Beyond the Dashboard: A Practical Risk Governance Strategy for Leaders

In the realm of modern business, navigating risk isn’t just about survival – it’s about thriving amidst turbulence. Today, leaders face a convergence of external forces: economic uncertainties, technological revolutions, regulatory landscapes in flux, and evolving consumer sentiments. Against this backdrop, the imperative for robust risk governance has never been more pronounced.

However, despite this heightened awareness, many organisations find themselves mired in antiquated risk management practices, relying on disconnected spreadsheets that fail to integrate with strategic priorities or inform pivotal decisions. It’s a precarious imbalance – a world fraught with risk, yet bereft of effective risk governance frameworks.

In understanding the essence of risk management, it’s imperative to recognise its pervasive reach throughout every facet of an organisation. From strategic planning and financial operations, to commercial endeavours, operations, people, systems, procedures, projects, change, transactions, safety, regulations, legal, suppliers, eco-system, reputation, and the micro and macro spectrum of short, medium, and long-term objectives – risk management permeates them all. When executed with precision, managing risks transcends mere precautionary and reactive measures; it becomes synonymous with managing the very essence of the business itself.

Crafting a strategy for effective risk management isn’t just about ticking boxes; it’s about cultivating the right culture, establishing robust processes, and implementing sound governance structures. Here at GOAT, we go beyond textbook theories and consultant jargon. We immerse ourselves in the intricacies of risk management best practices, distilling them into actionable concepts tailored for real-world application. Our approach isn’t just about theoretical frameworks; it’s about delivering tangible results that drive transformative outcomes for your organisation.

In our discussions about risk management, we frequently underscore the significance of culture – an element often deemed the most challenging aspect alongside various facets of the risk process. In this article, we aim to delve deeper into Risk Governance, a topic closely intertwined with culture due to its profound impact on people, attitudes, and behaviours.

According to the Chartered Governance Institute UK and Ireland, Corporate Governance encompasses the system of rules, practices, and processes governing how a company is directed and controlled, including the allocation of power, accountability, and decision-making authority. In simplified terms, Risk Governance revolves around delineating roles and responsibilities pertaining to risk management.

Many organisations place significant emphasis on defining roles within the Board (with overarching accountability), Audit and/or Risk Committees (providing oversight), and Executives (responsible for owning and managing key risks). These explanations, while accurate, offer limited insight into how to effectively operationalise risk governance. In practice, much of the risk management process occurs well before it reaches the Board, Committee, or Executive levels. Moreover, these descriptions often focus predominantly on top-level risks, which are frequently overly aggregated into broad themes.

In the following section, we’ll introduce a few simple techniques aimed at operationalising risk governance. Additionally, we will highlight common pitfalls that can inadvertently reduce risk governance to a mere exercise in reporting.

Organise risks around your organisational structure

To truly embed risk management throughout an organisation, it’s essential to move beyond vague statements about its importance, and instead outline clear responsibilities and processes for team members at every level. While many risk management policies focus on how top-level decision-makers handle the organisation’s most significant risks, this approach often neglects the multitude of risks faced at lower levels.

In reality, most businesses confront a myriad of risks, potentially numbering in the hundreds. However, attempting to discuss or report on all these risks in a single forum would be impractical. Instead, we advocate for a decentralised approach that distributes accountability and cascades risks throughout the organisation.

One effective method for organising these numerous risks is to establish risk registers for each department, overseen by a senior Executive or Head. Within these registers, risks should be assigned to team members closest to their management and mitigation. The Head of Department assumes ultimate ownership of all risks within their purview, providing leadership oversight and guidance to the team members who are the risk owners.

By adopting this approach, each department’s risk register can address the most pertinent risks specific to its operations, with ownership clearly assigned to the individuals responsible for managing and updating them. Additionally, team members should be encouraged to raise issues or concerns, and identify cross-team or cross-departmental dependencies, fostering collaboration and transparency.

This decentralised model can be further cascaded throughout all levels of management, ensuring that the risk management process touches upon a broader array of stakeholders. Over time, this approach can become ingrained in the organisation’s culture, serving as a powerful differentiator, and enhancing overall effectiveness in managing risk.

