Takeaway tips
- Framing risk in terms of strategy achievement will help the board to engage.
- An effective risk management framework starts with what success looks like for the business.
- Risk management isn’t necessarily about taking smaller or fewer risks, it’s about understanding your risk appetite and behaving accordingly.
- The board should own decision-making around risk.
- Risk is dynamic and should be discussed as a live issue at every board meeting.
The purpose of risk management is to enable organisations to achieve the things they want to achieve through the management of relevant obstacles.
This should almost go without saying. Except that it doesn’t, as panellists Sandro Boeri, Head of Staff Development and Culture Assessment at Deutsche Bank and President of the CMIIA, Susan Swabey, Chair of Spark and former Company Secretary of Smith and Nephew plc and Chris Burt, Co-Founder and Chair of the Risk Coalition, discussed on day one of Governance 2024, our Annual Conference.
They pointed out that one of the keys to effective risk management is tying risks to the achievement of strategic objectives. It’s not just about coming up with a shopping list of things that could go wrong. Instead, it requires deep thinking about what your organisation wants to do, the potential risks and what mitigations can be put in place to navigate – rather than necessarily avoid – those risks.
Is risk a bad thing?
We’re all managing risks every day, we just don’t always define it as such. Taking a risk may be the only way to achieve growth or exploit new opportunities. As such, taking risks shouldn’t necessarily be seen as a negative thing.
The crux of risk management is being able to have an open discussion about trade-offs. Through these conversations, organisations can establish their risk appetite, which is likely to vary from activity to activity. For example, an organisation will probably have zero appetite for a risk that will result in non-compliance with the law, but there may be more flexibility around other activities where the downsides are less significant.
As an alternative to scoping risk appetite, organisations can use an objectives-centric risk management. This approach looks at the certainty of achieving what you’re setting out to do. If you don’t have enough risk mitigation in place to be fairly certain that you’re going to achieve your objectives, that should signal that more needs to be done.
Whatever approach is adopted, decisions around risk-taking should sit with the board, not with the executive.
An integrated approach
Given that risk management is about how the organisation is going to achieve its strategic objectives, risk should be incorporated into every aspect of the board agenda. Risk should be included in every proposal requiring a decision and, if it’s not, the board should be proactively asking risk-related questions.
Risk registers and heatmaps can be helpful ‘at a glance’ to support board-level discussions of risk but – if used too early in the process – can stifle discussion. A more helpful approach may be to have a broad initial conversation about risk which can subsequently be developed into a risk register or heatmap following the meeting. Once these tools have been created, they can support conversations and facilitate deep dives into higher risk items and how they can be managed.
Constant monitoring
Given that risk management should support the achievement of strategic objectives, it is not enough simply to review the register annually and leave the conversation there. As workstreams progress, new activities are initiated and the external environment changes, so too will the likelihood and implications of existing risks. What’s more, new risks may emerge mid-year, or anticipated risks may become less likely over time. An effective risk management approach will adjust to reflect these internal and external changes.
Even with the best will in the world, no organisation will be able to anticipate every possible risk. How many were taken by surprise with the COVID-19 pandemic? Or the war in Ukraine? It is impossible to develop mitigations for every eventuality, and that would not be a good use of scarce board time. However, by taking a pragmatic approach to risk management, organisations should be in a position to anticipate and respond to challenges, building resilience and maximising the potential of new opportunities as they emerge.
Read more about risk in Governance and Compliance.
