Redefining risk assurance for the board
Boards give much away through the quality of their risk discussions, and of course through the information which feeds those discussions.
Risk assurance is about judging the gap which exists between the strategic risks which the organisation actually faces and those which the board believes it faces or feels comfortable acknowledging. This is what I refer to as the organisation’s risk reality.
The prospect of a disconnect centres on one simple question for those around the table - are you seeking reassurance from the information in front of you, or are you seeking revelation?
I first applied this question to qualification courses that I was delivering through the Institute of Leadership, and experience at board has shown how this question can be used to completely reset a discussion. It isn't a question board members are necessarily familiar with and it can offer the opportunity to examine things from a very different perspective.
Annual audit planning within local government: Having 'fraud' detailed on the audit plan provides an opportunity to determine whether controls are in place and operate as intended, and in this particular example it also represented something of a success. However, this was also an opportunity to look beyond the obvious components of policy and training and to seek new insights about behaviours and how leaning from incidents is shared and embedded. I didn't want the board to be taking comfort from the apparent absence of fraud cases - I wanted them to adopt a proactive mindset and healthy skepticism and to embrace the very real possibility of fraud.
Ensuring committee work is proportionate
One of the most valuable lessons that one learns in working across a range of sectors and organisational types is the need for governance arrangements to be proportionate. This is particularly relevant to the scrutiny provided through board committees on the topics of the topics of risk and assurance. I would also say that advising a committee on aspects of proportionality is virtually impossible without detailed knowledge of how such information finds its way to board and what happens to it once there.
Enhancing VFM within a small not-for-profit: Value for Money (VFM) reporting is a mandatory requirement in social housing and local government, and the principles that underpin it are widely adopted across external reporting for many organisations. One of the smaller outfits that I have worked with had provided VFM reporting for several years, and seemingly without it having been subject to explicit challenge at board. Well established, reporting had become a rather routine affair, centred around the restatement of various controls, rules and expectations. In short, VFM reporting had become a statement of intent, and a predictable and static one at that.
The challenge here was to develop the VFM over a period of 12 months, utilising quarterly board updates to build a better understanding of what was achievable - an exercise in testing key aspects of the VFM, including elements such as accessibility and engagement, in addition to delivery costing. The goal was to reposition VFM reporting to become something which described performance using the language of outcomes rather than settings - such as, highlighting user impacts in preference to detailing the arrangements under which the organisation connected with the user.
As an example, the measurement of administration and governance was enhanced through the introduction of behavioural indicators, both internal and externally-facing. These indicators were also explicitly linked to the organisation’s risk reporting, thereby triggering an early warning of where value might come under pressure and which elements of the VFM might need to be refreshed for the board.
Taking a fresh look at new and emerging risk
“In order for a risk to emerge (or indeed re-emerge) something else must have changed”. Taken together with an acceptance that our success rate at predicting events is rather poor, this emphasis on change-related processes provides a very different, and often much more productive platform from which to consider emerging risks.
Many boards remain wedded to predictive risk techniques, believing that this is the basis of strategic foresight. It is only by challenging this approach that the patterns and changes that signal the emergence of new risks are not repeatedly overlooked. Foresight is about uncovering connections by exploring divergent paths and contrasting outcomes; it should not be an exercise in predicting the future by extrapolating the present.
A very traditional approach to risk within a large Financial Services company: Rather than focus here on the organisation or the context within which emerging risk was being considered, the following points summarise the position as a I first experienced it upon entering the organisation, almost all of which centred around a very traditional-looking radar diagram.
-
Arguably better radar diagrams were available elsewhere. It was difficult to determine whether the investment of internal resource in creating a bespoke view was justified.
-
What at first appeared to be dynamic, really wasn’t. Radar diagrams do appear to be dynamic, but given the opportunity to see them over an extended period it was apparent that many not only remained static but also lacked any meaningful update or reassessment.
-
Neither accuracy nor application were measured. It is absolutely vital that firms seek to understand how ‘good’ they are managing risk, and the same is true of new or emerging risk.
-
The connection to corporate strategy was largely absent. Risk only has meaning within the context of what the organisation is seeking to achieve and the conditions within which it is operating.
-
Underlying change forces were not part of the picture. As I have observed on many occasions, the board gives a great deal away through the quality of its risk discussions - by that, I mean about itself and the strategy that it steers.