Norman usually has good comments on the topics of risk management, internal controls and internal audit.  If you are interested in these topics you should read his blog.  If the following link works, here is the link to PWC’s publication, http://www.pwc.com/en_US/us/corporate-governance/publications/assets/pwc-risk-appetite-management.pdf

Not being critical of PWC, but I don’t find their publication to be very helpful.  It’s too general. What does it really mean?  Can a board member satisfy his or her risk oversight duties by asking the general questions that PWC provides?  Perhaps. But the questions don’t go far enough of course.  Not nearly enough inquiry, but it is a starting point.

Risk management is a continual, ongoing task. Identify the categories of risk, identify specific risk or areas of risk in the categories, evaluate for each risk the seriousness if the risk occurrs and likelihood of occurrence which should help provide you with guidance on “risk appetite” (those of you who have read my posts know that I don’t like the current definitions and uses of the terms risk appetite and risk tolerance), evaluate the risk management processes currently in place for each risk, design and implement risk management processes or improved risk management processes for each risk as deemed necessary, appoint the person/people responsible for and owning the risk area(s) and processes, set time deadlines, monitor, follow-up, improve, and on and on.

The board is responsible for oversight.  If risk oversight is included in the audit committee’s charter, the audit committee had better know what it is supposed to do and what it is doing.  Consider, should the board have a separate risk management committee?  I prefer the term risk and uncertainty management, but whatever.

Dave Tate

http://tatetalk.com

Since this publication is put out by the NACD, in addition to the ISA, with at least some involvement by a large insurer, would the positions in the publication arguably create a community recognized standard of care for directors? In some regards, from a D&O viewpoint, a standard of care would be helpful, but of course a generally recognized standard of care must then be met.  Currently we have like 1,000 points of light with all of the different viewpoints on the standards that a director must meet.  See for example my prior post about the ISS proxy position on election of Target board members in light of the Target computer hacking occurrence.

You might also want to see a discussion at http://www.weil.com/files/upload/Cyber_Security_June_2014.pdf

Directors being held to ever higher, increasing and diverse responsibilities and expectations, but what is the standard of care, i.e., what levels of expertise, time commitment and diligence?  Directors are responsible for oversight, not running the day-to-day operations or parts of operations.

Doesn’t surprise me, if it’s possible, or can be developed.