"Two general guidelines significantly advance the oversight element of effective financial governance. First, it is important to recognize the distinction in the use of the term oversight rather than controls. In some well-publicized instances, companies had in place policies and procedures that prohibited the actions that caused losses. Yet the lack of an oversight process allowed transactions to be executed despite these policies. Companies must recognize that it is not enough to have documentation declaring certain activities unacceptable; they must also have an oversight process with efficient and effective internal controls to ensure the enforcement of these policies and procedures. In short, a system of checks and balances that can ensure unauthorized activities do not and cannot occur, must exist.
Secondly, consistent measures of firm-wide risk must be developed. It is not possible or practical for each board member to have detailed knowledge of all aspects of complex financial transactions. Nor is it wise to eliminate their use simply because this knowledge level is absent. Rather, measures of the risk inherent in the transactions executed, as well as the risk from underlying business exposure, must be provided to senior management and the board. This allows for an assessment of whether this risk level is appropriate for the company and its objectives.
Responsibility of the Board
The Sarbanes-Oxley Act formalizes the important role that board members must play in the risk management process. According to this document, the board is expected to oversee an infrastructure that can define, analyze, measure and report on the effective control of risk inherent in the firm's underlying financial activities and instruments used to manage risk. The output of this infrastructure must be synthesized into clearly defined and understood measures that the Board can evaluate and on which it will impose its oversight responsibility.
The methodology to develop this infrastructure is where the responsibility of the board takes on greater dimensions. If the board feels a lack of expertise needed to analyze the underlying risk elements, it should consider going outside the company to find qualified, objective sources for this expertise."