- December 15, 2018
- Posted by: Zina Smith
- Categories: CT Blog, CT News
Jon Slade, Director at Campbell Tickell, reflects on key pointers from CT’s recent risk & assurance masterclasses.
A couple of points went down particularly well when Sue Harvey and I delivered Masterclasses North and South recently on the subject of those non-identical twins Risk and Assurance.
‘Good enough’ and ‘not good enough’
The first is our point that when it comes to Risk Management ‘good enough’ and ‘not good enough’ can look superficially similar. Too often organisations mistakenly regard copious detail as evidence of assurance and provide us with wide and long corporate risk registers, assuming that the sheer quantity of risks, triggers, controls and mitigations is evidence of assurance. When the full Board consigns all risk management to an Audit and Risk Committee that is down in the detail, it ends up assuming, wrongly, that reams of detail reported back up are evidence of assurance.
Indicators of less than robust health
Secondly, when we then look at the risk map, records and risk management practices there are a number of indicators of less than robust health. The greater the number of these that ring a bell, the more worried you should be:
|1. Presenting an A3 risk map on a||If you are, no-one is reading it.|
|2. Audit Committee has skills gaps||Strong on ‘doing detail’. Less strong on critical evaluation of controls and assurance.|
|3. Audit Committee doesn’t track||Limited or no tracking of recommendations and action points, including from internal and external audit.|
|4. Vague on accountabilities||Risk ownership unclear or shared across teams|
|5. Mistaking detail for assurance||Very detailed reports and poring over detail in committee.|
|6. Mistaking monitoring for control||Watching a car crash in no way stops it from happening. Monitoring alone does not reduce risk.|
|7. Believing future controls reduce risk today||The strategy that is going to Board next May is not reducing risk today.|
|8. Overly complex, disproportionate & bureaucratic||The big brother of detail is complexity. All of your Board should be able to describe your top four risks.|
|9. Imprecision in risk descriptions||Lots fall at the first hurdle. ‘Health and safety’ is not a risk. ‘Harming a resident, visitor or contractor’ is a risk.|
|10. Cursory full Board engagement||“The Audit Committee does risk …”|
The appropriate management of risks requires the right people (at full Board, on the Audit and Risk Committee, on the executive team, throughout the staff team), doing the right things (describing risks accurately, identifying triggers, controls and mitigations and testing their effectiveness), all the time.
The best approaches integrate risk management into daily work so that it becomes part of the weave and weft of how you do business. One example is identifying which golden financial rules are relevant to the approval of your development programme and mandating consideration of performance against those rules at scheme approval meetings as well as when considering the financial plan and stress testing.
Risk management can not only stop you getting poorly, it can also make you healthier.
Every business takes its lead from the people at the top. If the behaviours of your full Board and/or Executive team portray risk management as a necessary but mundane set of tasks, then you should expect your staff to mirror that in their work. You cannot rely on the fact that a bad thing has not happened yet as evidence that it never will. To do so is to sleepwalk towards a crisis.
Here at CT we have an approach which can effectively manage risk and provide assurance, together with the expertise and experience to diagnose issues and risks arising from your existing approach. Building on the success of our recent Masterclasses we are intending to take our Risk and Assurance show on the road to Dublin and Belfast. Watch this space!
View a clip from the masterclass on the language of risk.