Transcript of One Question Podcast – The Board and risk management:
Welcome to the One Question Podcast from O’Brien Governance Design, who specialise in corporate governance for the public and not-for-profit sectors, I’m Will Francis. And in each episode I ask Trish O’Brien a different question about corporate governance. In this episode, that question is: As a Secretary to the Board, how do I help the Board to look at risk management more strategically? Hi Trish.
Hi, Will. How are you?
I’m good, thanks. So for this episode of the podcast, we’re looking at risk, is that right?
Yes. Risk is certainly an important element of corporate governance and it’s one that people I think often struggle with. So it’s right that we should dedicate one of our episodes to it. It’s also included in governance codes and regulations for all sectors. And it’s something that’s part of external evaluation, which we’ve talked a bit about in previous podcasts.
Okay. So do you want to give us a quick sense of what it says in the codes?
Sure. So we have the Code of Practice for the Governance of State Bodies. As we know, that’s the Code particularly for public sector bodies and that has numerous references to risk. It says that the Board’s role is to provide leadership and direction of the state body within a framework of prudent and effective controls, which enables risk to be assessed and managed. And then it has these, these code provisions 7.1 and 7.2, and they elaborate on that and they set out how the Board should approve a framework for risk and oversee its implementation. And they also emphasise the importance of the role of the Audit and Risk Committee, which is a subcommittee of the Board. Its role is particularly important in terms of risk and it reports into the Board on that and that particular code also provides separate guidance for the Audit and Risk Committee on its role. So, that’s the Code of Practice, which is for the public sector, as we know, and then with the Charities Governance Code, which is the code published by the Charities Regulator, it says that trustees, which are essentially Board members must consider and reduce risks to which their charity is exposed and regularly review a risk register.
Right? Yeah. Now, from what I know of risk, it’s a pretty big topic. So in this episode, what specific things do you plan on focusing on?
Yeah, it is, it is quite a big topic and there’s a lot of different dimensions to risk and you can get very detailed in terms of methodologies and approaches. What I was hoping that we might do is to step back a little bit from the topic and to make connections between how risk is thought about and managed and the strategy and values of the organisation. So I think we’ll talk a bit about risk appetite and how that helps to shape thinking about risk. And I’ll also provide an overview of the elements of a risk management framework. And then we’ll try to maybe flesh out what an organisation that has an embedded risk management culture, what that looks like.
Great. Okay. So for starters, let’s talk about what risk actually is and why it’s important.
There’s a specialist I read sometimes in this area called Dr. David Hillson, he’s written a number of books on risk, and he describes risk as uncertainty that matters and uncertainty matters and becomes a risk if it’s going to impact on organisational objectives, looking at objectives through risk can really tighten the organisation’s focus on what it needs to do and what might impact upon its progress. So if, if you define objectives without taking risks into consideration, there’s a higher chance that you can lose direction. If any of those risks eventually hit home.
And is risk always a bad thing?
Well, traditionally I think, you know, risk was always associated with negative outcomes only. And we can think about it in those terms, but the more kind of current contemporary discussion, if you like on risk, sees it as signifying uncertainty rather than threat necessarily. So something that’s uncertain, it won’t necessarily lead to negative outcomes it could equally result in a positive outcome. Threat and opportunity are, are now seen kind of, as two sides or two flavors of risk. And it’s also something I think we, we comprehend easily maybe in other contexts, you know, when we talk about high risk, high gain scenarios and things like that.
Yeah. And just bringing it back to the Board, you know, what’s their responsibility for risk?
Well, it’s the role of the Board to agree the risk appetite for the organisation, to oversee how it operates its risk management framework and, ultimately, to satisfy itself that the way the organisation is managing risk is sound. Normally the Audit and Risk Committee, which reports to the Board, has the role of assuring the Board about risk management. And then you have the executive role. The staff role is to design and implement that framework and to ensure that the organisation operates within the risk appetite that’s been agreed by the Board.
Risk appetite. Right. Okay. So, let’s start by unpacking that a little bit. What is that exactly?
Yeah. Well, what we often find when we work with organisations is that they have a risk register and that might name, you know, a number of risks and how they’re going to try to avoid them. But they often haven’t started at a step up from that, which is to think about, as an organisation, both the Board and the staff, what the organisation’s risk appetite is. And, you know, that is essentially how much risk the organisation is prepared to accept in trying to achieve its objectives. That’s essentially what the, what the risk appetite is. And it’s really important that they take that step because firstly setting the risk appetite reminds the Board and the executive that risk isn’t a random thing, or a parallel concept, it’s something that’s related to strategy and to the role of the Board. The other thing is that how you think and feel about risk is quite a subjective thing. So to go through a discussion on risk appetite really helps to express those views and brings out differences in thinking and in interpretation.
