Building a mature approach to risk governance

You have probably read about the importance of the Board’s role when it comes to providing oversight of risk management in an organisation. But how do you do this practically? What sorts of activities are common to organisations that have a mature approach to risk governance?

Boards play a key role in overseeing the culture, governance and risk management framework. Different organisations bring varying degrees of sophistication and rigour to the practice of risk management.

Depending on the sector your not-for-profit operates within, there are differing and frequently changing compliance standards to meet. New Aged Care Quality Standards came into place last year which address governance and risk management systems.

With the ongoing evolution of the disability sector, there have been increasing compliance requirements for risk management, such as the risk management section within the NDIS Practice Standards, which is administered by the NDIS Quality and Safeguards Commission. With the Disability Royal Commission underway and investigations into several tragic and neglected deaths, it is likely we will see further changes to systems and governance within the NDIS.

Risk intelligent organisations are rarely surprised by the outcomes of processes like this since they have often addressed any shortcomings of compliance/regulation within their own risk management processes.

Risk governance maturity is different to risk management maturity, which we wrote about last month in this article.

Deloitte consultants in the UK have written a number of publications on risk intelligent businesses, and we have used their insights in compiling this article.

Deloitte identified six actions that boards can take to enable a risk intelligent approach to governance. Drawing on our experience, we look at practical ways these actions can be applied to not-for-profit and disability-focused organisations.

The six distinct actions are:

  1. Define the board’s risk oversight role

In my experience with not-for-profit Boards, I have seen the Board’s role on risk oversight articulated and defined in documents such as the Board charter, Board committee terms of reference, governance policies and Director position descriptions. If you don’t have documents like this, then you should consider putting them in place, or reviewing and updating them if you haven’t done so for a few years.

  2. Foster a risk intelligent culture

The risk culture needs to flow from your values, and also relates to your code of conduct. Your culture is set by the tone of leadership. Board members and executives should think about how the questions they ask focus on risk: not just from the perspective of avoiding it, but from that of understanding how to effectively manage the risks inherent in providing your core services.

For example, many disability providers need to provide unsupervised services within the NDIS participant’s home. This introduces risks such as the safety of care workers and the potential for a worker to be involved in theft or other forms of abuse of a vulnerable client. It is not possible to avoid this risk and still deliver the service, so providers need to be selective about whom they recruit, how they supervise staff, and what other checks and balances they put in place.

Being risk intelligent involves taking on the risks that you know best how to manage, not just avoiding risk.

  3. Understand and approve an appropriate risk appetite

It is becoming increasingly common for Boards and CEOs to define a risk appetite statement that sets out the tolerances for different categories of risk, e.g. financial, safety, environment, customer satisfaction and public reputation.

As part of the risk appetite, you should define the risks that you want to take and those you want to avoid.

For example, organisations with low financial reserves will have little room for error on missed financial goals. While no one wants to lose money, organisations with larger reserves have the ability to fund projects, such as launching a new office or a new product or service under the NDIS, that can take some time to grow, achieve a surplus and provide financial returns.

  4. Help management incorporate strategic risk thinking into strategy

One way to consider risks in the strategic planning process is to look at the strategic plan from the perspective of multiple scenarios and different perspectives on the future. You may like to read about this idea further in the article Your post COVID-19 Strategic Plan.

One of the most practical ways I have seen risk being addressed in the strategic plan is to specifically have a section in the plan for risk which identifies the main risks to achieving the plan, and the mitigation strategies to put in place.

To go a step further, risk mature organisations will also address risks and opportunities within the budget build-up. A budget always has inherent assumptions, and sometimes they turn out to be conservative while other times they are underestimated. For example, a medium-sized disability provider might target a budgeted surplus of $100k, but have identified 4-5 risks (potential negative impact) and 4-5 opportunities (potential positive impact) that might be realised in the year and could result in the actual result being better or worse. This provides a sensitivity analysis of how ambitious or ‘risky’ the budget is.

  5. Assess the “maturity” of the risk governance process

Boards can benefit from completing a self-assessment to compare their practices to best practice standards. Different sectors will often have relevant standards to measure against.

For example, for disability service providers the relevant standard is the NDIS Practice Standards, so a self-assessment should include reviewing compliance against the NDIS Practice Standards for Risk Management. A practical application of this is for Boards to have visibility of complaints and incident reporting and their follow-up.

  6. Make sure the organisation discloses the risk story to stakeholders

The Deloitte framework applies to publicly listed companies, which have requirements relating to disclosure to shareholders and the stock exchange. When applied to the NFP and disability sector, it is important to provide disclosures to the ACNC, the NDIA, external auditors and your members via an AGM. It would also be appropriate to consider risk as it relates to your customers, and any risk that needs to be communicated to them.

We trust this article has provided some insights to consider in reflecting on your own board’s risk governance processes.

CBB has a number of consultants with experience in risk management and governance. If this article has identified something that you would like assistance with for your organisation, then please contact one of our consultants for an initial obligation free consultation on 1300 763 505.


Andrew Ellis
Business Consultant
Email: aellis@cbb.com.au
Phone: 1300 763 505


Deloitte, Risk Intelligent governance: Lessons from state-of-the-art board practices, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-intelligent-governance_102214.pdf