Directors care about risk because if things go wrong, the consequences can be dramatic and long-lasting. Just think about the impact of the Australian census website crashing on census night, and the fallout from VW’s emission failure.
All organisations share some risks in common, such as people, safety, financial, and reputation, but some risks, such as cyber risk, are more industry-specific. A very broad definition is that risk is the ‘effect of uncertainty on objectives’.
As Philip E.J. Green says in Enterprise Risk Management: A Common Framework for the Entire Organization (Elsevier Inc., 2016): ‘The word contains two key ideas: uncertainty and outcomes. In common usage, people associate risk with negative outcomes more than with positive ones, but usually both are present. The idea of outcomes can be broadened to think of goals or objectives. A jaywalker may have two objectives: to save time instead of waiting for a green traffic light, and to cross the street without being hit by a car. There is uncertainty about whether he can jaywalk and meet those objectives. The first objective relates to a positive outcome (saved time), the second to a negative outcome (injury).’
Risk has become a highly specialised field and has developed its own jargon, with terms such as risk appetite, risk tolerance and risk matrices. (A brief glossary is at the end.)
Provide commentary on risk
When writers are writing about risk within a board paper, they will often consult with risk experts, who help them develop complex heat maps or matrices. What they sometimes forget is that they are writing to a diverse board who are not all risk experts.
Nor will everyone relate to information presented visually. Writers need to be able to write about risk concisely in plain language. They don’t need to repeat all the information in the visual in words, but they do need to provide some high-level commentary. What is this risk, why does it matter and what are we doing about it?
Risks must be openly and honestly dealt with
It sounds obvious to say that risks must be honestly and transparently dealt with, but too often that is not the case. Some risk statements I’ve read in board papers sound more like marketing statements, or are so vague they are useless.
Risks must be addressed in the summary
If a risk is a serious concern it must be flagged in the summary. Not much detail needs to be provided there, but it ensures that directors will read the paper thinking about that particular risk and how it will be monitored and managed.
Risks must be integrated within the paper
Many templates have a separate ‘risk’ heading to make writers focus on risk. However, this heading can be problematic if writers take a ‘silo’ approach to risk and don’t integrate the discussion of risks into their reasoning for the proposal.
One way of dealing with this is to use cross-referencing, or alternatively to use this section to demonstrate how the risks relate to the organisation’s risk framework.
Risk matrices must be commented on
We all know that some people like the visuals, and other people prefer words. I am a words person and don’t find risk matrices easy to read even when they use colours to alert me to the magnitude of certain risks.
In a board paper, I expect a writer to pick out one or two key risks, explain why they matter, and how they will be dealt with. I sometimes fear that the large amount of information provided in a matrix camouflages important concerns.
Let common sense rule
Writing about risk is complex, but sometimes I think writers overcomplicate matters and forget that common sense and basic questions are often the best place to start.
There’s nothing wrong with the ‘What if’ question as a starting point.
Common terms used about risk
Like all specialties, risk has a language of its own. Some of the terms you will hear frequently are:
- Risk appetite (also called ‘risk attitude’): the amount and type of risk that an organisation is prepared to take in order to meet its strategic objectives.
- Risk management framework: set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management.
- Risk management policy: outlines an organisation’s commitment to risk management and clarifies its general direction or intention.
- Risk matrix: table used in risk analysis to show the likelihood and impact of risks. (View an example here.)