

  • Because of the increasing complexity of risk, the threat and reality of new regulation, heightened public interest, and the Internet-enabled speed at which issues can turn into crises, boards are fundamentally reassessing this aspect of their work. They are demanding additional resources, improved data, and sharpening boundaries around oversight. They are looking more critically at themselves, asking how they can best support the business, in part, by challenging risk issues. They are seeking to exploit their knowledge and understanding of risk to enhance strategic debate and decision-making and gain commercial advantage.
  • If you are risk averse, you don’t go anywhere. The profit of tomorrow comes from the risk you take today.
  • Risk oversight is how boards put the appropriate risk appetite in place and ensure it is informing decision-making on a multitude of issues.
  • Risk is both necessary and good – up to a point. The continual challenge is to identify the tipping point between opportunity and peril, and set the risk appetite dial accordingly.
  • Risk must be the responsibility of the whole board, prepared by the audit committee. There is a danger in multiplying committees and losing focus.
  • Risk metrics are important to a board’s oversight of risk. But beware of people who bring you simple solutions to complex problems.
  • Many board members express skepticism about the risk reports they receive. They offer little opportunity for directors to dig into the assumptions and interrogate the data. Even when the data capture is sufficiently rigorous, interviewees say, risk reports are often triumphs of advocacy, victims of over-refinement, or simply over-aggregated. Directors say they require less refined, more granular data, and they want it earlier in the business cycle. They need more leading indicators and predictive data in order to help with forward-looking risk assessments.
  • There’s only one way we’re going to find out what’s really going on, and that’s by bringing the right people within the company to our board discussions and generating the right kind of dialogue with them.
  • The real evolution and value will come when risk finds its way into day-to-day behavior and culture. It will become one of the things that people pay attention to. It will become part of what people do implicitly.
  • You don’t get a better system by adding more controls. Instead you should focus on the values and cultures within the company. That’s the most important thing.
  • Boards should be particularly alert to poor management style and behavior in the organization, as these will tend to be replicated at the front-line.
  • Boards should push for the integration of risk sensitivity and consciousness into performance management.

I welcome your comments.




Mark Stokes
Title: CFO
Company: Private

That's a very interesting article, thanks. I agree heartily with two themes here:
1) If you don't take risk today, you have no business tomorrow. I can't stand audit committee members (or CEO/CFOs for that matter) who try to squeeze every ounce of risk out of a company. That just kills creativity and motivation. There are very appropriate risks to focus on, diminish and eradicate, but if your goal is to get down to zero risk, please leave my board, b/c you are killing us.
2) Board reports and anything written that finds its way to an audit or other board committee are so "cleansed" due to fear that they are largely useless. I find getting the execs and operating folks (regardless of title) into the room for some Q&A is far more effective at a) learning, and b) uncovering issues. The paper just doesn't cut it and I think never will b/c people are (justly) afraid of memorializing issues that could come back to haunt them. Plus, when they write it down, they are not looking you in the eye.
