What is the Board’s Role in Risk Management?

The Board’s role in risk management is fundamental – the buck (for everything) stops in the boardroom!  It’s essential that the Board thinks deeply and often about the key risks that can lead to different outcomes than expected, positive or negative.  Every week we see scandals relating to safeguarding, abuse, fraud, cyber security …  For each of the organisations involved in those scandals, their reputation is seriously tarnished, and all stakeholders (including funders, staff, customers) may be hesitant to engage with them again. 

If we think of ‘upside risk’, there may be a danger that Boards become risk averse, and lose a valuable opportunity by not taking a chance with a new product or service.  It’s important that risks are identified, monitored and managed at all levels.

It’s true that we need every single person in an organisation (and also visitors to their premises) thinking about risk, but there is a key role for the Board to set the tone for the risk culture, and give clear guidance on issues like risk appetite and escalation processes.  It’s vital that the culture supports everyone to be open, helpful, and challenging with positive intent.  

“Clean sheet thinking” on key risks

We strongly recommend that the Board does its own ‘clean sheet thinking’ on key risks at least annually, after the strategic priorities have been agreed.  Recently we’ve been asked a few times why that matters.  Neuroscience tells us that, when we read a detailed document, such as a Risk Register, we turn on the ‘detail’ part of our brain.  As we go through line after line of information, we’re likely to spot any spelling mistakes or grammatical errors, but there may be one or two really significant risks that haven’t been identified by the managers who drafted the document.  We recommend that, at least annually, perhaps at the Board Away Day, the Board should: 

1. Begin with a clean flipchart sheet and brainstorm ideas on key risks, using questions like:
   1. What could stop us from achieving each of those priorities?
   2. What could ruin our reputation?
   3. What could ruin our financial position?
   4. What could put us out of business?
   5. What has happened in other governance failures, that we can learn from?
2. Management should then be tasked with developing a Corporate Risk Register, and delivering reports to Board using a heat map, which charts risks against levels of likelihood and levels of impact.  The Board should monitor progress, and should always be clear whether the controls put in place by management are having the desired effect (eg) reducing the likelihood or impact of the risk.  Reports should clearly show what’s being done about each risk, and whether that risk is reducing or increasing.
3. The agenda for Board meetings should be influenced by changes in key risks, with emerging risks identified and actions agreed.
4. Consultation with staff at all levels can provide helpful inputs to the list of key risks, and there should be clarity about when and how anyone should escalate a risk, and bring it to the attention of someone more senior.

While many of the key risks identified on the flipchart may already have been included in the Risk Register, if this kind of thinking identifies one or two more that matter, then it has been a worthwhile exercise.  

During 2020, we were all taken by surprise by the Covid 19 pandemic.  According to the Institute of Risk Management research carried out in April 2020, of the 1,000 people they interviewed, 32% hadn’t considered pandemic risk at all.  One fifth of those who had pandemic risk in their Risk Register hadn’t done anything about it.  Understandably, 83% of those surveyed predicted greater Board interest in strategic risks in the future. 

Further useful guidance on risk management processes is available in The Orange Book, including risk identification, risk treatment, risk monitoring and risk reporting.  While it’s written for the public sector, the guidance is very relevant for all Boards.

In all of this, we need to ensure that we don’t avoid risk entirely.  In the words of John A Shedd (on www.goodreads.com) “A ship is safe in harbour, but that’s not what ships are for”.

Some useful reading –

• Risk Management for Company Executives
• Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposure, and Seize Opportunity
• The Failure of Risk Management: Why It’s Broken and How to Fix It (Free with Audible free trial)
• The Risk Management Handbook: A Practical Guide to Managing the Multiple Dimensions of Risk

Did you know?

You can join the Leading Governance website as a member? Members get access to thousands of pounds worth of essential Governance materials to build their own Governance Manuals, from Sample Board Agendas to Board Member Review templates and much more! Click here to see more about Membership and join our community.

See more of our recent blog posts below!

• How do Boards make decisions?
• Public, Private and Charity sectors – “Smart people learn from their mistakes, but the real sharp ones learn from the mistakes of others”
• Accredited Course in Boardroom Leadership
• 360° Review at Board Level
• What is governance and why is it important?