On Boards and the management of risk

I've been involved in several discussions about risk management recently, including one at a Business Leaders Forum hosted by Grant Thornton. Most of the discussions have centred on the struggles that Boards face in managing risk—and more specifically, ensuring they are adequately informed. In listening to people, I've discovered many Boards struggle in this area. 

• How do Boards know all relevant risks are being notified?
  
• How big (or small) should risks be before they are reported? What is relevant?

Let's tackle the second question first. In most organisations, management has the responsibility to implement strategy. Therefore, they also have the responsibility to identify and manage risk. In doing so, management should raise (with the Board) all risks that have the potential to compromise their implementation of strategy—together with mitigation plans. Anything with a strategic impact should be reported. If Boards are not receiving relevant risk information, they should go looking for it.

That leads nicely to the first question. In my [direct though anecdotal] experience, most risk information tends to arrive via management. Though the common pathway, it is not without its problems. Many Risk Managers report up though the CEO. Even external Auditors tend to be retained by the CFO and report via the CEO. And therein lies the problem. Who decides what gets reported to the Board? Why would a CEO notify a risk that exposes him/her to extra work and/or uncomfortable questions from the Board? Oh, the foibles of human nature... 

Whereas most Boards receive risk information via the CEO, several of the high performing Boards that I've worked with seek and debate risk information directly—from staff, customers, outside advisors. They also do so in the context of strategy. Boards that open several channels are more likely to be adequately informed and, consequently, be better positioned to assess strategy implementation and ensure risks are managed effectively.

Boards need to ensure that they are adequately informed, and the best way to do that is to work directly with a range of internal and external sources. While this approach sounds straightforward, it has the potential to cause angst amongst management if not handled well. The CEO should be kept fully informed of risk discussions, and, ideally, be present when external advisors make presentations to the Board.

One final point. If risk mitigations are not being implemented effectively, and the achievement of strategy is being compromised as a result, then the Board should replace the CEO.