How to challenge and manage risks at board level

Managing risk at board level is more of an art than a science.

Over the last five years, we have seen the risk environment become increasingly complex and interrelated. Issues such as the Covid-19 pandemic, the war in Ukraine, soaring energy prices, challenges in supply chains and a tight labour market have all brought macro challenges into organisations’ day-to-day risk management.

So, how can boards challenge and manage the risks of an organisation, without creating an industry in itself? In this article, we explore how to create an effective risk management approach, to build resilience and support organisational growth.

Over the last three years, the impact of emerging risks will have dominated meeting agendas, as organisations grappled with their internal responses to external events. Part crisis management, part risk management, many boards will have increased their skills and understanding in discussing risks during this time.

However, we see many boards are now identifying a disconnect between the risk reports they see and their decision-making needs. Traditional risk management focuses on risks within their control and identifying how they will mitigate or reduce that risk. It is fed by bottom-up risk reporting processes, where operational areas of the business identify their own risks and how they plan to address them.

While this process is tried and tested, it has several drawbacks for effective decision making…

Risk reporting focuses on known risks and more often issues

The organisation also needs to consider the unknowns or potential risks which are yet to fully formulate. Therefore, risk reports also must include a section on horizon scanning to ensure that emerging risks are captured at an early stage.

Risks are often viewed in isolation

Traditional risk reporting focuses on a line-by-line recording of risk, controls and mitigations that are being taken to address that risk. Boards need an opportunity to consider the interdependencies and interconnectedness of risks. For instance, if a workforce risk materialises, that may have an impact on financial risks for the organisations. By applying a risk lens approach, in which all risks are considered if a certain risk materialises, allows a board to understand on the cumulative effect of risks and what the overall impact will be on the organisation and its strategy.

Risk trend reporting

Many boards receive a narrative report on individual risks. By including more data within reports, it allows boards to understand the trends and trajectories of risks. If all risks are trending upwards, then it may require a different intervention. If risks are cyclical in nature, it is helpful to understand how they track over a 24-month period. By utilising different risk indicators and information, it can help focus boards on managing risks in a more dynamic way.

Lack of time to discuss risks on agendas

Often, we see risk management reports low down in board agendas, which may mean they don’t receive the full time and attention they need. By bringing the risk report to the top of the agenda, it can help to set the tone for the discussions and is useful to refer to as individual reports are presented throughout the meeting. If risks are being discussed in those reports, but are not captured in the risk report, it can serve as useful prompt to the board to consider the wider issues.

Deep dives in risk topics will prove useful

Deep dives a wider discussion into the detail of a risk area or topic, to allow boards to consider the complexity of risk as well as allowing a more agile and approach response to risks without the confines of traditional reporting. They also encourage subject matter experts to be brought in, to widen the lens from the executive.

Ultimately, boards are not expected to know all the answers when it comes to managing risk, particularly at an operational level. However, effective boards know what questions they should be asking around risks, to provide perspective to an organisation’s approach to identifying, managing and reporting on risk. The age-old question ‘what keeps you up at night?’ is a great way to understand what risks are truly worth talking about.

Successful risk management is fundamental to helping organisations navigate challenges and ultimately deliver on their objectives.

If you would like to explore how your organisation can improve its risk reporting, then please contact Liz Wright or Matt Humphrey.