Risk in the Boardroom

Why is risk an issue in the Boardroom?

Fortify your business: risk management should be embedded within the culture of the organisation

Managing risk is not about compliance and box-ticking: it is a critical investment that can underpin an organisation’s long-term growth, value and sustainability.

How robust are your policies on governance, risk and compliance?

Can you demonstrate discipline, control and responsibility?

Past corporate failings have typically been attributed to a lack of accountability, strategy and transparency.

What types of risk may affect the business?

There are three key risk areas to consider:

Business risk

  • Misconduct and fraud risk
  • Emerging technology and underlying algorithms
  • Governance and compliance
  • Talent and succession
  • Third Party Risk
  • Operational Risk


  • Cyber and information security
  • Third-party risks including contract defaults or a collapsing business
  • Crisis management and business continuity
  • Reputational risk
  • Instigator or defendant in a litigation case


  • Local and global regulation governing suppliers, investment, tax and shareholders
  • Credit, market and liquidity risk
  • Geopolitical drivers
  • Anti-bribery and corruption legislation
  • Privacy (GDPR and other country privacy legislation)

Potential benefits and consequences for an organisation

The benefits of addressing risk can include improved agility, the creation of a strong risk culture throughout the organisation, more effective reporting, processes and internal controls, minimised disruption and, ultimately, better business performance.

The consequences of not addressing risk range from reputational damage and lost market opportunities to weakened long-term growth potential and business sustainability.

Boardroom Questions

To address the potential risks, the following are some examples of questions to be considered at board level:

Business risk

  • Does our company’s risk reporting give management and the Board the information they need about the top risks and how they are managed?
  • To what extent has the Board issued guidance for risk management?
  • Does the Board comprise a good cross section of professionals with the right skills to assess risks to the firm?
  • What is our company’s strategy to manage ethics?
  • Are people in our firm equipped to recognise and resolve moral dilemmas?


  • Is the company prepared to respond to extreme events?
  • What is the current level and business impact of cyber security to our company? What is the plan to address identified risks?
  • How comprehensive is our cyber incident response plan? How often is the plan tested?
  • How do we monitor our systems and prevent breaches?
  • Have we performed due diligence on vendors, agents, representatives and other third parties?


  • Are we under any regulatory actions?
  • Do we have a transaction monitoring system or program to detect suspicious activity?
  • Do we have a formal robust practice for addressing regulatory change and its corresponding impacts?
  • Have we implemented a reporting hotline for internal and third parties to report concerns?

What actions can the Board consider?

Business risk

  • Require management to complete a full risk review across our organisation which includes prioritisation of risk.
  • Develop a formal process to review risk. Require a formal written report from management.
  • Consider engaging outside expertise to drive or conduct an ERM review, bringing experience in risk identification, impact measurement and mitigation.
  • Make risk an annual agenda item – not part of a three-year strategic plan.
  • Ensure the full and active involvement of Board members in the process.
  • Hold management accountable. Require management to integrate risk management into core management processes across the organisation.
  • Ask the tough questions.
  • Ensure the Board has a mixture of the right skills to address risk issues across an organisation.

© 2021 KPMG LLC, an Isle of Man limited liability company and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.