I think it's important for the organization to have people internally who can do inspections and make assessments, and then use third parties when they need them. From the board's perspective, it needs to have some comfort that what it is hearing from management about risk assessment is an appropriate approach or review.
In terms of what you're talking about, from time to time it would be important for the board to make sure they have advice from some of those third parties directly, and are not just getting advice from management about the state of the risk management practices. That would help them have confidence that management is providing them with the right information and the information they need.