Appendix 1: Board questions

1.1

Should we default to the position that the company should be operating within the board’s stated appetite in the ordinary course of business?

When we fall outside appetite, are we requiring management to do everything within their power to return the company to within appetite, or otherwise cease activities that place it outside appetite?

1.2

Do I understand why our compliance risk appetite has been articulated in the way it has, and why certain metrics have been chosen (to the exclusion of others) to measure compliance risk?

1.3

Does our stated compliance risk appetite reflect our actual appetite? If not, what is the purpose of stating the appetite in this way and how will it help us oversee this type of risk in practice?

1.4

Are the metrics we have approved sufficiently representative to provide a picture of what we are trying to measure across the organisation?

1.5

Do our metrics allow us to measure performance against our articulated appetite?

1.6

Are we measuring non-financial risk in a way that provides us with early warnings of rising risk levels?

1.7

How do our compliance risk metrics and other non-financial risk metrics compare to those metrics used to measure financial risk; for example, for credit or liquidity risk?

1.8

Does management report to the board against the metrics in the RAS?

Do management committees receive reporting against the metrics in the RAS?

2.1

Is the breadth and materiality of information we are receiving from management correctly calibrated to help us perform our oversight function?

Is the information we receive on non-financial risk of a similar quality to that we receive on financial risk?

2.2

Are significant issues receiving sufficient prominence in reports?

Does management reporting make it easy to identify the materiality of non-financial risk across the organisation?

2.3

How are we ensuring that board members not present during closed sessions are informed about material non-financial risks? How are action items coming out of closed sessions recorded and conveyed to the board and management?

2.4

Do our minutes adequately capture key discussion points, reasons for decisions, and significant issues raised with management?

2.5

How are we ensuring that all directors have the benefit of material information obtained during informal conversations or meetings?

2.6

Are the methods we use to update the full board sufficient to ensure it receives reliable and timely information about material non-financial risks?

2.7

How robust are our processes for cross-committee information sharing?

3.1

Are we dedicating sufficient time to risk issues, including non-financial risks at the BRC level?

For BRC chairs: Am I allocating sufficient time to perform my duties as BRC Chair, taking into account the scale and complexity of the company?

3.2

Does the BRC meet often enough to oversee material risks in a timely manner?

Does the frequency of our BRC meetings allow for the timely elevation of material risks to the committee?

3.3

Are we receiving the right kind of information to discharge our duties?

How are we satisfying ourselves that this is the case?

3.4

Are we demonstrating active oversight of, and engagement with, matters being put to the BRC?

Do we require management to act where we are not satisfied with what is being presented or recommended to the board?

3.5

Do we have transparent and effective processes for escalation of urgent material to the board?

Are these processes followed consistently?

3.6

Are all board members (whether or not they are formal members of the BRC), fully informed, and do they have an opportunity to participate and be heard on risks?

Is the BRC the right size to be effective?

Does the BRC’s charter accurately reflect the BRC’s actual practice?