
All organisations must take risks to create value. The question is how much and what types of risk should they take? Risk is not something to be avoided, but to be understood and leveraged in pursuit of an organisation’s purpose. The International Organization for Standardisation defines risk as “the effect of uncertainty on objectives” (AS/NZS ISO 3100 Risk management).

Importantly, risk is not inherently bad. It arises because the future is unknowable and therefore the outcomes of decisions are always uncertain to some extent. Risk is typically characterised by considering examples of events that could occur, their likelihood and the consequence of their impact. Boards have to deal with a range of risks, including hazards (asset management, safety, environmental, social, regulatory), financial risk, operating risk, organisational risk (governance, performance, culture and conduct) and strategic risk. Risk management should be integrated into executive and board-level decision-making, largely as part of strategic planning, and also in key tactical decisions.

Role of the board

The board’s role is to set the risk appetite — given its capacity to bear risk, core purpose and the expectations of shareholders, members and other stakeholders — and to ensure it has a risk management framework to identify and manage risk on an ongoing basis. While ultimate responsibility for a listed entity’s risk management framework rests with the full board, board committees can also play a significant role.

Risk management encompasses the culture, processes and structures directed towards taking advantage of potential opportunities while managing potential adverse effects. The goal of risk management is to increase certainty that a decision’s intended outcome will be achieved. It involves identification, evaluation and prioritisation of risks.

Risk management should not be considered a discrete activity, but should be embedded in the practices, processes and policies within an organisation concerned with making decisions, and ensuring these decisions continue to be valid. Risk and strategy are inseparable.

Risk appetite

One of the most important roles of the board is in developing a mutual understanding with management on the nature and extent of risk the organisation is prepared to accept in pursuit of its purpose. The risk appetite provides parameters for management to pursue the organisation’s purpose. Defining and documenting risk appetite bolsters the development of an appropriate risk culture aligned to and supporting the purpose and strategy.

The AICD’s Not-for-Profit Governance Principle 5 on risk management says: “Boards must be careful that they are not so concerned with negative risk that opportunities are missed, but they can also not have such a disregard for risk as to expose the organisation to serious harm. Striking an effective balance between the two is the hallmark of a sound risk appetite.”

Risk management frameworks

Organisations can adopt more formal processes to facilitate better management of risk by developing a risk management framework. There is no one-size-fits-all approach. Large organisations may have highly-developed approaches, systems and processes supported by both internal and external professional advisers. Smaller organisations facing simpler decisions may adopt more informal approaches, relying on their own experience, judgement and common sense to manage risk.

The board is ultimately responsible for an organisation’s risk management framework. Management is responsible for designing and implementing the framework. The board’s role is to ensure the framework is sound and to oversee its effective operation.

The AICD director tool program, which provides high-level practical guidance for directors, has been fully revised for the latest legislative developments, current regulatory compliance advice and best practice governance principles.