So is risk appetite about kind of low, medium, high levels of risk being acceptable, that kind of thing?
Yeah, exactly. I mean, in some areas there may be no appetite for risk, in other areas, there may be quite a high appetite for risk. So first of all, you need to agree the terminology that you’re using to describe risk, you know, and you mentioned low, medium, high, and I’ve seen those levels used. And there are other examples where you might have ‘opposed to risk’ might be on one end of the spectrum. So that’s kind of where the avoidance of risk is a priority. And then on the other end of the continuum might be ‘enterprise’ which means being eager to be innovative and to accept greater uncertainty. So that’s other language that’s used. In other cases, you might see risk averse being on one side, again, avoiding risk and then risk seeking the other side.
So having quite a high appetite for risk and that use of the terms, you know, enterprise and risk seeking, that brings us back to the idea of uncertainty, not always leading to negative outcomes. So deciding then on the terminology for the levels of risk appetite is important because it gives some common language for the Board and the staff together to use. So that’s the first thing, you then need to articulate a definition for each of those levels. So we can have our levels of, you know, opposed to risk or whatever it happens to be, risk averse, risk seeking, etc. whatever language that is. We then need to agree to articulate a definition for each of those levels. So if you’re adopting levels that range from risk seeking to risk averse, you might define risk seeking as actively seeking and accepting opportunities to take actions that have uncertain outcomes, while risk averse might be defined as accepting as little risk as possible. So by doing that, you’re creating a common language around risk that provides a kind of a shorthand for the Board and the executive so that they can manage together. They can manage risk more strategically.
But I think it’s important perhaps to also think about how people decide on their appetite for risk, because that’s not a hunch based thing, is it? There’s, for instance, the way that a bank manages customer data, they would probably go through kind of worst-case scenarios and work out how bad would it be if we had a problem here. Right. So we know we have to be incredibly risk averse when it comes to handling customer data as a bank, for instance, you know, how do people decide on their appetite? Do they do kind of SWOT analyses? Do they look at what the worst-case scenarios could be? If the risk, you know played out as badly as possible, and then they kind of decide where on the spectrum they are – how does that work?
Yeah. So I think what you’re kind of getting into there as well is risk tolerance. Now, I think the first thing in terms of the appetite aspect is just even deciding that terminology about what is our spectrum of risk here? What language are we comfortable with in kind of an objective sense? I think the next thing that what you’re getting into there is really around tolerance for things as well. And this is where it’s so important to have that Board and staff engagement together. Because, and again, it comes back to things being subjective, but also knowledge around things. So, you know, I’ve come across situations with the Board whereby they might feel that they have a very low level of risk appetite about a certain thing, but a very high level of risk appetite about something else, but Board members aren’t always experts in what the business does. And sometimes they may not understand the connections between those things. So something that they think they wish to be actively engaged in risk about could actually be affecting something that they are risk averse about. And that’s where working that through with staff is extremely important, and it doesn’t happen a lot of the time. So that kind of SWOT type exercise that you’re talking about, I think, you know, all of that, any of those tools that can start getting behind the organisation’s thinking about risk can really help. And I think one thing we would really be advocating is that a really good time to be doing this is when you’re working out your strategy or when you’re reviewing your strategy. So, you know, organisations tend to put a lot of time into thinking about what it is they want to do over the next period of time.
They don’t always spend a lot of time thinking about what might impact on them being able to do it. So if we could start thinking about risk and uncertainty in the context of strategy, where you traditionally would do more of the kind of SWOT analysis and PEST analysis, and whatever else it might be that’s informing your thinking and external consultation. If we could wrap risk into that I think we could benefit from both the strategic perspective and how risk relates to that. So just not seeing these things as parallel activities.
Okay. So you’ve described levels of risk, now, presumably you’re going to apply them to areas of work of the organisation?
Yeah. So we, we have these levels and these definitions and we have the risk appetite framework, if you like. And now we need to apply that so that we can establish our appetite for risk in different contexts. So this is where we start to look at the objectives of the organisation, the key responsibilities of the Board and the staff. And these are generally categorised. So you can find a lot of standard categories. You know, when you look up risk online, you look for risk categories, there’ll be things like health and safety, compliance, reputation, governance etc. which an organisation would decide its risk appetite against. And they’re useful categories. They’re important. But I think to make this more meaningful, you should be going back to your objectives, those in your strategy, those in the Board’s responsibilities, and include some of those objectives in your categories again. So, it could be to increase engagement with other national agencies or to secure a significant sponsor in a not-for-profit context; those kinds of objectives are equally important to figure out, what is your risk appetite in terms of pursuing those?
