‘What is the worst that could happen here’? – Some basic risk questions for INEDs to ask...

The board is ultimately accountable for risk and even where there is significant work done by risk experts it’s almost certain that all independent directors will have the opportunity to provide challenge at board and/or risk committee meetings. Where you don’t, this needs fixing and fast!

As with any other seemingly ‘technical’ topic (and there are many) INEDs can confidently rely on their general challenging techniques to help ensure the best outcomes don’t get lost in debates about technicalities or detail.

Here are a few simple challenges that I have developed and shared over time, often from watching my peer INEDs as we aim to be both rigorous and fair with our board and the executive team:

·        Have your board and executive team been invited to regularly brainstorm their view of the firm’s strategic and operational risks, then to add to them as soon as any others arise?

·        Have your board seen a recent summary of top risks, have they challenged or added any, have they ‘adopted’ this key risk list as their own?

·        Are your senior executive team and board encouraged to speak with stakeholders of all types as part of a ‘horizon scanning’ effort to watch for risks that could approach from a distance at high speed and with significant effect?

·        Does each key risk have a clear owner that is empowered to coordinate any resources necessary to mitigate its likelihood, or impact, or both? Does someone else regularly check that the risk stays mitigated?

·        Has the business considered possible connections between these risks, so that cascaded or concurrent risks might be anticipated and mitigated in combination?

·        Does the board regularly review their risk list alongside progress against business objectives - considering all key risk changes, additions and incidents. Do they ask ‘what is the worst that can happen’ for each event, to consider how to be prepared for that.

·        Does the CEO regularly review the operational risks with their team, alongside their ‘business as usual’ reviews of objectives, tasks and achievements?

·        Has the board been able to agree on and share, via the CEO to staff and others, their ‘risk appetite’ such that most staff and stakeholders would probably anticipate or make much the same decision in any given situation?

·        Is there a tested crisis management and PR approach in place that can be quickly deployed when incidents occur?

·        What major difficult events have happened in the last year or more, were they anticipated, did any mitigations work, what would we do differently with these or other issues in future?

Asking these questions of yourselves and others will help ensure risk accountability remains with the board and in good shape, whatever the size or sector of your organisation. These challenges are not sufficient in themselves to achieve oversight of a complex organisation so the Risk Coalition has recently produced guidance, gap analysis and benchmarking support that boards can adopt.

Bryan Foss, Visiting Professor Bristol Business School and Co-founder www.riskcoalition.org.uk