NOTE: I HAVE UPDATED THIS MATERIAL – PLEASE SEE MY BLOG POST FOR MARCH 28 OR THE “ABOUT” BUTTON FOR THE UPDATES.
Board & Director Oversight of Risk & Uncertainty Management Form
Dave Tate, Esq. (San Francisco)
(See also separate board and committee evaluation materials for additional detailed discussion.)
This form is a work in progress – I seldom publish materials that are works in progress, but in this circumstance I don’t see why not, as the current state of risk and uncertainty management, and board and director oversight of risk and uncertainty management, are all in various degrees of continual development and they will continue as such.
I have intentionally not provided a checklist of general or specific risks and uncertainties, or a checklist of risks and uncertainties that might be applicable in a particular situation or for a particular entity or for a particular industry, or a checklist or discussion about risks and uncertainties that are or might be appropriate for board oversight within the context of a particular organization. More specific or targeted risk and uncertainty discussions can be provided and sometimes found in other materials. But doing so in this material could cause more limited application of this form, which is contrary to the intent.
Management is responsible for risk management. The board and directors serve an oversight function. As a general proposition, all risk cannot be absolutely or even reasonably identified, assessed, controlled or managed, or eliminated, and to a varying extent risk and uncertainty management requires the exercise of judgment relating to the future, which is occurring and potentially or actually changing or shifting at varying speeds.
I have not discussed in this form board, board committee or director oversight or risk oversight responsibilities as those topics and discussions are for other materials, some of which can be found in other separate papers and forms relating to annual self-evaluation.
Technical and detailed materials, discussions and opinions about risk management already are voluminous – at times it seems that they are increasing from unlimited sources and directions. As eyes glaze over it is easy to lose sight of the forest for the trees. Instead, the intent of this form, as a current work in progress, is to provide one useful version of a concise, uncomplicated but accurate, easy-to-use, get-started format to assist in the oversight of risk and uncertainty management processes.
For some people the format provided in this form will be too uncomplicated and lacking in detail, and some of my risk professional friends might well consider the form too simplistic; but any user of this form can add and continue to add as much detail as desired. I don’t expect the majority of directors to be interested in reading and understanding twenty, or thirty, or more pages of technical terminology, materials and alternative theories and approaches. This form encourages a keep-going or get-started approach.
I do note that as this is a developing area management might in part use different or additional risk management terminology or processes, some of which might or might not be appropriate or universally understood. With respect to oversight, the director should ask appropriate questions of management so that he or she sufficiently understands the terminology and processes in use.
The discussions in this form are applicable for all entities – public companies, private companies and organizations, nonprofits and governmental entities – although depending on the entity type or situation, sometimes the terminology or context might be or need to be different, and of course some members of management and directors are extremely knowledgeable about these topics whereas others are somewhere in the middle or just beginning. All of that is okay.
This form does not provide legal or other professional advice, and does not discuss legal or other professional standards, requirements or responsibilities – you should consult with a professional about your specific situation.
1. Risk and Uncertainty Management Defined
Several established and broadly recognized organizations have each developed and provided their definitions of risk and uncertainty management. But there is no universally accepted definition. You will note that throughout this form in addition to “risk” I have included “uncertainty.” I prefer “uncertainty” but the more often heard reference is to “risk” management. “Risk” suggests the occurrence of a negative or loss deviation from expected results; however, as deviations can also be positive or beneficial, I believe that “uncertainty” management is the more accurate description. In part ISO 31000 Risk Management uses the “uncertainty” terminology (ISO stands for International Organization for Standardization). Accordingly, for this form I have used both “risk” and “uncertainty” recognizing that “risk” is more universally used whereas “uncertainty” is also used and is more accurate.
Risk and uncertainty management: activities and processes used to help and attempt to identify, evaluate or assess, manage and control, and monitor risks and uncertainties that may or may not occur in the future. Risk, according to ISO 31000, is the effect of uncertainty on objectives. Uncertainty or lack of certainty exists when knowledge or understanding of an event, consequence or likelihood is inadequate, incomplete or not absolute. In other words, as to the future we don’t have a crystal ball, and there is a chance that things will not go according to plan or as anticipated or assumed. The chance of deviation from plan or anticipation or assumption can be negative or a loss, or positive or a benefit.
2. Risk and Uncertainty Management Processes
No universally accepted process……..
Insert/discuss generally understood or agreed upon processes………..
Terminology that I generally don’t like or that I have problems with depending on how they are used or defined, and why: risk appetite, risk tolerance, some definitions or uses of assessment, and similar………
Consider inserting a table of processes or steps to consider…………
Insert text boxes for generally understood or agreed upon processes……..
* * * * * * *