Today I want to focus on the role of the board in risk management. All boards must have an understanding of the key risks in the organization and how those risks are managed.
The board should start by demonstrating good risk management through appropriate governance practices, including effective oversight. Beyond that, the role of the board will differ depending on the type of organization, the types of operating risks the organization undertakes, and whether the board is a ‘policy’ board or an ‘operating’ board.
All boards should be focussed on the strategic risks in the organization. These risks are most often dealt with as part of strategic planning and the core strategies are, in part, a response to strategic risks and opportunities. However, it should not stop there. The board should have periodic conversations about these risks to assess if the risks have changed in any way that requires an organizational response.
All boards should ensure that policies are in place to manage risk. The purpose of a policy is often to define the level of risk the board is prepared to accept (e.g. level of reserve fund or investment vehicles). Boards should also review the risks in proposed new program areas, new populations served, and anything else that significantly changes the risks in the organization.
There are only four decisions to be made about risks: avoid the risk (stop doing something or don’t start), transfer the risk (e.g. insurance), control the risk (policy, ED limits, monitoring) or manage the risk (processes, training, monitoring). For significant risks, these decisions are made by the board.
In smaller organizations with operating boards, the board is likely managing the critical risks in the organization or providing significant assistance and oversight. In larger organizations, the board role is more likely focussed on strategic risks and ensuring that proper risk management policies are in place and followed.
No matter the size of the organization or whether the board is ‘operating’ or ‘policy’, a risk management framework is a useful tool for boards. This framework lists the risks by category (e.g. financial, legal, operating). For each risk, the framework provides an assessment of the likelihood of it occurring, the level of impact if it did occur, a brief description of the likely impact, and how that risk is currently managed by the organization (e.g. policy, insurance). Some organizations add a person with primary responsibility for each risk.
If you think your board should have a better understanding of the risks in your organization, a good place to start is a board discussion of the key strategic risks – especially in these fast-changing times for not for profits. The next step would be a risk management framework. Remember that risk management is everyone’s job and is often a matter of common sense and good planning.
MAS consultants can help you ensure that your organization has the right risk management plan.
Would you like to know more about MAS? Access: https://masadvise.org/
About Chris Govern
Chris has been working as a volunteer consultant with MAS for almost 20 years. She has worked with many not for profits, primarily on strategic planning and governance work.