I see lots of risk registers and risk related documents. Some are great and really help board members and executive teams identify, manage and report on the “effect of uncertainty on objectives” (as defined in AS ISO 31000:2018) but many could be strengthened.
Ultimately, risk management is a strategic process – looking forward to explore what may happen in the future that will assist or hinder your organisation in achieving its purpose and goals.
Directors have an oversight function in relation to risk management; ensuring policies, process and systems are in place to identify, manage and report on risk.
Whilst there may be compliance requirements associated with risk management, the true value of risk management is in decision making groups discussing the options, the pros and cons, the level of confidence in a position ahead of time, so that action can be taken to reduce the uncertainty and build organisational resilience.
Here are some common issues and suggested approaches to get the most from your risk management discussions.
1. – Words are important
Risk registers start with defining the risk, and the risk statement should describe the risk.
I regularly see risks described as “fraud”, “lack of funding” or “change in government policy”, but these words don’t tell us much. What about “fraud”, “lack of funding” or “change in government policy” creates uncertainty for us? Do we lack confidence that our ICT systems have the functionality to stop collusion? Are we concerned that we won’t be able to run a particular service if we don’t attract specific grant funding? Or do we lack the allocated resources to update our policies and procedures if government policy requires a greater focus on staff wellbeing?
The more specific our risk statements, the clearer our pathway to action. Even if you can’t control the risk event (natural disaster, government policy, whether we get a grant or not), the uncertainty is about our ability to respond and limit the negative impact of that uncertainty.
When directors ask questions like “what creates uncertainty that matters to us?” against each strategic objective, they create a space for discussion about the specific uncertainty: what exactly is the uncertainty, what is contributing to it, and what action, if any, do we need or want to take to give us confidence that it is being managed as we expect? This in turn ensures that you’re focusing on achieving your goals and addressing barriers to success.
Some of the longest risk registers I’ve seen have more than 200 risks – they’re like a shopping list of everything that could possibly go wrong. These risk registers make it difficult for directors to know what to focus on and tend to be quite operational in focus, whereas boards should be taking a more strategic view.
Most organisations find that having 7-10 clearly articulated risk statements that align to strategic objectives, with clear actions and allocated accountability, provides clarity about the significant issues the board needs to be aware of and monitor closely.
Having a spreadsheet or software tool that records strategic/enterprise-level risks (the focus of the board) separately from the more operational, day-to-day risks under management oversight makes it easier to report on the risks that require the board’s attention.
It means that you can move risks from operational to strategic tabs/sections if risks increase and require greater board visibility. You can also move risks back from strategic to operational accountability or remove completely once the risk is well managed or being controlled as expected.
3. – Inherent & residual risk are outdated terms
The AS ISO 31000:2018 standard no longer uses these terms, so neither should you. I still see plenty of risk registers that include them, and I hear that directors ask for them to be included.
The practice of defining inherent risk (i.e. the risk before controls/actions are applied) and residual risk (i.e. the risk after controls/actions have been applied) is a time-consuming process that doesn’t add value to decision making.
Contemporary practice is to define the current risk.
4. – Risk rating is a guide not a fact
Most organisations will have a likelihood & consequence table (often called a ‘heat map’) that is used to rate the severity of a risk as Low, Medium, High or Extreme. It asks us to consider how likely a risk is to materialise and how great the impact would be if the risk occurred. These tables can be high level or quite nuanced, outlining specific dollar, time or resource limits (tolerances).
The problem is that many decision-making groups spend a lot of time discussing the rating and the template rather than asking if action should be taken or not.
Likelihood and consequence are not the only factors that will lead us to take action. We also need to consider how quickly a risk might change from being manageable to being a problem. Or your priorities might change in response to changed circumstances or people, thus elevating or lowering the risk rating. Or you may have controls in place but are not comfortable that they are working to address the risk as you expect.
The risk rating is just one factor to consider when looking at how well a risk is being managed.
5. – Risk management is dynamic
Most compliance/accreditation standards require risk profiles, risk registers and risk appetite statements to be reviewed at least annually, so I often see ‘risk’ as an agenda item once a year on the Board calendar.
However, your risk/uncertainty will change all the time in response to changes in your environment, so leaving a review of risks to an annual process means you’re not getting value from the risk management process and potentially missing opportunities to strengthen your organisational resilience.
One way to move away from compliance focused risk management is to integrate risk into existing processes and practices. For example, having your strategic level risk statements and risk appetite statements attached to Board, Committee &/or Executive papers ensures that they are front of mind. Attaching them to Business Cases or referencing them when noting new opportunities/issues prompts directors to seek alignment to what we are trying to achieve.
Having some agreed question sets that give directors confidence or a green light to challenge in the board room is another way to integrate risk thinking into your usual practice. For example, adding 5 minutes to the end of the agenda to ask – what’s changed in the global, national, local environment that might create uncertainty for us? What’s changed within our organisation that might create uncertainty in other areas of the business or with our partners? That way, if new things are identified, they can be captured and managed early.
We come to the board table as individuals to make collective decisions in the best interest of the organisation. Identifying and managing risk is a critical part of our responsibilities, and it’s worth taking the time to strengthen practices and get value from the process.
This article was first published in the 2022 Better Boards Conference Magazine.