When one person, such as the Head of a Department or a centralised Risk Process Owner, is solely responsible for providing updates on all risks within their area or across the entire business, the value derived from such reports is limited. In both scenarios, the potential for valuable insights and meaningful risk management diminishes, and the risk management process can indeed devolve into a mere reporting exercise.

Here’s why:

  • Lack of Diverse Perspectives: Relying on a single individual to provide updates on all risks limits the diversity of perspectives and insights. Different team members may possess unique insights into specific risks within their domain, and consolidating all reporting to one person can result in overlooking critical nuances and blind spots.
  • Limited Contextual Understanding: A single person may not possess the depth of understanding required to effectively assess and mitigate all risks across a complex organisation. Without input from various stakeholders who are closer to the day-to-day operations, the reported risks may lack the necessary context for informed decision-making.
  • Incomplete Risk Picture: Risk management is inherently multifaceted, with risks spanning across departments, functions, and interdependencies. Relying on a single individual to provide updates may lead to overlooking interconnected risks that cut across different areas of the business, resulting in an incomplete risk picture.
  • Reduced Ownership and Accountability: When one person is responsible for providing updates on all risks, it can diminish the sense of ownership and accountability among other team members. Individuals may become less engaged in the risk management process, viewing it as someone else’s responsibility rather than a collective effort.

With each department actively owning, managing, and overseeing their respective risks, there’s also an opportunity for them to raise or escalate risks to the appropriate level. The Executive, Audit and/or Risk Committee, and department leaders should focus solely on the top risks, often termed Principal Risks. However, before delving into these, Executive members or department leaders should ensure that risks within their areas have been thoroughly reviewed, providing a chance for any issues to be raised or escalated internally.

The Executive will then discuss any escalated risks and determine whether they should be included in the top-level risk list presented to the Board. This process assures senior Executives and Non-Executive Directors that any bottom-up risks originating within the business will be identified and discussed at the appropriate levels and raised to them when necessary.

Additionally, Board members and Executive leaders still play a crucial role in identifying emerging, strategic, or top-down risks, typically driven by external factors. Horizon scanning, risk identification, and management therefore occur at all levels of the organisation.

Expanding on this concept of distributing risks to those closest to risk management, individual risks may have different owners, control owners, action owners, and other components, which can be further distributed to individuals closest to managing them. A single risk update can incorporate viewpoints from multiple contributors. This approach ensures that risk management becomes fully embedded, aligning with the idea that risk management is everyone’s responsibility.

By involving team members at all levels, an organisation gains the benefit of participation from those closest to managing the risks, controls, and actions. Risk reviews for department heads evolve into valuable discussions with team members, rather than mere reporting tasks for the Board. Team members are entrusted with greater responsibility, feel valued, and have more opportunities for personal development. Moreover, the risk process becomes a vital platform for team communication, action tracking, planning, raising concerns, problem-solving, and performance management.

Making Risk Management everyone’s business: Operationalising with the right tools

We’ve emphasised that risk management and governance extend beyond the realms of Executives, Committees, and Boards; they must permeate throughout the organisation, involving team members at every level. This distributed approach illustrates how a robust risk management process can evolve into a comprehensive planning, performance, and communication platform, becoming the focal point of every team meeting.

However, relying on a single individual to provide updates on all risks, whether at departmental or organisational levels, yields limited value and can gradually reduce risk management to a mere reporting exercise. To counteract this, it’s imperative to embrace a transformative vision that empowers every team member to actively engage in risk management.

Operationalising this vision requires recognising that traditional tools like Excel-based risk registers are no longer adequate. Instead, organisations need modern technology solutions like GOAT Risk™ – a platform that elegantly facilitates the easy distribution of accountability, fosters collaboration, tracks actions, and streamlines reporting.

GOAT Risk™ isn’t just another risk software product – it’s a cost-effective solution specifically designed to empower non-risk experts to understand and manage risks effectively. Packed with educational features and offering a user-friendly and collaborative interface, it makes risk management engaging and accessible for all.
