How Can the Board Develop an Effective Approach to Risk Management?

Does Your Board Have an Effective Approach to Risk Management?

Risk management is a key component of sound corporate governance. There has been a popular view in the past that risk management was a brake on progress: a discipline inhabited by clip-board clutching box tickers intent on stifling entrepreneurial innovation. Not any more – for enlightened organisations have embedded an effective approach to managing risk into their culture and everyday processes. Risk management should be as much about spotting opportunities, as avoiding hazards.

‘The effective development and delivery of an organisation’s strategic objectives, its ability to seize new opportunities and to ensure its own long-term survival depend on its identification, understanding of, and response to, the risks it faces,’ says the Financial Reporting Council.

High-profile scandals in private, public and third sectors, corporate failures, the banking crisis of 2008-2009, as well as increased globalisation, interconnectedness and the fast pace of change in the business environment, have all focused more attention on the way boards handle risk management. There has been a step change in the need for boards to focus on risk in the last few years. Regulators have toughened their approach – all but the smallest companies in the UK must now prepare a ‘strategic report’ which includes a ‘fair review of the company’s business and a description of the principal risks and uncertainties facing the company.’ For charities, the SORP 2015 requires in the annual report from trustees ‘a description of the principal risks and uncertainties facing the charity and its subsidiary undertakings, as identified by the charity trustees, together with a summary of their plans and strategies for managing those risks’. Sector-specific regulators, from the Care Quality Commission to the Health & Safety Executive, expect to see a proper risk management strategy.

Corporate Governance codes all stress the need for an effective approach. The UK Code states in Section C, ‘The board is responsible for determining the nature and the extent of the principal risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.’ In the 2014 edition this was strengthened to include a new provision that ‘a robust assessment’ is carried out annually of the ‘principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity.’ Similarly, the Governance Code for the Voluntary Sector requires that the board must ensure ‘ regularly identifies and reviews the major risks to which the organisation is exposed and has systems to manage those risks.’ But also, there are increasing expectations from all stakeholders that the Board is aware of risks and has an effective plan to manage them. It is no longer acceptable in the public’s mind for organisations to find themselves in a position where unexpected events cause financial loss, operational disruption, damage to reputation and loss of market position. Witness the outcry every time a bank’s cashpoint network goes offline.

What is risk?

A useful working definition is ‘an event with the ability to impact (inhibit, enhance or cause doubt about) an organisation’s mission, strategy, projects, routine operations, objectives, core processes, key dependencies and/or the delivery of stakeholder expectations.’

By taking a proactive approach to risk management, organisations should achieve positive benefits:

  • Operations should be more efficient because events that can cause disruption are identified in advance and actions are taken to reduce their likelihood and contain the costs if they do occur.
  • Processes should be more effective because of the thought that is given to selecting processes and thinking about the risks involved in different alternatives.
  • Strategy should be more effective, because risks associated with different options will have been carefully analysed and better decisions reached, leading to better outcomes.

Types of risk

Risks break down into different types. Risk management practitioners classify risks into hazard risks, control risks and opportunity risks. In general terms, organisations seek to mitigate hazard risks, manage control risks and embrace opportunity risks.

Risks break down into categories:

  • Financial risks – (e.g. accuracy and timeliness of financial information, accurate accounting records, adequacy of cashflow, interest rates, exchange rates, investment returns).
  • Operational risks (machine failure, human errors, service quality, incorrect contract pricing, employment issues, health and safety, IT failures, data breaches, fraud and theft).
  • Environmental and external risks (reputation and adverse publicity, cyber attacks, demographic trends, government policy, terrorism, extreme weather events, pandemics).
  • Compliance with laws and regulation – risk of legal claims, regulatory action, prosecution and fines for failure to comply with obligations.

Risk assessment

Having identified the risks faced by your organisation, they should be categorised in terms of their likelihood of occurrence and potential severity of impact (including financial loss or impact on reputation). Sometimes a risk score of 1-5 may be awarded (with 1 being very low and 5 being very high). The impact score may be multiplied by the likelihood score to identify the areas where most board attention and scrutiny is required. This will build up into a risk register similar to the one shown in Figure 1 below.

[Figure 1: Example Risk Register]

Once each risk has been evaluated, the board will need to consider any action that needs to be taken to mitigate the risk, either by reducing the likelihood of it occurring, or lessening the impact if it does. The technique of ‘4Ts’ is sometimes used:

  • Tolerate – accept the risk because it is not considered a significant threat.
  • Trim – take measures to control or reduce the risk, so that the residual risk after control measures have been applied is acceptable (e.g. create policies and processes, train staff on how to reduce likelihood).
  • Transfer – shift the financial consequences to third parties (e.g. through taking out insurance or outsourcing to the supply chain, or using indemnity clauses in contracts).
  • Terminate the risk – by getting out completely – e.g. closing down an excessively risky operation or facility.