So when that risk appetite is agreed across the various areas of work, what happens next?
Okay, well, organisations should have risk management policies and procedures in place that are agreed by the Audit and Risk Committee, and that are approved by the Board. And those documents should explain how risk appetite is agreed, how risk management is implemented. That should all be set out in those policies and procedures. And probably the most recognisable element of the implementation of risk is a risk register, and all the work done in developing and testing an organisation’s risk appetite has to be connected into that risk register. And you might think that’s a logical step, but often we find when working with organisations that the risk appetite levels that have been agreed, they’re often not reflected in the risk management process. So, you know, for instance, some of the risks in risk registers, they might sit outside of defined tolerance levels, or they may not align with the risk appetite level assigned in the area. So you might find that there’s really no connection between these things, between what the organisation has said is its appetite, its tolerance, and how it’s actually treating risks that are associated with them. But again, if you spend time on that step and make it a discussion and engage with the topic, you know, that’s far less likely to happen. You’re far more likely to have appetite and tolerances reflected all the way into the risk register.
So what exactly is a risk register and how does it get populated?
A risk register is essentially a record of information about identified risks. It could be in a spreadsheet format or even just a Word document, and it identifies risks as associated with different categories of business. And it will show how the organisation plans to deal with those risks. So really the organisation’s policies and procedures, they should describe how the risk register gets populated. And often you’ll see that risk owners are assigned within the organisation who are responsible for identifying and monitoring certain types of risk, and that can work quite well. And you’ll often have someone who’s responsible for the coordination of the risk register in the organisation, but it’s important that the register again is, you know, in the same way as when we’ve been defining risk appetite, the risk register really has to be a product of coordinated discussion across knowledgeable staff and in conjunction with the Board, rather than being the role of just a series of individuals who are working in isolation.
Right. And have you any tips for things to consider when building a risk register?
We have a few suggestions for things to consider when you’re developing the risk register. And these are really informed by that need to consider risk from a strategic standpoint. The first is that the risk register template, it should request that risks identified are associated with the risk appetite statement, which in turn should be linked to one of the organisation’s objectives. And this will really help those identifying risk to remember that risk is uncertainty that’s important to the organisation meeting its objectives. If you can’t connect the risk you’ve identified to one of the categories that have been signaled as being strategically important, then it’s worth questioning if that risk warrants the resources needed to manage it. And if it does, then, you know, the person identifying the risk may have come up with an additional area that should be categorised and should be given a risk appetite by the Board.
So, that’s one of the first things, the template should be prompting those questions. Another thing is just that the description of risk really should follow a consistent format. You know, the point of including something in a risk register is to identify it as a risk and to be able to monitor how it’s being managed. And sometimes when we look at risk registers, you know, the risks will be things like ‘reduced fundraising potential’ might be identified as a risk, ‘low staff morale’ might be identified as a risk. And so when you see these lists, it just feels like any possible risk has been thrown into the register. And when risks are described like this it kind of gives you nothing to work with. It doesn’t tell you why there might be low staff morale.
It doesn’t tell you what would cause it, and the thing is in that case, you’re only dealing with the effect. You’re not dealing with the cause. And if you don’t know what the cause is, then how are you going to manage the risk? So how risks are described is really important, and it should be clear that because of something, a cause, a risk might occur and that would lead to a particular effect. So that should be clearly set out within the risk that’s been warranted as being included in the risk register. Otherwise, how are you going to manage the risk?
The relative importance of risks included in the risk register also needs to be analysed and agreed, and risks are identified in the risk register in terms of what level of impact they might have and how likely they are to happen. And some say that risks that have a low likelihood of happening should be given a low level of attention. But if you look at the OECD, Organisation for Economic Co-operation and Development, it looked at different governance systems internationally, and it concluded that Boards really weren’t giving enough attention to high impact risks where the likelihood of the risk happening was low. High impact is high impact, and low likelihood is different to no likelihood. So the things that could kind of sink the boat, they need to be watched and managed. And I think that’s an important aspect to consider. So even though it’s unlikely, the impact could be high and it deserves attention as a result of that.
