How should effective Boards “do” risk ?

This question is usually addressed in terms of whether or not “risk’ should be part of the remit of a separate Board committee – reducing to a one-dimensional response balancing the benefits the focussed scrutiny a separate committee can offer against concerns that “risk” then becomes divorced from the more general Board oversight and decision making responsibilities.  However, to do justice to the question requires a rather more fundamental, organisation specific, appraisal of the risk competency needed and how best to achieve it.

A good starting point is the 1999 Turnbull Report which provided the basis for the 2005 Financial Reporting Council (FRC) Combined Code Guidance on Internal Controls. The emphasis here was very much on oversight and the importance of ensuring that companies are not exposed to avoidable risks, against a background of continual change.

Rolling forward to the present UK Corporate Governance Code (FRC2016) we have:

  • The board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives” and
  • “The board’s role is to provide entrepreneurial leadership of the company within a framework of prudent and effective controls which enables risk to be assessed and managed.”

This means that whilst oversight is still very much a core aspect of a Board’s risk accountability, the remit now requires that strategic decision making is properly risk informed.  For many businesses, this shifts the emphasis from risk management to risk intelligence.

In 2011 FRC published a summary of a series of discussions with companies, investors and advisers in their paper on “Boards and Risk”.  Although a few years old, this still provides a good overview of the risk aspects of Board effectiveness.   It sets out to prompt boards to think about how they approach risk rather than provide guidance.

What is striking is the breadth of risk engagement needed, as is illustrated by the mind map below.

The point here is not about the individual items shown – the FRC2011 paper provides background on these, each of which merits careful consideration.  It is more about what the whole picture tells us about how an effective board will address risk.

So here’s a few observations:

  • A Board’s risk intelligence is as relevant to entrepreneurial leadership as it is to governance.
  • All Executive and Non-Executive Board members should be at least conversant with the concepts, tools and techniques involved and some (at least one) Non-Executives have sufficient expertise to drill down into (and be able to challenge) into an organisation’s internal risk processes.  This will often, but not always be aligned with financial expertise.
  • Risk cannot be ‘ring-fenced’ into a separate committee.  First and foremost, risk is best addressed as a layer of governance, challenge and intelligence which overlays the regular activities of a Board – to inform decision making.   With this sustainably in place then there may well be cases where the focus of a separate risk committee will add value – particularly where there are specific compliance requirements.  However, this should not detract from the more general board requirements for risk intelligence.

If we accept that risk intelligence is a core aspect of entrepreneurial leadership then all entrepreneurial followers will need to see value in the organisation’s approach to risk.   This in turn requires the Board to establish, communicate and “live up to” the appropriate risk culture.  If you have any great examples we would love to hear abut them….


Spread the word. Share this post!