The Board and Risk Management

Published: February 6, 2022

We remain in the midst of a global pandemic. We have all had to think, respond and behave differently as a result. Things that we took for granted before 2020 are no longer possible or require a different approach. Our expectations have changed. Our priorities have changed.

The pandemic has created uncertainty for us all. This is in addition to other factors that create uncertainty in our environment, business and personal worlds.

The effect of that uncertainty (either positive or negative) on what we are trying to achieve is risk (as defined in AS ISO 31000:2018).

We manage risk all the time in our day-to-day lives, but what does it mean to manage risk as a board member? How do you know that uncertainty is being managed appropriately? Are you getting the right information to be able to analyse the risks and make informed decisions? Is the whole board really understanding the risks, or is it just focused on the risk register?

Here are a few things for board members to consider in managing risk.

Risk is the effect of uncertainty on objectives

Risk is neither good nor bad. It is about understanding the changes that are taking place around you, thinking and planning ahead. It’s about asking what would happen if…?

Once you have identified a risk, you need to decide what to do. You can do nothing and accept the risk. You can share or shift the risk (eg through insurance or third party relationships such as outsourcing payroll or contracting an ITC provider). You can aim to reduce the risk (eg hiring to a specific skill set or installing a security device).


There are a few documents that are typically used to support risk management, collectively known as a Risk Management Framework. These include a Risk Policy that states the organisation’s approach to risk management, Risk Procedures that articulate how risk is managed, Risk Appetite statements that articulate what risk the organisation is willing to take and to what extent, and the Risk Register, which articulates the current risks, controls and actions.

In addition, rating tools, such as likelihood and consequence tables, assist the board in quantifying the significance of the risk.

Board accountability

The board is accountable for ensuring that systems and processes are in place to adequately identify, analyse, manage and respond to risk. It is important for board members to understand any relevant legislative, regulatory or policy requirements related to risk management that apply to this role, including Workplace Health and Safety.

Usually, the board focuses on the risks that would impact the strategic goals and the ability to deliver on the purpose and core functions of the organisation. There are times, especially where a significant operational risk arises that requires the board's urgent attention, where it is appropriate for the board to be across the detail of day-to-day operational risk.

Consider mechanisms to ensure that the board and committees have visibility of the issues facing the organisation, such as having risk as a standing item on agendas, or as part of every business case or project update report. This fosters a culture of not only talking about risk but also documenting the key discussion and decision points in responding to risk.

In response to uncertainty, the board could consider asking these types of questions:

  • What do we know is going to happen that will give rise to uncertainty?
  • What could happen instead? What else could happen that we can plan for?
  • What do we want to happen knowing that we have uncertainty?
  • Are we taking actions to achieve our goals and create value for the organisation or taking actions to protect the value of the organisation?
  • How resilient are we if a risk materialises?

Risk appetite

It is also good practice for the board to define the organisation’s risk appetite. That is, what we want to do and does that align to our purpose and goals? And how much do we want to do it? What are the boundaries that will guide us in relation to this action, such as how much money will we spend and how much time will we allow? What resources are we prepared to release to the task?

You can have more than one set of statements depending on how you will then use them to assist in making decisions. For example, you may have quite broad statements that are used throughout the organisation to set expectations with staff and/or clients such as “we have a zero appetite for unethical behaviour” or you might have very specific statements aligned to your strategic objectives such as “we have a high appetite to engage with partners who will strengthen our advocacy reach but not at the expense of our values or budget”.

Using these more specific statements to guide discussion at the board table is very helpful. It is a way of articulating ahead of time, where the board is willing to take more or less risk. Changes to service profiles, board membership or environmental circumstances can mean that you need to adjust the statements to reflect a changed view, so these are not set in stone, rather they are there to guide discussion and debate.

Shared risk

All organisations rely on third parties to a greater or lesser degree to deliver our services and meet our objectives.

Some of these relationships are formalised through legal contracts, Memoranda of Understanding or joint ventures. Some are informal, such as through professional working groups, or based on influence and relationships, such as engaging with family members of clients.

The board should understand who the organisation relies on to be able to carry out its purpose and also who relies on your organisation to fulfil their goals. Then you can ask, is there risk? If so, who is accountable for the risk? Is this level of risk acceptable to us? Are there ways to reduce the risk? What happens if the risk materialises?


The revised Victorian Government Risk Management Framework (VGRMF) came into effect on 1 July 2021. Whilst community service organisations are not required to attest to these standards, they do set out a pathway to good risk management practice. Guidance material related to risk management practice and the VGRMF is available at Practical guidance for managing risk.

Ultimately, the board has collective responsibility to understand how uncertainty will impact the organisation. Time spent talking and planning as a board about the way you will manage risk gives you a head start when/if a risk materialises.

The greatest value is in asking the hard questions – what could go wrong and stop us achieving our goals and what must go right for us to be successful?

This article was first published in the Better Boards Conference magazine, August 2021.


Principal Consultant
What's The Plan

Jane Boag B. App Sc (OT), Grad Dip Community Health, GAICD, MICD

Jane has held a variety of senior and executive roles in health and related fields such as aged care, private health insurance and the Transport Accident Commission (TAC). She has also held a number of Director roles in Community Health, Aged Care, Disability and the Arts sectors. Throughout her career, Jane has demonstrated her focus on positive client experiences and strong business performance outcomes.

Jane’s understanding of risk management and governance was the focus of her role at VMIA as Head of Enterprise Risk Advisory, where the team provided risk management advice to the Victorian public sector.