Another thing I think is to build knowledge, to treat risks. But to treat individual risks, you need to understand them. And this is where building up research and understanding of risks is important. And the outcome of that increased knowledge will result in further options for how the risk can be managed and may lead to it being upgraded or downgraded from its original positioning on your risk register. So just in terms of the risk register, pointers are to link the risk template to the risk appetite categories and statements, make those connections, provide meaningful descriptions of risk so that you can see cause and effect and take actions in that context, analyse and prioritise risks – they’re not all equally important – and build up knowledge about risks to increase the ways that risks can be treated.
So from a governance perspective, then what’s the role of the Board in overseeing risk management?
As we mentioned earlier, the Audit and Risk Committee will be looking at the detail of the risk register with the executive. And that role is part of their terms of reference and part of what’s expected under the governance codes. So the Audit and Risk Committee should be challenging progress reports on the effectiveness of the plans for addressing risks throughout the year. When it comes to reporting to the Board, I think the Board should receive progress reports from the risk owners on the top priority risks, those with the highest impacts. As we said earlier, the risk registers should be developed collaboratively, but owners of risks will be identified. And if these individuals can report directly to the Board, it’s likely to lead to more insightful and detailed reporting on priority risks. So the Audit and Risk Committee certainly keeping an eye on risk on behalf of the Board, it’s a big part of their role and responsibility, but the Board is ultimately responsible, and then focusing on top priority risks and having those risk owners maybe report directly to the Board to give them that understanding of how each risk is being managed. We have found that to have been a particularly useful way of reporting to the Board.
Yeah, I can imagine. And so I presume the risk register and even risk appetite has to be reviewed because you know, how the organisation thinks about risk might change over time and the risks themselves on the risk register might change and evolve over time. Is that right?
Circumstances change all the time. The external environment can throw up all sorts of developments that need to be factored into thinking. The Board really should be leading that review. And it should be in conjunction with the staff, as we’ve said all the way through, it has to be a collaborative effort. And it’s also just, it’s important to continue to connect that thinking with strategy. Often there’ll be midterm evaluations of strategy. It’s very important to, again, look at where you stand in terms of risk as it connects to that strategy.
And so in real terms, do you think that all this attention on risk actually works and warrants all the time and effort?
Well, I think that we can all think of things that have happened both external to and internal to an organisation that weren’t on any risk register and had never been considered. So of course, you know, it has to be acknowledged that a risk isn’t an answer to everything, and it certainly won’t anticipate all risks, but I don’t think that means that it has no value. I think that a comprehensive look at risk in the way that we’re suggesting is important because it helps you to look at your objectives from a different perspective and to challenge yourself, to anticipate uncertainty that matters.
Yeah. You know, earlier you used this term, a mature risk management culture. If an organisation has the ambition to develop that, what does that actually look like in practice?
Well, we’ve developed kind of a checklist that is available on our website that lists a series of characteristics and gives you the opportunity to rate, you know, where you think you are with each of them. So, you know, for instance, are you satisfied that a given thing is fully in place or partially in place? So, that might be useful, but in general terms, you know that you’re operating within an organisation that’s managing risks strategically and in a kind of a mature fashion, if you like, if you’re satisfied about some of the following things. So if you’re satisfied that the organisation’s risk appetite and management processes are documented; that the Board is setting clear and consistent expectations for managing risks; that senior management are communicating clear and consistent expectations for managing risks; if you’re happy that the Board kind of role models risk management thinking, and that it discusses tolerance to risk; and that senior management is doing the same thing, that it role models risk management thinking and it discusses tolerance to risk, and that these things are informing decision making; if you’re satisfied that senior management engage with staff on risk and actively seek out information about risk; if you can see, and there’s evidence of, an effective means of communicating risk information across the organisation; if staff are taking the necessary steps to escalate what they see as being risks; and if the currency of risks is kept under review on an ongoing basis. So I think they are the kinds of characteristics of what might be termed a mature risk management culture or risk culture. I think for the most part organisations are perhaps on the road to that, with probably a relative minority who could satisfy themselves that all those characteristics are fully in place.
Yeah, I can well imagine. What are we going to be looking at for the next episode of the podcast?
Well, we’ve talked here about how risk is connected with achieving strategic objectives. During our next podcast, I think it might be helpful to talk about the Board’s role in strategy development. And then maybe in terms of the role of the Board in overseeing progress against strategic objectives.
Well, I’ll look forward to taking a closer look at that in the next episode, Trish. Thanks very much.
You can find out more, access resources, templates, and the One Question Guides at obriengd.ie. Thanks for listening. Goodbye.