Arguably the most significant adjustment to the NED role over the past seven years is that all NEDs must now be well versed in identifying and managing all forms of risk – operational, financial and reputational…
As one Chairman put it: “Risk is a massive issue now: you need to understand the risks and be clear about what the board is doing about mitigating those risks.”
So how can you ensure that risks are being articulated appropriately, and how can you probe into how they are being mitigated, irrespective of whether risk management is well established within the industry? The first part of this article gives some steer on how to assess current risk management practices (governance); the latter part covers some good practices in risk review and mitigation.
If the company has not already done one, a Risk Maturity Assessment gives an indication of how seriously the organisation engages with risk management.
There are various models, usually with five levels of maturity (see the 5 Level Maturity Model in the diagram below): from an immature Level 1 organisation with no formal risk management policies, processes or associated activities, tools or techniques; through a Level 2 managed organisation where policies are in place but risk reviews are generally reactive; all the way up to the mature or ‘risk intelligent’ Level 5 enterprise, where the risk management tone is set at the top and built into decision making, with risk management activities proactively embedded at all levels of the organisation.
5 Level Maturity Model
The outcome of such an assessment gives a clear indication of the organisation’s risk management maturity level. Depending on how that aligns with the level the Shareholders and Board expect, the change actions needed to bring the organisation up to the expected level can be initiated. It also gives you a measure of the rigour of process and review that is likely to have gone into the risk reporting you see as a Board: a Level 1 or 2 organisation’s register is far more likely to be incomplete or stale than a Level 4 or 5 organisation’s.
Risk Score/Rating Matrix
As risks are identified, logged in the Risk Register and assessed on the likelihood of the risk happening and the impact to the business if it does, a Risk Scoring Matrix (preferably on a 5-point scale for each axis, as per the diagram below) is very useful for assigning a Risk Score to each risk; the score is normally the product of the two ratings, so on a 5-point scale it runs from 1 to 25.
The higher the score, the higher the priority that should be given to mitigating the risk.
Risk Score Matrix
As a NED you need to assess the completeness of the Key Risks in the Risk Register. Engaging with the executives prior to board meetings goes a long way towards getting their input and a feel for the risks that exist on the floor (the day-to-day running of the business). You should also ask whether there is something you talk about at every meeting that is either not on the risk register or is rated as a low risk. If so, you need to explore why the Board keeps discussing it while management are not giving it greater focus: either the rating is wrong, or the Board’s attention is misplaced.
Risk Heat Chart
A heat chart (as per the diagram below) gives a holistic view of all the risks at once, plotted by likelihood against impact, with high-scoring risks in the top right corner (coloured red) and low risks in the bottom left corner (coloured green).
Risk Heat Map
For a board to get an overview of what the key risks are, I don’t think you can beat a heat chart.
As a NED, you can use it to sense check: are the risks in the top right quadrant, the Red Risks, the ones that the Board feels are the highest risks? Are you talking about these risks regularly and challenging the business on the mitigating actions it is taking to reduce them?
Approach on Risk Review
The popular parlance these days is a ‘deep dive’ into the highest risks, usually undertaken by the Audit Committee.
Apart from that deep dive, you as a NED will want to do your own exploring. Below is an approach, in three steps, that works through one risk at a time.
1. Current Risk Score
What is the justification for the current rating – does this feel right? The impact should be measured by the potential impact of the risk on strategic objectives, and is usually quite easy to define, but likelihood can be more subjective.
Also known as the mitigated or residual risk rating, the current rating should recognise the mitigations or controls that are already in place and how effective they actually are, not how effective they are assumed to be. If a control has never been tested (a backup that has never been restored, a failover that has never been exercised), it should earn little credit in the rating.
2. Target Risk Score
What is a reasonable target risk rating for this risk, ie where are we trying to get to?
As a Board, you need to set the risk appetite (which equates to target risk ratings). This may vary by the type of risk, for example, targeting a very low risk rating might be necessary on something that is a matter of compliance or safety, but in commercial matters, the trade-off between risk and reward needs to be considered, so a higher risk appetite is likely to be acceptable.
There won’t be a limitless budget to spend on mitigating every risk to a minimal level, so as a Board you will have to decide what level of risk you are comfortable with; and where the balance sits between reducing the risk and the cost of mitigation. Why would you spend more on mitigations than the financial impact of the risk crystallising?
3. Mitigating actions
How are you going to get to your target level of risk? Planned mitigating actions should drive the risk rating down to its target level. This is a focus area for audit committee deep dives: what actions are planned, and will they be sufficient to bring the risk to its target rating? Progress on these actions should be monitored regularly. If there is no progress, ask whether this risk is being taken seriously enough, or whether it is simply not as big a risk as you first thought.
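The scoring matrix, the heat chart and the three-step review above can be reduced to a small amount of logic, which is worth doing because it makes the Board’s sense checks mechanical. The example below is added here and is not from the original article; it assumes a 5x5 matrix where the score is likelihood times impact, assumes heat-map colours of green (4 or below), amber (5 to 12) and red (15 and above), and uses a constructed, entirely fictional register. It scores each risk, places it on the heat map, compares the current (residual) score with the target score set by the Board’s appetite, and raises the two flags a NED would want: a risk above target with no progress on its actions, and a risk the Board keeps discussing that management rate as low.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # 5-point scale for both likelihood and impact


def risk_score(likelihood: int, impact: int) -> int:
    """Score = likelihood x impact on a 5x5 matrix (1..25); rejects values off the scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"likelihood and impact must be 1..5, got {likelihood}, {impact}")
    return likelihood * impact


def zone(score: int) -> str:
    """Heat-map colour for a score. Thresholds are hypothetical; set them to match your matrix.
    Products of two 1..5 values never land on 13 or 14, so the amber/red boundary is unambiguous."""
    if score >= 15:
        return "red"
    if score >= 5:
        return "amber"
    return "green"


@dataclass
class Risk:
    name: str
    likelihood: int          # current (mitigated/residual) likelihood, 1..5
    impact: int              # current impact, 1..5
    target_likelihood: int   # where the Board's risk appetite says this should sit
    target_impact: int
    actions: List[Tuple[str, bool]] = field(default_factory=list)  # (planned action, done?)
    board_mentions: int = 0  # how many recent Board meetings discussed this risk


def review(risk: Risk) -> Dict:
    """Steps 1-3 of the review: current score, target score and progress on mitigations."""
    current = risk_score(risk.likelihood, risk.impact)
    target = risk_score(risk.target_likelihood, risk.target_impact)
    done = sum(1 for _, finished in risk.actions if finished)
    flags: List[str] = []
    if current > target:
        if not risk.actions:
            flags.append("above target with no mitigating actions planned")
        elif done == 0:
            flags.append("above target with no progress on planned actions")
    # The NED's question: is the Board talking about something rated as a low risk?
    if zone(current) == "green" and risk.board_mentions >= 3:
        flags.append("discussed repeatedly by the Board but rated low")
    return {
        "name": risk.name,
        "current": current, "current_zone": zone(current),
        "target": target, "target_zone": zone(target),
        "gap": current - target,
        "actions_done": done, "actions_total": len(risk.actions),
        "flags": flags,
    }


def heat_map(risks: List[Risk]) -> Dict[str, List[str]]:
    """Group risk names by heat-map colour, highest score first within each colour."""
    grouped: Dict[str, List[str]] = {"red": [], "amber": [], "green": []}
    for r in sorted(risks, key=lambda x: risk_score(x.likelihood, x.impact), reverse=True):
        grouped[zone(risk_score(r.likelihood, r.impact))].append(r.name)
    return grouped


# Constructed sample register: fictional risks and ratings for illustration only.
REGISTER = [
    Risk("Ransomware on production estate", 4, 5, 2, 5,
         actions=[("offline backups", True), ("MFA on remote access", False)], board_mentions=4),
    Risk("Key supplier insolvency", 2, 4, 1, 4, actions=[], board_mentions=1),
    Risk("Office lease renewal", 1, 2, 1, 2, actions=[], board_mentions=5),
    Risk("Loss of primary data centre", 3, 5, 2, 3,
         actions=[("stand up DR site", False)], board_mentions=0),
]

if __name__ == "__main__":
    for colour, names in heat_map(REGISTER).items():
        print(f"{colour:>5}: {', '.join(names) or '-'}")
    for r in REGISTER:
        result = review(r)
        print(f"{result['name']}: {result['current']} ({result['current_zone']}) -> "
              f"target {result['target']} ({result['target_zone']}), "
              f"actions {result['actions_done']}/{result['actions_total']}, flags {result['flags']}")
```

Run it as a script and the first flag it raises is on the data-centre risk, which is red, above target and has a planned action that has not moved; the second is on the lease renewal, which is green yet has been raised at five meetings. Both are exactly the conversations the text says a NED should be starting.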
Good risk management should aid decision making, avoid or minimise losses, but also identify opportunities.
Let’s look now into Risk Mitigation in more detail…
Approach on Risk Mitigation
Risk mitigation can be defined as taking steps to reduce the adverse effects and impact on the business of a risk while also reducing the likelihood of it occurring.
Four risk mitigation strategies are commonly used, particularly in Business Continuity and Disaster Recovery planning. When mitigating risk, it is important to choose the strategy that matches your company’s risk profile and appetite for that particular risk.
Risk acceptance does not reduce the risk at all, but it is still a strategy, and an explicit decision. It is a common choice when the cost of the other options, such as avoidance or limitation, would outweigh the cost of the risk itself. A company that does not want to spend a lot of money avoiding risks that have a low probability of occurring will accept them; the discipline is to record that decision and revisit it as the likelihood or impact changes.
Risk avoidance is the opposite of risk acceptance. It removes exposure to the risk altogether, typically by not undertaking the activity that creates it. It is important to note that risk avoidance is usually the most expensive of all the risk mitigation options, because it usually means forgoing whatever reward the activity would have brought.
Risk limitation is the most common strategy used by businesses. It limits the company’s exposure by taking some action, combining an element of acceptance (the risk can still occur) with an element of avoidance (its effect is contained). An example would be a company accepting that a disk drive may fail while avoiding a long outage by keeping backups and periodically testing that they can be restored.
Risk transference means handing the risk off to a willing third party. For example, many companies outsource operations such as customer service or payroll. This can be beneficial if the transferred risk lies outside the company’s core competencies, and it lets the company focus on what it does best. Note that outsourcing transfers the work and some of the financial exposure, not the accountability: the company remains answerable to its customers and regulators for a failure at its supplier, so the supplier’s own risk management needs to be assessed too.
All four risk mitigation strategies require monitoring. Vigilance is needed so that you can recognise and interpret changes to the likelihood or impact of each risk, and revisit the strategy chosen for it when they change.