Risk management is critical to business success and a key responsibility of all boards. At a governance level risk management sits alongside strategy, and boards are responsible for ensuring the organisation has an effective risk management programme.

In this section:

  • Risk oversight and strategy
  • Technology governance
  • Health and safety
  • Preparing for the unexpected

Risk oversight and strategy

Boards largely concern themselves with strategic risk, i.e. those risks that will affect the achievement of organisational objectives. Board oversight of risk management should also include ensuring that there is an effective risk management programme in place to identify, assess, manage/mitigate, monitor, review and report on all organisational risks, including financial risks, IT risks, people risks, operational risks, physical hazards and environmental risks – in fact all risks that affect an organisation’s ability to function.

The International Standard ISO 31000, Risk management: Principles and Guidelines (available from Standards New Zealand), provides principles and generic guidelines on risk management. The standard can be applied to a wide range of organisations and activities, including strategic planning and decision-making, operations, processes, functions, projects, products, services and assets.

The IoD, in partnership with Marsh, released its third Directors’ Risk Survey Report 2016 in February 2017. The survey received 415 responses from directors across New Zealand on a wide range of risk issues, from directors’ liability through to their boards’ involvement in risk.

The “What Directors Think 2015” Survey from NYSE highlights the challenge for directors in understanding multiple forms of risk. There is a particular focus in this report on cyber-risk – 23% of respondents were not confident their boards were adequately covering cyber-risk and only 15% were confident.

Nouriel Roubini, the New York University economist who foresaw the housing bubble that triggered the financial crisis, has published a report highlighting what he sees as five key economic dangers for 2015 and beyond.

The Deloitte report Risk Intelligent Governance: A Practical Guide for Boards is a useful, director-specific guide, written from the perspective that risk governance and value creation are inseparable.

Deloitte produced a paper in the same series entitled “Risk Intelligent Governance: Lessons from State-of-the-Art Board Practices”, along with a broader range of Risk Intelligence white papers that are worth being aware of.

Also available online is Deloitte’s Risk Committee Resource Guide, an excellent tool that details board responsibilities and provides simple guidance for risk committees.

The Institute of Risk Management is the UK’s leading professional body for risk management and has excellent resources on its website.

RiskNZ (formerly The New Zealand Society for Risk Management) is a membership organisation formed in 2000 to foster understanding and enhance risk management skills across industry, government and academia. Its website has risk management information, including events and networks.

Technology governance

Information technology (IT) is critically important for most organisations, including as an enabler of communications, business efficiency and information storage. Governing technology investment, risks and opportunities is an increasingly important part of a board’s digital leadership role. The board’s fiduciary duty of care to protect the company’s assets includes protecting information and other digital assets.

We have compiled a comprehensive range of technology related governance resources here.

Health and safety

Health and safety should be part of everyday business; it simply makes good business sense. Directors need to be proactive, to understand health and safety culture and risks, be informed and ensure the company meets its obligations. It’s important to really get to know the business and understand where the risks are.

As above, we have compiled a comprehensive range of health and safety related governance resources here.

Preparing for the unexpected

Having a plan in place to respond to unexpected events is a critical part of doing business. Boards are responsible for ensuring management has developed and implemented appropriate crisis management plans, and for monitoring such plans over time.

Questions for boards

  • Does the organisation have a crisis management plan?
  • Does this include a robust communications plan with staff and key stakeholders?
  • Does this ensure access to critical resources (operational, financial, human and technological resources)?
  • Does this deal with the organisation’s key risks and vulnerabilities?
  • Does this address health and safety, e.g. of staff working remotely?
  • What are the roles and responsibilities of the board/directors in crises?
  • Is the board/executive team ready/capable to deal with a crisis?
  • Is an independent review of the crisis plan needed?

The following resources for boards and SMEs will assist you in crisis readiness discussions.

A Crisis of Confidence - Deloitte
Sets out the board’s role in crisis management and provides practical tips for boards during and after a crisis (see pp 13-15). Read article

The Board's role in Crisis Management - Osler
Discusses the role of the board in crisis preparation, crisis management plans and key challenges in dealing with a crisis. Read article

Striving Through - Resilient Organisations
Lists tips, tactics and plans for managing through a crisis. Read article

Shut Happens - Resilient Organisations
Has simple steps organisations can take to deal with disruption and adversity. Read article

It's easy - get prepared for an emergency - Civil Defence
Designed for businesses and community organisations. Read article