The risk register should be used for recording risks that have been identified, actions taken to investigate the risk, identifying the person with management responsibility for the risk, recording measures taken to deal with risks, and recording regular reviews of the risks. The risk register should be a living document that is reviewed at scheduled intervals by the board – not a one-off exercise that then sits in a filing cabinet.

How does the Board discharge its responsibility?

The approach taken by any Board obviously depends on the size of the organisation and the complexity of its operations, but any organisation can benefit from a structured approach. In an organisation with full time professional managers, it would be usual for the managers to take the lead in assembling the risk register and bringing it to the board for review. However, in a smaller organisation the board members themselves may have to take the lead in compiling a risk register, perhaps with the assistance of an external facilitator, such as Elderflower Legal.

The processes which boards use to consider risks were examined in some detail by the FRC in 2011 and the Sharman Inquiry in 2012. The key areas of best practice recommended were:

  • The board must first decide on its appetite and willingness to take on risk – this feeds into the organisation’s culture, behaviour and values. Are the risks commensurate with the expected returns? An environment of excessive or ill-informed risk-taking could be fatal to the organisation’s long-term future. The Walker report into the banking crisis found that boards simply did not understand the risks that their traders were taking on mortgage-backed securities. At its simplest level, the board may set financial downside limits on transactions and these feed through into specific limitations on the authority of managers in any scheme of delegation. There are also inevitable linkages to personal reward systems and motivations and HR policies and how these influence staff attitudes to risk.
  • Risk management and internal control should be incorporated within the organisation’s normal management and governance processes – not treated as a separate or one-off compliance exercise.
  • The board must make a robust assessment of the main risks to the organisation’s business model, including ability to deliver its strategy, solvency, liquidity and long-term viability.
  • Once the risks have been identified, the board should agree how they will be managed and mitigated. It should satisfy itself that the management and control systems are adequate and, in larger organisations, receive adequate formal assurances from managers, the audit committee and external auditors. Regular reports should be coming to the board to provide this. Risk data should be captured from across the organisation: often front-line staff are the first to be aware of problems.
  • Risks and associated control systems should be reviewed on a regular ongoing basis.
  • The organisation should report publicly and transparently to its stakeholders on the principal risks it faces, any material uncertainties and their review of the risk management and internal controls. Stakeholders should feel that the board has a visible role in governance and stewardship and that the board is held accountable.

Five key questions for the Board

What are the top 5 actions the board can take to ensure success?

  • Focus on the culture – is there an embedded commitment to risk management and control in your organisation? Does the board lead by example? There should be openness and creativity around risk issues. (Don’t be like HBOS, which sacked its group head of risk when he tried to warn the Board they were taking excessive risk).
  • The risk register and associated controls must be documented, understood, reviewed and disseminated regularly – not locked in a filing cabinet and dusted off once a year, or even less frequently.
  • There must be a process for monitoring and reviewing risk – adequate time must be scheduled at board meetings to consider risk issues and review whether the organisation has the skills and capacity and tools to manage risks effectively. The board should focus its attention on the top ten areas identified with highest risk score.
  • The board must be alert to new and emerging risks (such as cyber attacks, sovereign debt crises, Grexit/ Brexit, global political instability/ terrorism, climate change, social media, pandemics, demographic changes).
  • Report on the board’s activities in examining and reviewing risks so that stakeholders can gain assurance that the board is discharging its duties and form a balanced, clear and informed view of the organisation’s prospects.

As with all aspects of good governance, the effectiveness of risk management and internal control ultimately depends on the skills, knowledge and behaviour of those responsible for operating the system. The board must set the desired values, ensure they are communicated, incentivise the desired behaviours, and sanction inappropriate behaviour.

Mark Johnson is an experienced solicitor and company secretary helping SME businesses, charities, social enterprises to manage risk, ensure good governance and protect their legal position.

The Pivotal Role of the Chair in Ensuring Good Governance

How can the Chair perform the role effectively to maintain accountability and high performance from the Board?

Last time we considered the conditions for a high performance board. A critical player in making the Board effective is the Chair. He or she has a crucial role to play both inside and outside the boardroom. The Chair should be a team-builder: ensuring the Board understands the strategy and common objectives; promoting open and two-way communications, facilitating participative decision-making and providing visible leadership.

