Dream Teams: Bringing boards and staff together for organizational success – October 11-21, 2016

October 19 & 20: Risk Governance and Risk Management

working together in Kabul
Photo Credit: Sylvia Vriesendorp

In the seminar, we have discussed almost the entire board building cycle and the work of the board. Let us close with an important but less discussed topic in the context of the long-term success of an organization: risk governance and risk management. These are also great topics for the continuing education of the board. Recall step 6 of the board building cycle, i.e., the board creates opportunities for the continuing education of the board members.

For those of you who are joining us for the first time, we encourage you to look through the summaries of the topics already discussed – Part 1: Board Basics, Part 2: The Work of the Board, and Part 3: Board/Staff Partnerships.


Basics of risk management and risk governance

Are you ready? Let us begin by spending 10 minutes watching four short but thought-provoking video clips on the topic.

  • Watch an elected official explain that uncertainty and risk are an inseparable part of public life (Risk is Mandatory)
  • Once you accept that risk is inherent in personal life and in the working of an organization, you’d want to know what to do about it so you are able to reduce the harm it might bring. Watch Lakay (Making Decisions About Risk) and Feachem (Mapping Risk) explain their approach to managing risk.
  • Finally, watch a consultant from the IT community, where risk governance is a critical issue, explain the concepts of risk governance and risk management in the context of an organization (Risk Governance – Risk Management).

Now that you are all fired up with your own thoughts and ideas having watched these videos, let me use this moment to set the stage.

Risk management is the forecasting and evaluation of risks together with the identification of procedures to avoid or minimize their impact. As the name suggests, it is a management function.

The role of a governing body is to make sure that risks to the organization are understood, managed, and, when appropriate, communicated. This is part of governance oversight. Risk governance implies the application of the principles of good governance (participation, inclusion, transparency, and accountability) to the identification, assessment, management and communication of risks. It also considers the broader legal, political, economic and social context. The governing body also ensures that sufficient resources are available and allocated to the staff function of managing the risks, e.g. funding for conducting audit activities or human resources to implement key principles such as separation of the accounting and auditing functions.

These are some of the risks that your organization might face at some point in time:
Source: Crystal & Company’s Risk & Insurance Primer for Nonprofit Organizations

Resources

Video: Risk is Mandatory, Everyday Leadership (01:05)
Video: Making Decisions About Risk, Everyday Leadership (01:28)
Video: Mapping Risk, Everyday Leadership (01:50)
Video: Risk Governance – Risk Management (05:00)

Q9 – Share your experiences/insights in risk governance/risk management

Please share your own experiences in how you saw risk being governed or managed. What can the rest of us learn from your experiences?

Case example and case study in risk management and risk governance

Governments are increasingly recognizing the key role played by the governing bodies in risk governance and management. See the example below:
Common risks
Source: Leaders Who Govern, Role Confusion, page 1:5

In Leaders Who Govern we encourage boards to know when risk taking is a good strategic move and when it is not. Here the organization's culture plays a role. Some organizations are more risk averse and others less. This depends on many factors, such as whether the organization seeks to innovate (always risky) or whether compliance is critical for sustained support.

One of our recommendations is to establish a risk management policy for organizations. Of specific importance for organizations that receive their funding from external sources are the causes and consequences of corruption in the health sector, and strategies to reduce corruption. See the Resources list below for more about risk.

Now we come to the learning activity of the day. Please read this article from Harvard Business Review and look for lessons relevant to risk governance and risk management. Keep in mind that even bees can teach us a thing or two about risk governance.

Resources

Managing Uncertainty: A Beekeeper’s Perspective on Risk by Michael O’Malley, PhD, Harvard Business Review, June 20, 2012

Read more about risk in Leaders Who Govern (LWG):

LWG, Stewardship of Resources, (see seven strategies to combat corruption on pages 14:7-9)
LWG, Continuous Improvement (see pages 15:8, 15:11, 15:13)
LWG, Member Orientation and Education (see pages 18:3 & 18:5)
LWG, Strategic Thinking and Planning (see pages 19:3 and 19:5)

Q10 – What can we learn from bees?

This Harvard Business Review article (https://hbr.org/2012/06/a-beekeepers-perspective-on-ri) contains some important insights relevant to risk governance and risk management. Comment on what in the article resonated most with you from a risk governance or risk management perspective. Share examples from your real life experience.

Summary

Part 4 of the seminar, focusing on risk governance and risk management, now concludes. The governance and management of risk are critical to the long-term success of the organization.

We had several compelling and insightful posts during the two days.

