RISK-ACADEMY



Include risk items on Board’s agenda

May 25, 2018

This next step is very important for reinforcing a strong risk culture within the organisation. ISO 31000:2018 states “Oversight bodies are often expected or required to:


— ensure that risks are adequately considered when setting the organization’s objectives;


— understand the principal risks facing the organization in pursuit of its objectives;


— ensure that systems to manage such risks are implemented and operating effectively;


— ensure that such risks are appropriate in the context of the organization’s objectives;


— ensure that information about such risks and their management is properly communicated.”


There are various ways of including risk discussion on the Board’s agenda; however, we believe that it is more effective to spend fifteen minutes on risk matters during every significant decision than an hour once a quarter or a day once a year.


It is recommended to discuss risks associated with each decision instead of having risk management as a separate agenda item. After all, items on the Board’s agenda are risk items.


For example, the Board may want to discuss risks associated with the quarterly budget when discussing the actual budget, or discuss project risks when approving project financing, as opposed to discussing the top ten corporate risks at the end of the meeting when all decisions have already been made.  


The risk manager should, along with the Board secretary, make the necessary amendments to the presentation templates to include a section on risks for every significant decision. The risk manager, in conjunction with internal audit, should also ensure that the risk information provided to the Board by management is complete, accurate and consistent. To improve the quality of such information, risk managers may wish to consider staff training or personally quality-check the information before it goes to the Board.


Some Boards may create a separate Risk Committee or expand the scope of the Audit Committee to review matters related to risks. Our experience, when talking to different risk managers during the interviews, shows that this may be more fashionable than practical, since most decisions are taken long before the information is formally presented to the Board of Directors. Several people interviewed mentioned that it makes more practical sense to have a management-level risk committee instead.


 


Nevertheless, the Board-level risk committee can play an important oversight role and have a very positive impact on the overall risk culture within the organisation. Sometimes this is called “security theatre”.