Managing meetings is critical

The Chair’s role is to create a safe space in which constructive inputs from all board members can occur. The Chair runs the Board and sets its agenda. Meetings should be held in conducive locations and should start and finish on time. Agendas should focus on strategic matters, value creation and performance, rather than operational details, which are better delegated to executive managers.

The Chair should ensure that all members of the Board receive accurate, timely and clear information. This should cover both financial and non-financial indicators. This will enable the Board to make decisions based on evidence and properly to discharge their duty to promote the success of the organisation. Information should generally be circulated in advance of meetings to allow reading time.

For each item, the Chair should invite the person leading on it, often an executive manager, to introduce the subject and report, then open up the subject for discussion and debate. Vociferous members of the Board should not be allowed to dominate, particularly if this discourages quieter members from contributing. The Chair’s primary role should be to elicit the views of others and not to manipulate the discussion so that it goes their own way. The sense of the meeting must be ascertained and the outcome documented in the minutes. The Chair must ensure that actions are followed through.

The Chair should manage the Board to ensure that sufficient time is allowed for discussing complex or contentious issues. Board members should not be faced with unrealistic deadlines for decisions. All Board members should be encouraged to participate and offer constructive challenge. One Chair I know always sets homework for individual board members in advance of the next board meeting!

A skilful Chair should encourage feelings to be openly expressed and create a climate of trust and candour. Conflict should be surfaced and handled, with constructive negotiation, rather than personal attacks. Contrary views should not be glossed over. One technique to avoid ‘group think’ and ensure proper debate is to assign the role of devil’s advocate for unpopular alternatives, to stronger members of the group. Or occasionally the Chair could divide the board into two groups to evaluate options.

If consensus cannot be reached on a particular decision, the Chair should consider adjourning the discussion and returning to it at the next meeting. In the meantime, the Chair should attempt to identify the concerns of dissenting directors and reduce differences of opinion. Resisting contrary views may only serve to entrench the dissenter in his views, or even polarise the Board. If agreement cannot be reached, it may be appropriate to go to a vote: this should draw a line under the debate and allow the Board to move on.

The Chair should make certain that the board decides the nature and extent of the risks that it is willing to tolerate in implementing strategy. Sufficient attention should also be given to the composition, skills mix and succession planning for Board roles.

Chair’s role outside of the Board room

A newly appointed Chair should make a special effort to get to know the other board members through one-to-one phone calls or meetings. Valuable insights can be gleaned by drawing out fellow directors’ perceptions of the strengths, weaknesses, opportunities and threats facing the organisation. The Chair may help to facilitate social time in advance or after meetings to enhance teamwork within the group, by encouraging Board members to get to know and understand each other’s background, skills and perspective.

The Chair should take the lead in providing a proper induction programme for all new appointees to the Board (assisted by the Secretary, where appropriate). The Chair should also lead on evaluating the performance of the Board as a whole, as well as individual directors, preferably on an annual or biennial basis. The Chair’s performance should be subject to review by fellow directors too. Following the review, the Chair should follow through on any training and development needs which have been identified.

The Chair has a crucial role to play in managing communications with the organisation’s stakeholders and ensuring that board members develop an understanding of the needs and desires of customers and employees, investors, funders, as well as regulators. There is a key role to play in dealing with the media, particularly during a crisis, to protect the organisation’s reputation.

What makes an effective Chair?

An effective chair needs self-confidence, usually acquired through experience, good listening skills and charisma, which arises from being simultaneously in control, yet still open to contributions. To lead the board effectively, the Chair must know the directors, their strengths and weaknesses, so that they can be drawn out on relevant matters, or reined in when they are becoming too long-winded. A visible presence, walking the floor, motivating and talking to staff, as well as meeting and presenting to external stakeholders, is important.

The Higgs Review of 2003 found that an effective Chair:

  • Upholds the highest standards of integrity, probity and good governance, leading by example
  • Sets the agenda, tone and style of board discussions to promote debate and discussion and sound decision-making
  • Ensures a clear structure for running board meetings, including starting and finishing on time and spending proportionate amounts of time on thorny and complex issues
  • Promotes effective communications, inside and outside the boardroom
  • Builds an effective board by initiating change and succession planning for board vacancies
  • Ensures that Board decisions are implemented effectively
  • Establishes a close relationship of trust with the senior executives, providing wise counsel, advice and support, but at the same time being careful not to interfere with operational management decisions
  • Provides coherent leadership of the organisation, including representing the organisation to the outside world and understanding the views of all the organisation’s key stakeholders.

