The Savvy Director

Risk Instigator

May 19, 2024

Here’s a recent email from a DirectorPrep member: “I am serving on a board that does not have much understanding of risk management. What suggestions would you have to get the discussion going?”

That’s a great question from a risk instigator – a board director who’s looking to find a way to push their risk management rock up a hill when their fellow directors don’t see much value in having the discussion.

That’s okay. It won’t be the last time directors view risk management as nothing more than a navel-gazing exercise. Maybe there’s a good reason for that if previous attempts to get a risk discussion going failed to move the needle. That can certainly happen if the risk discussion begins with insisting everyone read an overly academic paper or attend an expensive training session meant for advanced practitioners.

Let’s go back to the initial question – how to get started? The short answer is to keep the language simple and the questions practical.

In a board or committee meeting, you could start a discussion by asking an open-ended question without branding the topic as risk management. Let’s say your organization has a new strategic plan. A savvy director might simply ask, “What could prevent us from being successful in achieving our goals?”

Then let the discussion happen.

Remembering that risk discussions are also about opportunities, another safe question might be something like, “What must go right to make progress toward our goals?”

“Your top risks may even be the source of your next innovation, if you are willing to see risk as an opportunity.” Steven Bowman, Conscious Governance

Some of today’s content may seem like old hat to you if you sit on boards with well-established risk management processes, committees, and review procedures already in place. If so, good for you.

Maybe you’re now in a position to pay it forward. We can all benefit from the tips that follow to assist colleagues on other boards who are struggling to cultivate a culture of prevention and risk management within the organizations they govern.


A Risk Instigator’s Workplan

For the benefit of those looking to get a risk program started following general discussion at a board meeting, let’s explore the basic steps for getting a risk management system off the ground, developed, and embedded into the culture of the organization.

Educate yourself and the board. Begin building support for risk management by educating yourself and your fellow board members about the importance of risk management. This might involve reading practical articles or books on the topic, attending conferences or workshops, or inviting experts to speak to the board.

Build a case. Once you have a solid understanding of the benefits, the next step is to build a case for why risk management is important for your organization. This might involve gathering data or statistics on the risks facing your organization or using case studies or examples to illustrate the potential impact of poor risk management.

Start small. Don’t try to implement a comprehensive risk management program all at once. Start small by identifying a few key risks and developing strategies to manage them. Instead of asking to see a complete risk register, ask management to identify the top five or top ten risks facing the organization. Starting small might also involve working with management to develop a risk management plan or establishing a risk committee to oversee the process.

Involve stakeholders. To build support, it’s important to involve stakeholders in the process. This might involve working with management, employees, clients/customers, and others to identify risks and develop strategies for managing them.

Monitor and evaluate. Once the risk management program is implemented, it’s important for the board to monitor its effectiveness on an ongoing basis. Management should report regularly to the board on risk management activities and conduct regular risk assessments to identify new risks and opportunities.

Link to strategy. Effective risk management is not just about identifying and mitigating potential threats. It’s also about identifying opportunities and positioning the organization to take advantage. When risk management is linked to the organization’s overall strategy, it becomes clear that it’s a key driver of success.

Measure success. One way to demonstrate the value of risk management is to use KPIs/metrics to measure success. For example, you might track the number of risks identified and managed over time, or the reduction in losses or incidents as a result of effective risk management. By using KPIs/metrics to demonstrate the impact of risk management, you can show that it’s not just an internal exercise, but a critical driver of organizational performance.

Align with customer needs. By identifying and managing risks that are important to customers, organizations can improve client satisfaction and loyalty, and position themselves for long-term success. When risk management is aligned with client needs, it becomes clear that it’s more than a navel-gazing exercise – it’s a key driver of customer value.

Drive innovation. By identifying and mitigating risks associated with new products or services, organizations can take calculated risks and position themselves for growth. Risk management isn’t just a defensive exercise, but a driver of innovation and a key enabler of organizational agility and performance.

Foster a risk awareness culture. It's important to foster a culture of risk awareness throughout the organization. This can be done through training and communication, by establishing clear roles and responsibilities for managing risks, and with recognition and rewards for individuals or teams that demonstrate a strong commitment to risk management.

Engage board members. With regular reporting to the board and updates on risk management activities, board directors become more engaged in the process. Inviting a risk management expert to speak about emerging risks and trends is another way to engage the board. Keeping the board informed ensures that this critical area receives the attention it deserves.


Director Liability

Here’s something for all directors to think about. While there’s no one perfect way to create a risk culture inside the organization, anticipated changes to Canadian federal legislation on cybersecurity may soon have board directors held personally liable for damages if the board is ruled negligent for not having demonstrated effective due diligence/risk management prior to a cybersecurity breach.

Does the risk of personal liability for board directors get your attention?

While the board may delegate the oversight of risk management to a board committee, I’ve always understood that accountability for the oversight of enterprise risk belongs to the whole board and its directors.


Risk Tools

Here are three digital tools from our colleagues in Australia and New Zealand that you can download by using the links below from the BoardPro Resource Centre:


In Summary

Cultivating a culture of risk awareness can be a challenging task, especially when board members are not fully engaged in this area.

By positioning risk management as a driver of innovation, growth, and client value, savvy directors can play a key role in ensuring that their organizations are well-positioned to succeed in today's fast-paced non-profit and business environment.


Your Takeaways

  • Effective risk management is critical to the long-term success of any organization.
  • Educating board members and building a case for risk management are critical steps in building support for risk management.
  • Starting small and involving stakeholders can help build momentum for broader adoption.
  • Monitoring and evaluating the effectiveness of the risk management program is crucial to demonstrating its value to the organization.
  • Cultivating a culture of risk awareness can help organizations to better align with client needs and expectations, drive innovation and growth, and position themselves for long-term success.
  • Savvy directors play a key role in getting an enterprise risk management system off the ground, developed, and embedded into the culture of the organization, both at the board table and inside the enterprise.
  • Director liability may be impacted by the lack of a prevention-based risk management system in key areas like cybersecurity. Artificial intelligence could be next.

Special thanks to DirectorPrep’s ChatDPQ for foundational research on today’s topic.




Thank you.


Scott Baldwin is a certified corporate director (ICD.D) and co-founder of – an online membership with practical tools for board directors who choose a growth mindset.

