Boards of directors have to pay more attention to risk management than ever before in their corporate oversight duties. Sometimes it helps to ask the right questions.

1. What are the top risks facing the organization that could significantly impair the organization's ability to achieve its business objectives?

The board should know the key risks that management believes could impair the organization's ability to achieve its business objectives. Given the dynamic nature of risk, the board should also receive periodic updates on these risks. The focus should be on a concise list of the top strategic risks (such as a "top 10" list). We have found that boards get the most benefit from a concise listing and discussion of the top or strategic risks facing the organization, and that they should be cautious about initially trying to deal with overly large and complex risk reporting. An organization does face many risks, but a listing or matrix of 30, 40, or 50 risks will overwhelm a board and prevent a real focus on the key risks.

2. What are the organization's risk management processes and capabilities, and how do we know that they are effective?

The board should understand the organization's overall risk management processes and capabilities. Because risk management practices are still evolving in general, it should also understand what management will be doing to enhance those processes and capabilities. For example, is there a strategy and plan to enhance risk management in the organization?

3. How is risk management integrated into strategy setting, business-unit planning, and decision making?

A key responsibility of the board is strategy setting, and this process should include an understanding and thorough discussion of the related risks. Accordingly, boards should ensure that the organization's risk management processes include strategy setting and its flow-down to business-unit planning and decision-making processes.

4. Who in management is responsible for risk management, and is there clarity and accountability for that role and its responsibilities?

Directors should ask which executive is responsible for the overall risk management program. As with any other process, accountability is needed for risk processes to be effective. The board should also know whether other roles and responsibilities have been defined, such as risk owners for certain significant risks.

5. Do we understand and agree with management's risk appetite and risk tolerances?

There should be clear dialogue between the board and management about the organization's risk appetite and risk tolerances. Our experience is that the concept of risk appetite is a difficult one for many boards. Yet understanding the amount of risk an organization is willing to accept while striving to achieve its business objectives is a basic issue. The board should also know how the risk appetite and tolerances are communicated and aligned with business-unit plans, decision making, and operations. If management and the board decide to focus on this area, we highly recommend they review the new thought paper.

6. What is the organization's risk culture, and how is it reinforced?

The board should ask management to describe the organization's "risk culture" and how management communicates and reinforces it. Risk culture is a critical underpinning of effective risk management; it is one of the two areas of inquiry that Standard & Poor's focuses on in its initial reviews of risk management practices at nonfinancial companies. The board should ask itself how it knows what the risk culture is across the company and what its members should be doing to help set and reinforce the right risk culture.

7. How does management monitor external events and trends to identify "emerging risks"?

Management should run an ongoing process to identify emerging issues and establish appropriate monitoring activities. Management and boards are increasingly aware of the dynamic nature of risks and of the need for periodic review and updating of the key risks facing the organization. In particular, recent events such as the credit crisis have focused more attention on the need to monitor developing external events that could ultimately affect the organization. Accordingly, the board should receive periodic updates on management's views of emerging issues and risks.

8. How are compensation and incentive plans aligned with the organization's risk appetite and tolerances?

The board should understand how risk and the organization's risk appetite have been explicitly considered for each major compensation plan. The possible risks arising from compensation policies and plans are another facet of risk for which the SEC has expanded its proxy disclosure requirements. There should be clear direction from the board to its compensation committee to ensure that this relationship is considered appropriately when compensation policies and plans are reviewed and approved. The board may also want to consider whether there are, or should be, consequences (such as clawbacks) in compensation plans to address situations where subsequent risk events occur or risk tolerances are exceeded.

9. Is the risk information communicated to the board adequate, timely, and accurate?

The board should critically review the risk information it receives to determine whether it is adequate and effective. The information should be clear, concise, and neither overly technical nor voluminous. While acknowledging that the board must and should rely on management for information, the NACD cautions that "...directors cannot be overly reliant on management for determining the board's priorities and related agenda, and information needs." The board should also ask itself how it knows that the risk information it is receiving is accurate and complete.

10. Are we comfortable and confident with the risk-related information furnished to external parties, including both financial and nonfinancial reports?

With external parties' increased interest in risk information, the board needs to be comfortable with the organization's external reporting of risks and risk management practices, including both financial and nonfinancial information. The board should also look for consistency of risk information across disclosures, for example between the proxy statement disclosures and the risk information in the 10-K report. It should also ensure that board committee charters are updated appropriately to reflect activities and responsibilities related to risk and risk management as those processes evolve in the organization.