Trois étapes pour aider le CA à s’acquitter de ses obligations à l’égard de la surveillance de la gestion des risques

Quel doit être le rôle du conseil d’administration eu égard à la surveillance de la gestion des risques ? L’article publié par Scott Hodgkins, Steven B. Stokdyk, et Joel H. Trotter dans le forum du site du Harvard Law School présente, d’une manière très concise, les trois étapes qu’un conseil doit entreprendre en matière de gestion des risques d’une société.

Les auteurs rappellent l’utilisation d’un modèle développé par le COSO (Committee of Sponsoring Organizations de la Commission Treadway), bien connu en gouvernance, qui invite les CA à :

  1. S’entendre avec la direction sur un niveau de risque acceptable (l’appétit pour le risque);
  2. Comprendre les efforts de la direction dans l’exécution des pratiques de gestion des risques;
  3. Revoir le portefeuille des risques en considérant l’appétit pour le risque;
  4. Connaître les risques les plus importants de l’entreprise, ainsi que les stratégies de la direction pour les contrôler.

L’article discute des trois étapes que le CA doit accomplir afin de s’acquitter de son rôle en matière de gestion des risques :

  1. Déterminer le modèle de supervision privilégié par le CA;
  2. Convenir avec le management d’une approche appropriée à la gestion des risques et revoir l’approche retenue;
  3. Évaluer les ressources du CA en matière de gestion de risques et éviter les biais et la pensée de groupe.

Voici donc un extrait de l’article qui précise chacune des trois étapes.

Bonne lecture !

Three Practical Steps to Oversee Enterprise Risk Management

1. Determine the board’s preferred oversight model

Typically, boards either retain primary responsibility for risk oversight or delegate initial oversight duties to a committee, such as the audit committee or a risk committee. Where the board retains primary responsibility, individual committees may provide input on specific types of risk, such as compensation risk, audit and financial risk, and regulatory and compliance risk.


In selecting between the active board model and the committee model, the board should consider those directors with the necessary expertise to oversee unique market, liquidity, regulatory, innovation, cybersecurity and other risks that may require special attention. The board should also consider whether adding duties to an existing committee, such as the audit committee, may be too burdensome in light of existing workload.

These issues are unique to each company, and the key is to ensure that the model you choose is effective for your situation.

2. Develop a stated approach to risk management

Some companies may adopt a risk management statement or policy. As with other policy statements, a risk management statement can create a tone-at-the-top benchmark for assessing value-creation opportunities as they arise and provide guideposts for management’s operational decisions.
A risk management statement should separately identify:

  1. Acceptable strategic risks
  2. Undesirable risks
  3. Risk tolerances or thresholds in stated categories, such as strategic, financial, operational and compliance

In developing the company’s approach, the board should consider:

  1. Investor expectations of the company’s risk appetite
  2. Competitors’ apparent risk appetite
  3. Stress-tests for risk scenarios, using historical experience and sensitivity analysis
  4. Long-term strategy versus existing core competencies
  5. Possible long-term market developments
  6. Risk concentrations (e.g., customer, supplier, investment, geographic)
  7. Effects of new business generation on desired risk profile
  8. Strategic planning and operations compared to articulated risk appetite

Developing a stated approach to risk management requires good working relationships among the board members, the CEO and management, as well as active participation by all involved.

3. Assess board capabilities and effectiveness, reviewing for bias and groupthink

The board must evaluate its own capabilities and effectiveness, paying particular attention to the possible emergence of cognitive bias or groupthink.

In assessing board capabilities and effectiveness, the board should consider:

  1. Directors’ skills and expertise compared to the company’s current and future operations
  2. Possible director education initiatives or new directors with additional skills
  3. Delegation of risk oversight in highly technical areas, such as cybersecurity
  4. Retention of independent experts to evaluate specific risk management practices
  5. Clear allocation of responsibility among the board committees and members
  6. The balance between board-level risk oversight and management-level day-to-day ERM Boards must also guard against two types of bias:
  7. Resistance to new ideas from outsiders, thus overlooking new opportunities or risks
  8. Confirmation bias, incorrectly filtering information and confirming preconceptions

Maintaining contact with business realities also requires collegiality and open communication among management and directors.

Boards should consider their risk oversight in light of these three steps to assist in framing an effective approach to enterprise-level risk exposures.

%d blogueueurs aiment cette page :