[400 words, edited, originally published 2018-11-24]
What is the role of the Board of Directors with regard to Enterprise Risk Management? I addressed the Board members of Island Health, our local health authority, in the fall of 2018 to answer this question.
The Board had already been given advice by the Healthcare Insurance Reciprocal of Canada. HIROC characterizes health authorities as “high reliability” organizations, meaning that any particular local failure can have larger catastrophic effects. I offered specific advice regarding the Board’s oversight role.
We know that the Board in any organization is not usually involved in risk identification exercises. That said, I see from workshop students’ responses in recent years that sometimes the Board will participate in a risk ID session applied to the strategic plan. I would definitely recommend that.
If the Board confines itself to oversight of ERM, I suggest the following Board duties:
1. Review the rigour, quality and efficacy of the enterprise risk management regime itself.
This means questioning how risk is conceptualized, how risk assessments are carried out, and whether the methods rise above a merely ad hoc or informal approach.
2. Review the results of the risk assessment process, as applied to strategic and operational plans.
What risks were identified? What mitigation actions were created? What were the outcomes? What risks materialized that we failed to identify? Finally, what conclusions can we draw to improve the risk process?
3. Ask critical questions regarding any element of the risk management practice, and make suggestions to advise and guide the executive.
A Board member may not be an expert in risk methods, but will have awesome depth of experience elsewhere, and will have eyes on the horizon in the broader strategic landscape. Each Board member formulates questions and criticism by drawing upon his or her unique individual background and expertise.
This allows for a multi-faceted and probing review, resulting in clarification of the organization’s strategic direction, goals, values (especially how they are enacted) — and risk profile.
Now, a Board member may be fully independent, or may legitimately have only a relative degree of independence. By contrast, we would expect the audit function to maintain impartiality in its review of the risk management process by not participating in that process itself.
Eventually, the risk culture should mature so that a common understanding is developed among management, staff, and the board itself of how corporate values and risk ownership are understood and put into operation.