Risk Management is an integral part of corporate governance.

Sir Michael Quinlan, who was PUS at the MoD:
‘In matters of military contingency, the expected, precisely because it is expected, is not to be expected. Rationale: What we expect, we plan and provide for; what we plan and provide for, we thereby deter; what we deter does not happen. What does happen is what we did not deter, because we did not plan and provide for it, because we did not expect it.’ 


Harold Macmillan put it this way when asked what was most likely to blow his government off course – “Events dear boy, events”.


Every company needs to evaluate risks to deter them, as quoted by Gavin. Beyond evaluating them, there needs to be a plan of action, and monitoring of that plan, to ensure that they are truly deterred.

The biggest issue, as alluded to in the quote above, is the unknown risks. These can only be addressed by “thinking outside the box” and looking at the combined factors of multiple risks occurring simultaneously.

Not everything can be deterred, but the more effort put in, the less likely events will derail the organisation. The unplanned outcome of this success is that, over time, the executives do not see the value in providing budget to ensure that planning is done up front and that risks continue to be deterred: the risk of complacency.

This is an ongoing process.

It requires addressing at the Board level. We believe that Risk, Internal Audit and Compliance should not exist under one Executive Director: how can one person have a valid debate with themselves on interrelated but different matters? To ensure true, valuable discussion on this matter, a genuine debate is required, with challenge delivered by the NEDs and the NEDs more than adequately satisfied by the responses.

In addition, what is also critical is information that is up to date, timely, covers appropriate risks, and is presented with content that drills down to the real facts and is meaningful to the business.

The Board Evaluation is an excellent way to bring the issue of Risk Management to the attention of the Board members and to ensure the correct budget is thereafter provided and the correct actions are put in place and monitored. It is therefore important to have the correct kind of Board Evaluation that will address the risks within your business. The process also needs to be of value every year, not just the first time.

The comments made in this discussion are as a result of experience we have working with Boards. Budget is all too often not provided to those that need it.

Corners therefore need to be cut and problems do develop.

Most risks arise out of non-compliance or non-conformance with laid-down policies and procedures. This is borne out in a survey done by PwC.
