Large listed and private companies focus on risk through a risk management committee of the board of directors. SME boards without a risk management committee should consider having clearly defined board processes in place which raise the issues that would otherwise be considered by a risk management committee.
In the end, effective board level risk oversight begins with a clear understanding of the risk appetite.
Which types of risk should be considered?
The types of risk that have to be considered, and which are often hard to predict, will vary enormously by business or industry. The following list is a useful example of risk categories to consider.
- Financial – includes for example cash flow, budgetary requirements, tax obligations, creditor and debtor management.
- Equipment – extends to equipment used to conduct the business and includes everyday use, maintenance, depreciation, theft, safety and upgrades.
- Organisation – relates to the internal requirements of a business (cultural, structural and human resources).
- Security – includes for example the business premises, assets and people. Also extends to security of company information, intellectual property, and technology.
- Legal and regulatory compliance – includes for example legislation, regulations, standards, codes of practice and contractual requirements.
- Reputation – threat to the reputation of the business due to the conduct of the entity as a whole, the viability of products/services, or the conduct of employees or others associated with the business.
- Operations – covers for example planning, operations, resources (including people) and support required internal to the business resulting in the successful development and delivery of products/services.
- Contracts – meeting the obligations required under a commercial contract, including delivery, product/service quality, guarantees/warranties, insurance, other statutory requirements and the consequences of non-performance.
- Service delivery – delivery of services, including the quality of service provided or the manner in which a product is delivered. Includes customer interaction and after-sales service.
- Commercial – includes risks associated with market placement, business growth, product development, diversification and commercial success. Also extends to the commercial viability of products/services, from establishment through retention and growth of a customer base to return.
- Project – includes the management of equipment, finances, resources, technology, time frames and people involved in the management of projects. Extends to internal operational projects, business development and external projects such as those undertaken for clients.
- Workplace safety – every business has a duty of care underpinned by legislation. This means that all reasonable steps must be taken to protect the health and safety of everyone at the workplace. Workplace health and safety is integrated with the overall risk management strategy to ensure that risks and hazards are always identified and reported. Measures must also be taken to reduce exposure to the risks as far as possible. (New health and safety legislation in New Zealand has been in effect since April 4.)
- Stakeholder management – includes identifying, establishing and maintaining the right relationships with both internal and external stakeholders.
- Client/customer relationship – potential loss of clients due to internal and external factors.
- Strategic – includes the planning, scoping, resourcing and growth of the business.
- Technology – includes the implementation, management, maintenance and upgrades associated with technology. Extends to recognising critical IT infrastructure and loss of a particular service/function for an extended period of time. It further takes into account the need and cost benefit associated with technology as part of a business development strategy.
How do boards deal with risk?
Determining the most appropriate method to deal with the risks facing an organisation will depend on the nature of those risks. In general terms, an organisation will have a choice between:
- avoiding the risk by discontinuing the activity that generates it
- preventative controls that reduce the likelihood of the risk occurring (for example, only allowing new business initiatives to proceed if they have been assessed and approved from a business risk perspective)
- corrective controls that reduce the consequences of the risk if it occurs (for example, contingency planning, backup systems, business continuity plans)
- transferring the risk to another party (for example, by contract, insurance, outsourcing, joint ventures or partnerships)
- accepting the risk and having plans in place in case the risk eventuates
All organisations must take risks to create value; put another way, risk can create opportunities. The question to ask yourself as a director is: how much risk, and what types of risk, should we take?
Henri Eliot is CEO of Board Dynamics.