Chairmanship is a challenging role. A good Chair will have a clear vision and focus on strategy, bringing together the disparate skills, qualities and experience of other board members. The Chair should foster a positive culture of corporate governance which then permeates down through the organisation and delivers positive results.

I hope you enjoyed reading about The Pivotal Role of the Chair in Ensuring Good Governance. Next time we look at The Board’s role in identifying and managing risk.

Mark Johnson is an experienced solicitor and company secretary helping charities, social enterprises and SME businesses to flourish. His company Elderflower Legal offers a range of support packages to help organisations with legal compliance, managing risk and good governance. For more resources check out

How to Create a High Performance Board

How can you put in place the right systems, structures and processes to ensure that your Board drives success?

Any organisation, whether in the private, third sector or public sector is only as good as the people who lead it. Board members have a vital responsibility to define the vision and mission of the organisation, to decide its strategy and objectives, to manage the risks and to fashion the ethos and culture of the organisation.

The Board is the epicentre of any system of corporate governance, by which the organisation is directed, controlled and held accountable to achieve its purpose and create value over the long-term; it must balance the needs and interests of different stakeholders, whilst at the same time providing the entrepreneurial drive and leadership to succeed. Sound governance should be seen as a source of competitive advantage, not a brake on progress.

Four key tasks of the Board

An effective Board has four main strands to its work:

  • To establish and maintain the vision, mission and values of the organisation (the vision should be an inspiring picture of the organisation’s potential, the mission is a statement of how to achieve the desired state, whilst values are the principles and deeply held beliefs and standards of conduct embedded in the organisation’s way of doing things).
  • To decide the strategy and structure – the Board should continually review and evaluate the strengths, weaknesses, opportunities and threats and consider how best to play to the organisation’s strengths, or bolster the required competencies.
  • Delegate authority to managers and then monitor and evaluate the performance of the strategy and business plan, whilst maintaining appropriate monitoring and controls over risks; determine the appropriate KPIs to be used for effective monitoring.
  • Communicate with all the stakeholders in the organisation (such as customers, employees, funders, and members): maintain a continuous dialogue to understand their needs, promote their goodwill and support.

In carrying out these tasks, there needs to be a dynamic dialogue within the Board. As the Walker report into the behaviour of bank boards during the financial crisis found, many boards ‘lacked a disciplined process of constructive challenge’. They had descended into ‘group think’ and had focused on conformance with rules, rather than thinking laterally and strategically. The Financial Reporting Council in its 2010 Guidance on Board Effectiveness tells us, ‘An effective Board should not necessarily be a comfortable place. Challenge, as well as teamwork, is an essential feature’.

The role of the Board

One of the Board’s first tasks is to decide how it will function and identify the key issues and decisions which it must tackle collectively and which cannot be delegated – a schedule of reserved matters. Following that, there will be a scheme of delegation of powers to executive managers, committees and subsidiaries. Typical matters reserved for decision-making by the Board, include:

  • Approval of the annual report and accounts
  • Approval of dividends (in a profit-distributing organisation)
  • Approval of communications with members and the public
  • Appointment or removal of auditors
  • Developing, approving and reviewing the strategy
  • Approval of operating plan and budgets, review of progress against budgets
  • Approval of expenditure and contracts in excess of delegated limits
  • Approving the prosecution, defence or settlement of any litigation
  • Approval and ongoing monitoring of risks – the board should set appropriate risk management policies and seek regular assurance that the system is working effectively
  • Appointment and removal of Board members and senior executives
  • Succession planning for key roles
  • Ownership of health and safety policies
  • Approval and ownership of ethics codes and CSR policies
  • Setting terms of reference for delegation of powers to executives and committees

Practical steps for success

There are several practical organisational steps which will contribute to success of any Board:

  • The Board must be properly constituted with the right skills and have the resources to undertake its duties, such as a good company secretary. Board members must dedicate sufficient time to their role.
  • The number of meetings should be sufficient to deal with the business effectively.
  • Agendas should be properly planned and sent out in advance, together with supporting papers to allow for prior reading and preparation.
  • There should be enough time to devote to the items on the agenda, with the right focus on the most important topics – especially strategic issues, rather than mundane operational detail.
  • Minutes should be accurate and available promptly to aid follow-up actions. (Minutes also form a legal record of decision-making that must be kept for up to 10 years).

