Practical Steps to Good Governance and Risk Management

For us tragic Essendon Football Club supporters, good governance is something that cannot be ignored. Governance and risk management go hand-in-hand, and provide a framework to ensure that an organisation meets its legal obligations, manages its risks and ensures appropriate accountability throughout the organisation.

Some practical steps which a Board might consider as part of this framework include:

Board Charter
A Charter can set out the duties, responsibilities and expectations of the Board, the Chief Executive and the executive staff of an organisation. The key roles and responsibilities of each help to clarify respective duties and help prevent a Board overly interfering in management issues, and allow the Chief Executive and other executive staff to recognise the Board’s rights to enforce accountability. The Charter can also set out the expectations of all participants in relation to meetings, reporting, provision of information and risk management.

Delegation and Reporting

A formal document setting out the delegation of the Board’s powers to the Chief Executive and other executive staff helps establish accountability. Where delegation of powers is made, there should also be requirements for reporting (monthly/quarterly/annually) on all areas of the organisation’s operations. Delegations will not just be financial, but may reflect contractual rights, communication on behalf of the organisation, and other non-financial areas. Similarly, reporting expectations can be established, so that the Board receives timely information in relation to how delegated powers have been utilised.

Risk Register and Risk Management Framework

Every organisation should have analysed its risks, established clear procedures to minimise and control risks, and set out accountabilities for management of risk. A Risk Register, appropriately and regularly reviewed, sets out the risk, the likelihood of the risk, the controls to minimise the risks and who is responsible for oversight. This should be in the context of a framework which sets out the processes by which risks will be managed, by whom, and when reporting should be made to the Board.

Policies

High-level policy documents endorsed by the Board establish the organisation’s framework for quality, safety, risk and operations. These should include occupational health and safety policies, now mandated by legislation. However, they can also include appropriate provisions for quality of service, financial processes and other legal risks.

In relation to all policies, the Board should be satisfied that all relevant staff within an organisation have access to appropriate education and training so as to be able to fully understand the policies that have been set, and be equipped to implement those policies as required.

Incident Monitoring and Notice Requirements

One of the clear policies which should be endorsed by a Board can set out processes by which the Board, the Chief Executive or other executive staff are notified of adverse incidents which may occur and affect the organisation. A process of escalation in relation to dealing with those incidents should be clear. In relation to the most serious risks, provision should be made for prompt notification to the Chief Executive and the Board. Boards will recognise that things can go wrong, and will adversely impact on the organisation. It may not be the organisation’s fault, but nonetheless the incidents need to be addressed promptly, and the Board will need to be satisfied that there are appropriate policies and processes in place to address these matters.

Compliance Check List and Sign off

Notwithstanding the policies that may be in place, occasionally things go wrong, and notification to the Chief Executive or the Board may not always be prompt. There is always the possibility of parts of an organisation not recognising the severity of a risk or incident, or even actively concealing it. A compliance check list, which requires senior executives to formally “sign off” on a quarterly basis in relation to a range of compliance issues, can be one method to “flush out” any lurking issues. A compliance check list can require an executive to confirm whether they are aware of any particular incident or non-compliance, or any circumstances which may give rise to an incident or non-compliance. These can include breach of legislation and legal obligations, human resources issues, OH&S, product liability, criminal or penalty offence matters, customer claims, breach of contract and other matters which can be tailored or made more specific to the nature of the organisation.

Complaint Handling

Depending on the nature of the business of the organisation, the Board should be satisfied that it has appropriate complaint handling processes in place, particularly in relation to customers, but also in relation to suppliers. The complaint handling process can be an early warning system for problems with products or services, or deficiency in operations. A complaint handling process should provide a prompt empathetic response, to preserve the goodwill and reputation of the organisation, and appropriate reporting should be made to those within the organisation who need to understand the nature of complaints and any trends or developing issues.

Audit

Just as an organisation will undertake a financial audit on an annual basis, it can also utilise internal audit processes to review some of these governance processes; to ensure that they are in place, and more particularly that they are operational and effective. An internal audit could be undertaken by those within the organisation to save costs, or could be done by external independent auditors or consultants.

Not all of these practical steps will be possible for any organisation, depending on the resources available. The size of the organisation will depend on how critical some of these particular issues may be. Nonetheless, they are issues that should be considered by Boards as part of the overall governance framework of an organisation.