What is a board's risk management responsibility?

The UK Corporate Governance Code 2024 makes the board responsible for the effectiveness of risk management and internal control. For accounting periods beginning on or after 1 January 2026, a formal declaration of effectiveness is required.

The board is responsible for making sure the company has a working risk management system, but not for running it day-to-day. That distinction matters. Provision 29 of the UK Corporate Governance Code 2024 puts the board explicitly on the hook for monitoring the risk management and internal control framework and reviewing its effectiveness, across all material controls, including financial, operational, reporting and compliance controls. For accounting periods beginning on or after 1 January 2026, boards of UK listed companies subject to the Code must include in the annual report a declaration on the effectiveness of those material controls as at the balance sheet date. The framework is the board's job. Operating it is management's.

The three parts of the board's role

The board's risk responsibility breaks into three things:

  1. Framework — set the risk appetite, approve the risk policy, define which risks are monitored.
  2. Oversight — make sure risk reporting is timely and honest.
  3. Response — act when the system fails, or when material risks are not being handled.

Framework — risk appetite in writing

The first job is to define how much risk the company is willing to take. It has to be written down, not held as a gut feel, because a written appetite is the threshold that later risk reporting is measured against. An SME risk appetite might be: "We accept leverage up to 3.0x EBITDA. We do not accept single-customer concentration above 25%. We do not accept unhedged currency exposure above €130K."

Oversight — this is where it most often fails

The board has to make sure risk reporting is timely and honest. Both require active work. Timeliness comes from a fixed rhythm: risk as a standing agenda item, quarterly reviews, and agreed thresholds that trigger reporting between meetings. Honesty comes from accepting bad news without shooting the messenger, and from external calibration through auditors or independent advisers who can check management's picture against their own.

Response — passivity as a liability

If the board receives information about a material risk and does nothing, that passivity can itself be a breach of duty. It is not enough to have heard about the problem: the board must be able to document what it decided, when, and what it asked management to do. Classic warning signs where the board has to act:

  • Liquidity deterioration over several quarters.
  • Covenants under significant pressure.
  • Loss of key people.
  • Legal claims that could threaten going concern.
  • Missing or delayed financial reporting.

An annual calendar as a practical tool

The simplest way to make sure risk gets systematic attention is an annual calendar that fixes when the board reviews risk appetite, receives risk reports and revisits the declaration. Boards with a fixed annual calendar handle risk far more consistently than those without; Plandisc's own data puts the difference at roughly 83% vs. 56% coverage. The calendar stops risk from being the item that always gets pushed to the next meeting.

EU equivalents

The UK Code is the most explicit, but it is not unusual. Germany's Aktiengesetz §91(2) requires the management board to set up a monitoring system to detect early any developments that could threaten the company's continued existence. The Dutch Corporate Governance Code places equivalent oversight duties on the supervisory board. Across the Nordics, codes built on the OECD principles apply broadly the same logic to listed companies. Private SMEs are not directly bound by these codes, but lenders, investors and auditors increasingly expect the same level of board oversight.

The line between board and management

The most common failure mode is the board starting to run risk management itself, taking operating decisions that belong to management. That is overstepping. The board's job is to make sure management has a working system. If management does not have one, the board demands that one be put in place; it does not take it over.

Sources

  • FRC: UK Corporate Governance Code 2024, Provision 29.
  • KPMG: guidance on the internal control declaration requirements applying from 2026.
  • Plandisc: data on the difference in risk coverage between boards with and without an annual calendar.