The organisation’s governance framework should be implemented in a way that is proportionate and realistic. However, as the Financial Reporting Council commented in 2009, the quality of corporate governance depends ultimately on the behaviour of individuals, not on procedures and rules. That leads us to consider what are the desired qualities and skills of valuable Board members?

Desired attributes of Board members

The late Neville Bain, former Chairman of the IoD, boiled it down to ten attributes:

  1. Ability to understand issues and identify central points for decision
  2. Sound judgment – probes facts and assumptions, weighs evidence to arrive at decisions
  3. The ability to provide and accept challenge in a constructive way
  4. Ability to influence through clear communication and persuasion
  5. Good interpersonal skills and ability to manage conflict
  6. Forward thinking – anticipating new trends and events, alert to the need for change
  7. Ability to think strategically, to understand the role of risk analysis and control
  8. Financial and commercial skills to understand how well the organisation is progressing against its goals.
  9. Integrity and high ethical standards – which they live by in practice.
  10. Good self-awareness – a thirst to improve personal knowledge and performance.

Boards must strive for continuous improvement

An effective Board should aim to be a learning organisation. They should continually review their collective performance as well as the performance of individual members. A useful way to approach this is through a structured external board effectiveness review, such as BoardCHECK360™ offered by Elderflower Legal. The review will examine various aspects of the Board’s operating procedures, composition and succession planning, induction, meetings management, internal controls and risk management, delegation and will highlight good practice, as well as areas for improvement.

As Bob Garratt tells us: ‘Directors are there to ensure that at the cybernetic centre of the enterprise, there is a heart and brain. This heart... creates an emotional temperature appropriate to that specific organisation. This is the essence of that organisation’s climate or culture’.

Next time: the pivotal role that the Chair plays in developing a successful Board.

What Makes a Successful Joint Venture?

Joint ventures can be a useful route to combine resources and skills, to secure greater market power or better access to markets for SMEs, charities and social enterprises.

A new corporate entity can be used to ring-fence more risky trading activities or to develop a distinct brand or business culture outside the strictures of the host participants (such as borrowing controls, pay scales or corporate overheads).

Partnering with an outside organisation may bring access to new technology, lean business processes and technical know-how. A joint venture arrangement in which partners each hold a shareholding provides an opportunity for ‘value capture’: as the business takes off their shareholding should increase in value. A shareholding and directors on the board provide a ‘seat at the table’, visibility and transparency on the money flows and activities of the business: areas of obscurity, which have been frequently criticised in more arm’s length outsourcing and licensing arrangements.

A joint venture is ‘an arrangement between two or more parties who pool their resources and collaborate in carrying on a business activity with a shared vision and a view to mutual profit’.

Analysing the elements of this, we find several main ingredients:

  1. There is a contribution of resources, assets and skills from both parties. Participants need to consider carefully the terms on which they make their staff and assets (land, equipment, brand, intellectual property rights etc) available to the new venture. Do the partners have the necessary powers and approvals to set up the arrangements?
  2. A joint venture is usually about starting a new business. There must be clarity about the business plan and risks, whether there is a demand for services or products supplied by that new business. Is there a wider market beyond the hosts’ areas that can be exploited to generate more revenue? In many cases, the joint venture will involve establishing a new limited company in which the partners each take a stake. The terms of the joint venture agreement are very important. Important areas to consider will be the agreed strategy and business plan for the venture, relative shareholdings and capital contributions, policies on reinvestment of profits vs. distributing them as dividends, decisions for which unanimity is required vs. decisions taken by majority and, crucially, what are the exit provisions if things don’t go according to plan or if one party wants to leave and sell its stake? Some enterprises with long-standing joint ventures have recently found it difficult to extricate themselves from arrangements which are no longer fit for purpose or perceived as too expensive. For example, Liverpool City Council had a long-standing JV with BT plc. It is to come to an end after it was reported that BT would not agree to cutting the cost of the £70m-a-year deal any further than the £5m a year over three years they had negotiated so far.
  3. There must be genuine joint working around a shared vision. A lot of joint ventures have come unstuck because the partners have not invested enough time at the outset in considering explicitly what both parties’ objectives are from the arrangement. For one partner, the objective may be to achieve a step change in products or service levels by levering in new investment, technology and improved business processes; for another, the objective may be to achieve a defined level of profit and to use the contract as a springboard to capture more market share and new distribution channels. Open conversations about how each partner can help the other achieve these goals are important.
  4. A good joint venture has an appropriate balance of shared risks and rewards. The parties should ensure that they negotiate an appropriate share of future rewards, but equally it must expect to shoulder its share o