- November 8, 2016
- Posted by: Zina Smith
- Category: CT Blog
Of course risk is not always related to finance or regulatory compliance. The loss of a key member of staff can be very significant for small organisations. Organisations can come under the spotlight for chief executive pay (or pay-offs). Charities with frontline delivery services can be more exposed to safeguarding risks – and many report that their beneficiaries are increasingly ‘vulnerable’. Then there are the risks associated with third party contracts, of which fundraising charities will no doubt be aware.
Our work in governance over the last decade has underlined the Board’s responsibility for risk management. In our experience, most organisational failures are ultimately governance failures. Whenever we’ve been called in to help with ‘problem cases’, it’s common to find a Board that has ignored important warning signs heralding problems. Or we find a Board that has been overwhelmingly passive, simply responding to information rather than actively requesting information and asking challenging questions of itself and others. Managing risk well demands that a Board looks forward, as well as learning lessons from the past.
One important principle is for the Board to take full ownership of risk. In practice, we’ve seen many Boards execute this responsibility through simply looking at the ‘red’ bits or isolated rows of the risk register. Boards sometimes get into the weeds by focusing too much on an overly operational risk register prepared by the executive. While registers have their role to play, they can have a soporific effect on the best of Boards, as they struggle with huge sheets of paper and tiny font.
Discussions about risk should be dynamic. Risks tend not to crystallise in isolation, and the domino effect can sometimes move with velocity, as the organisation tries to catch up with emerging issues. We encourage Boards to sometimes push the risk register to one side to first have a conversation exploring any new risks or concerns about the organisation, and to look at a register only after this reflective conversation has taken place. Boards need to understand the warning signs and the potential compound impact when risks converge – for larger organisations we would expect to see some tools in use for anticipating the dynamic nature of risk, whether scenario planning, stress testing or other forms of modelling.
The positives of risk
Taking risks can be positive, and in some areas a Board may decide that it wants to take more risk. It’s not enough to sit on ample reserves in times of uncertainty – Boards have a responsibility to put their resources to use to meet their objects. Working through the Board’s risk appetite across a range of activities can help everyone to understand where the scope is to be entrepreneurial (with whatever controls are needed) and where aversion to risk is necessary to protect the organisation. And risk appetite is not static – the Board will want to revisit it when circumstances change, externally or internally.
Any reflection on risk isn’t complete without a word about the Audit and Risk Committee. In any larger charity, we’d expect to see such a committee in place providing assurance to the Board about the adequacy and robustness of internal controls and risk mitigations. This doesn’t remove or diminish the Board’s ultimate ownership of risk, but rather informs and responds to it.
Written by Radojka Miljevic and Alice Smith. For more information or to discuss this article, please contact: firstname.lastname@example.org