Lourdes: Two real life examples illustrating an assortment of risks

Protus: A set of practical insights, e.g. constitution of risk and oversight committee, cultivating a culture of risk awareness, identification and management, and teamwork in managing and governing risk | Also described at length the risk associated with succession planning in his organization

Autry: Power of reflection

Helena: Necessity of knowledge and expertise on the risk committee to provide risk oversight

Kimberly: Necessity of risk management framework and plan to guide day-to-day operations

Dr. Arghandabi: A real life example in risk mitigation

Karine: A riveting case example of political and socio-cultural risks facing an organization working for realization of the sexual and reproductive rights of women with disabilities, and how they successfully neutralized the risk through thoughtful strategy

Bina: Shared the Global Fund’s risk management policy

Dexter: On risk measurement, risk checklist, and managing reputational risk

Noah: Sociocultural risk involved in working for reducing vulnerability of young people to sexual abuse and its complications such as STDs, unwanted pregnancy, and unsafe abortion

John Nytha: Risk governance journey of his organization

Moses: Do not run away from making decisions because there is risk of failing

Karen, Karine, Kimberly, Bina, Dexter, Autry, Protus, Painda Mohammad, Lakachew, Noah: What we can learn from bees about handling risk

The first day was devoted to the basics of risk governance and risk management. Several new resources relevant to the ongoing discussion were made available during the course of the seminar.

The discussion began with measures that are central to risk oversight and risk management, such as the constitution of a risk and oversight committee, cultivating a culture of risk awareness, identification and management, and teamwork in managing and governing risk. Several significant details came up for discussion. Even if a risk committee is constituted, the full board retains overall responsibility for risk oversight and risk governance. The risk committee should have the necessary skills and support to be effective in fulfilling its responsibility. Members should have the knowledge and expertise to provide effective risk oversight. Different board committees have a definite role in risk governance. Audit committees oversee financial reporting risks. Governance committees oversee governance risks. Strategy and finance committees oversee strategic risks.

Protus shared the difficulties his organization faced when they lost the founder with no succession plan in place. He also shared a slew of measures they put in place over the next 10 years to stabilize the situation. Kimberly brought up the necessity of a risk management framework to guide day-to-day operations. The information technology industry has actively embraced this principle. The framework provides a disciplined and structured process that integrates risk management activities into the system development or program life cycle. At the very least, every organization should create a risk management plan and review it on a regular basis. Five steps in risk management planning were reviewed.

The participants were encouraged to share their learning with colleagues and to spread awareness about risk and its governance and management in their organizations.

The taxonomy of risk was reviewed. Internal risks arising within the organization can be controlled to a large extent, e.g. unethical conduct at various levels within the organization can be minimized through the use and enforcement of the code of conduct and code of ethics. Risk is inherent in the organization's strategy. The organization needs to have a risk management plan to live with the risks associated with its strategy. External risks arise outside of the organization and the organization does not have control over them, e.g. natural disasters and economic shocks. These risks should be carefully identified. Their impact should be mitigated.

For the second day, we had a case study for reading. The participants were urged to comment on what resonated most with them from a risk governance or risk management perspective and why. There was animated discussion on the learnings from the case study. The participants were able to relate the lessons from the case study to what they were seeing in real life. The topics of diversity on the board and in the organization, long-term success and survival of the organization, open communication, distributed decision-making, and, more importantly, the board's role in all this came up for discussion.

These are some of the lessons the participants learned from the case study.

  • Good CEO/ED leadership is essential to every organization and the board needs to manage the risk of losing executive leadership by having a plan. The plan should ensure that new leaders are being cultivated within the organization.
  • The ideas of “calculated risk” and making the “least bad mistake” are fascinating.
  • Assemble multiple viable options, and present them to independent decision-makers for making a decision. Create a friendly “solution” space for open discussion where the pros and cons of each option are discussed and decisions are made in a democratic and transparent manner.
  • Emphasis on prevention as a risk management method
  • As an organization grows, it becomes more difficult to manage especially when too many responsibilities are handled by one person. This can make the organization inefficient. The responsibilities should be shared by a body of individuals.
  • Focus on our areas of strength and resourcefulness and prepare for any unpleasant situation.
  • Establish a system where people have access to information so they can make sound judgement and decisions.
  • We should know how to take responsible risk.
  • Know the risks, and their possible impact. Prioritize them accordingly.
  • Take timely risk mitigation measures.
  • Have candid conversation about all common concerns and aspirations and make collective decisions.
  • Sharing resources, using preventive measures, long term thinking, knowledge management, communication, diversity, quorum and distributed decision making and choosing the mistakes are essentials in risk governance and risk management.
  • Each person in an organization (whether board member, manager or staff) has a role to play in identifying, preventing and managing risks facing the organization.
  • The need for continuous communication and learning cannot be emphasized enough.
  • As leaders, we need to do risk mapping, which can help us identify times when a certain type of risk rises to a peak or falls away. We can then look ahead and plan to intensify preventive / mitigation measures during that particular time.

I thank you for the time you invested in sharing your insights and experiences with fellow learners. Stay with us for one more day for tomorrow is a wrap-up day. All five facilitators will be available to help you synthesize the learning from the seminar.

With best wishes,
Mahesh
On behalf of the facilitation team