Risk Management: Whose Job is it Anyway?
 
by Mary Lynn McPherson

 
A good friend of mine refers to the power of simple principles when he declares that the job of the board of directors is to direct and protect.   Simple, right?  To remember - yes.  To do - no.   These two small words represent huge responsibility.  If trying to look around the corner, anticipate the future and set the direction or strategic plan for the organization weren’t enough, directors are also charged with protecting the interests of the owners or purpose-centred members of the community or group they are serving.    A big part of the protecting function is to ensure risks to the organization are both identified and appropriately managed. 

 

I can sympathize with Chief Staff Officers (CSOs) who already have enough on their plates without taking on a comprehensive risk analysis.  Yes, I know how many risks there are out there. 

 

The risks are innumerable, but here is a list to help you, er, the board - actually, both you and the board - avoid missing some of the most common ones. 

 

Let’s start by taking a look at the shared responsibility for risk management.  What is a logical and practical division of duties when it comes to this big task?  We’ll begin with a look at the risk management process. 

 

 

As with strategic planning, we see significant merit in board and senior staff members working together in the first round of risk identification.  When working with groups to assist with this process, we ask:  “If you were the sole proprietor of this organization, what would you classify as the top five risks that should be managed?” 

 

Having board members involved in risk identification brings to the task the diversity of experiences and perspectives that is a key ‘raison d’être’ for a board in the first place.  Perhaps Joe has had first-hand experience with a union negotiation gone bad; he knows the potential cost and disruption that poor employee relations can have on an organization.  In discussions, you find out that Marion was on the pandemic planning committee at the hospital she works for.  She shares the perspective that the question isn’t whether a pandemic will occur -- the question is when it will occur. 

 

After jointly identifying the most common risk areas, agree on a common definition for understanding risk within your organization.  What constitutes a high risk both financially and qualitatively?  This sample in FERMA’s Risk Management Standard provides a starting point to define the risk ranges.

 

Impact of Consequence

Define for your organization.  Below are samples only.

High
- Financial impact on the organization is likely to exceed $x
- Significant impact on the organization’s strategy or operational activities
- Significant stakeholder concern

Medium
- Financial impact on the organization is likely to be between $y and $x
- Moderate impact on the organization’s strategy or operational activities
- Moderate stakeholder concern

Low
- Financial impact on the organization is likely to be less than $y
- Low impact on the organization’s strategy or operational activities
- Minor stakeholder concern

 

As well, the board and senior staff group should also agree on the probability definitions.  Here’s another FERMA sample; naturally, it can be amended to fit your organization if you think it appropriate to do so. 

 

Risk Estimation

Degree of Threat, followed by its Indicators of Risk

High (Probable)
- Likely to occur each year, or more than 25% chance of occurrence
- Potential of it occurring several times within a 10 year time period.
- Has occurred recently.

Medium (Possible)
- Likely to occur in a ten year time period, or less than a 25% chance of occurrence.
- Could occur more than once in 10 years.
- Could be difficult to control due to some external influences.
- There is a history of occurrence.

Low (Remote)
- Not likely to occur in a ten year period, or less than 2% chance of occurrence.
- Has not occurred.
- Unlikely to occur.

 

Once these definitions are agreed to by the board and senior staff, plot the identified risks on a graph of impact and likelihood.  This exercise is helpful in prioritizing which risks to tackle first in the risk assessment process. 

 

What additional input will board members have into risk management?

 

At a minimum, the board should annually identify top risks and monitor management’s process for managing them.  In addition, directors should have their risk awareness antennae up at all times.  What impact do board decisions have on risk?  What new risks are emerging in the environment (for example, after 9/11, data security took on a whole new meaning)?  What constitutes an acceptable or unacceptable risk?

 

Some boards are keen to engage beyond risk identification and participate in the first round of risk analysis.  Here are a couple of samples of what is involved in risk analysis.

 
 
What is the CSO’s job in managing risk?

 

Whether or not the board has undertaken a methodical risk assessment as illustrated above, you’ll want to take prudent steps to manage risks.  You’re responsible for putting internal controls in place which limit the risk of fraud and negative outcomes from other significant hazards.  Depending on the size of your organization, you may decide to assign operational responsibility to a Chief Risk Officer. 

 

Summary

 

Whose job is risk management?  Although all people in the organization have a part to play, the board and senior staff members must take the initiative to start the process and to be role models in making risk management an ongoing priority.  You could say that each board and staff member has a part to play.  Establishing a culture which emphasizes that each carries some responsibility will pay dividends in reducing the overall risk to the organization.   

 

Sound overwhelming?  Take courage.  Facing the risk is a whole lot better than sticking our heads in the sand.  Ernst & Young’s 2004 European Survey of Risk Management Practices revealed “the emergence of some pleasant side benefits to risk assessment and protection of the value of the organization and its reputation; the additional benefits were optimization of operational efficiency and improvement of decision making processes.” 

 

 

 

Copyright 2008 Canadian Society of Association Executives
 
© 2006 Canadian Society of Association Executives