Top risks identified by boards in 2018. Risk 5: Risk Management

The Governance Evaluator 2018 Governance Capability Benchmark Report analysed board evaluation responses from over 70 boards comprising almost 700 members across multiple industries.

This issue investigates Risk Management & Compliance: pressing issues, tips and resources for ensuring your board is informed and assured regarding the organisation’s risk.

What is Risk Management and Compliance?

Risk management creates and protects the values of an organisation through processes, structures and systems that help the organisation achieve its objectives and improve its performance. Compliance ensures that the requirements of laws, regulations, industry codes and standards are met.

Governance Evaluator assesses a board’s compliance and management of risk in terms of four key themes: (i) risk appetite & tolerance, (ii) risk management, (iii) risk systems and (iv) compliance.

Within the Governance Evaluator, each theme is explored via a series of targeted questions, each with four possible responses:

  • No: Represents an early capability assessment of the board in that area. Any responses in this category highlight the need for board capability improvement and education.
  • Yes, but qualified: Indicates that board capability is developing and not yet at a mature governance level. Again, these point to opportunities for focus and education.
  • Yes: Represents a mature governance capability within the board, with the criteria wholly satisfied, as judged by the participants.
  • Unsure: Measures a construct other than overall board capability as it reflects individual members of the board or leadership team that are unsure of the board’s level of functioning.

Risk Appetite and Tolerance

A risk appetite statement represents the types and degrees of risk that an organisation is willing to seek and accept for itself and on behalf of its key stakeholders when making its strategic decisions. The organisation’s appetite for risk, and hence the level of control it exercises, varies depending on the type of risk being taken in accordance with its strategic objectives. A risk appetite statement should aim to achieve the following:

  • align its risk-taking capabilities with its strategic objectives
  • enable risk-taking activities to create value
  • protect the interests of its stakeholders
  • create a culture of risk awareness within the organisation

2018 Benchmark Data key finding:

Q: Is the organisation’s risk-taking capability aligned with the strategic objectives?

Fig 1:  2018 evaluation findings for Risk Appetite and Tolerance

42% of board members believe there is room for improvement for their board in relation to having a sound, well-communicated and understood risk appetite statement that accurately reflects the type and level of risk that is aligned with the achievement of the strategic goals. 15% of members are unsure about the status of the risk appetite statement for their board.

Top Tips for improving Risk Appetite and Tolerance

  • The board should be actively involved in documenting the risk appetite and setting the risk tolerance limits to give management clear parameters in which to make risk-considered decisions in line with the strategic direction.

Risk Management

The key risk management role of each director is, first and foremost, to understand their risk environment from both a business and an industry perspective. This enables them to identify key risks, which are likely to have the most adverse impact on their organisation. The board must then ensure that it has the right risk management framework (policies, risk committee, reporting structures, staffing and culture) to ensure that risk is identified, managed and reported at every level of the organisation.

2018 Benchmark Data key finding:

Q: Are the key risks identified and their management monitored at Board level?

Fig 2:  2018 evaluation findings for Risk Management

27% of board members are not satisfied that their board understands their risk environment from both a business and industry perspective and that there are appropriate systems in place to identify and manage these risks.

Top Tips for Improving Risk Management

  • Ensure dashboard reports prepared for the Board about top organisational risks include whole-of-organisation risks, such as service delivery risks, not just finance. Also ensure these risks have identified indicators, agreed variances and commentary with possible actions if outside of agreed variances.
  • Lead a regular review of industry-wide indicators, trends, benchmarks and commentary.

Links to Resources

Governance Evaluator has sourced some resources which we think you might find useful to build any board’s capabilities in this area:

  • The Victorian Managed Insurance Authority (VMIA) has an online risk maturity self-assessment program that helps boards to identify and monitor risks through informative dashboards and targeted reports:
  • Governance Evaluator customers can access the following, and other useful resources via the platform here.
    • Resource Manual – 2A. The Role of the Board in Risk Management Fact Sheet
    • Governance Manual – 2.1 Risk Management Policy
    • Governance TV – Dr Gabby Fennessy, Senior Risk Advisor, VMIA – Risk Management for boards

Risk Systems

Risk management creates and protects the values of the organisation through processes, structures, and systems that help the organisation achieve its objectives and improve performance. A risk management framework outlines the organisation’s systematic approach to the assessment, management and reporting of risk. The framework details the organisation’s key structures and processes for risk management, including the agreed risk appetite, the procedures for reporting risk to the board and committees, and staff roles and responsibilities.

2018 Benchmark Data key finding:

Q: Does the Board have an effective risk management framework?

Fig 3:  2018 evaluation findings for Risk Systems

38% of board members are unsure or unsatisfied about the risk management framework in place that details the organisation’s key structures and processes for risk management, including the agreed risk appetite, the procedures for reporting risk to the Board and committees, staff roles and responsibilities and cyber security.

Top Tips for improving Risk Systems

  • The board’s role is to oversee and monitor identified risks. The board should have a clear and agreed reporting structure for risk management across the organisation, as without this it is difficult for the directors to have effective oversight.

Links to Resources

Governance Evaluator has sourced some resources which we think you might find useful to build any board’s capabilities in this area:

  • Download the Victorian Managed Insurance Authority (VMIA) range of risk management tools here 
  • Governance Evaluator customers can access the following, and other useful resources via the platform here.
    • Governance Manual – 2.3 Risk Management Checklist

Compliance

The board should develop a compliance program that suits the compliance needs of the organisation as a private or public entity. In order to ensure compliance with statutory obligations, the board should receive assurance regarding compliance with legislation, standards and contracts.

2018 Benchmark Data key finding:

Q: Does the Board have appropriate compliance reporting covering legislative, standards and funding compliance requirements?

Fig 4: 2018 evaluation findings for Compliance

38% of board members are unsure or unsatisfied about their board’s effective and appropriate compliance monitoring and remediation program that provides the necessary assurance to the board that the organisation is meeting its compliance requirements.

Top Tips for improving Compliance

  • The board should be compliant with a Risk Management Framework that outlines the approach to risk identification, management and reporting at all levels of the organisation, and must have a clear system in place for their oversight role for risk.

Links to Resources

Governance Evaluator has sourced some resources which we think you might find useful to build any board’s capabilities in this area: