The Role of The Board in Risk Management - The Case of The Public Sector - Gary Martin and Colette Kane, FCA


Thu, Feb 28, 2013

Introduction
Since the onset of the credit crunch of 2007, and the ensuing global financial crisis of 2008,
few topics have been debated as extensively in corporate governance circles as risk
management. As IFAC[1] has pointed out, financial crises of recent years have been
important in a number of ways, in relation to lessons learnt: firstly, they highlighted that in
some organisations, in particular some financial institutions, risk management and internal
control practices were flawed or ineffective; and secondly, the crises highlighted, more
broadly, that many organisations were overly focused on financial reporting controls before
the crises. This report further argues that, as a result, not enough time was devoted to the
areas where risks often materialise other than financial reporting, namely operations and
external circumstances. It is therefore not surprising to see that many of the reports
examining the events of 2007 and 2008 have noted the misdiagnosis, misjudgement or
mismanagement of risk, within corporate governance arrangements, as being central to the
seismic events that shook the corporate world then, and are continuing to impact us now.
The Financial Reporting Council, in 2011, drew attention to the key role played by arguably
the most significant actor in corporate governance, the board, in the risk process[2]. As the
International Corporate Governance Network's (ICGN) Corporate Governance Risk
Oversight Guidelines[3] note, the risk oversight process begins with the board, it being tasked
with the oversight of management's implementation of strategic and operational risk
management.
The central role the board plays in this process was underscored in one of the key
observations from the FRC's 2011 report, when it was noted that the different elements of the
board's responsibilities for risk included: determining the company's approach to risk; setting
its culture; risk identification; monitoring exposure to risk and key risks; oversight of
management's mitigation processes and controls; and ensuring the company has effective
crisis management systems.
This article aims to develop these issues further, particularly with reference to boards in the
public sector.

Risk management and the public sector

HM Treasury[4] has developed an instructive top-level framework for risk management in
the public sector, adapted from the EFQM Excellence Model. In doing so, it has simplified
the model so as to target its use in a flexible way, thereby enabling the monitoring and
evaluation of performance to be carried out in a systematic and structured way. Noting the
usefulness of this model in allowing the identification, at a high level, of areas of good or
poor performance, and in the establishment of priorities for improvement action, HM
Treasury poses seven questions to be answered with regard to risk management in
departments, these being:
Capabilities
1. Leadership: do senior managers and Ministers support and promote risk management?
2. Are people equipped and supported to manage risk well?
3. Is there a clear risk strategy and are there clear risk policies?
4. Are there effective arrangements for managing risks with partners?
5. Do the organisation's processes incorporate effective risk management?
Risk handling
6. Are risks handled well?
Outcomes
7. Does risk management contribute to achieving outcomes?
Examining how risk management processes are built around these broad principles is the
focus of the next section of the article.

How boards can play a key role in risk management in the public sector
In recent years there has been much focus on establishing risk management processes within
the public sector. Some examples of how Northern Ireland public sector bodies have
implemented risk management processes are included within the Northern Ireland Audit
Office (NIAO) Good Practice in Risk Management[5] publication. However, there has also
been an element of confusion as to the role boards should have in respect of risk management
processes, and this article aims to point up a number of areas where boards can make a
significant contribution and fulfil key parts of their responsibilities.
What is the role of the board in respect of risk management?
Essentially, as with all other functions, the board's role in respect of risk management should
be strategically focused. The NIAO publication noted above indicates that the board's role
and responsibilities translate as set out in the following table:

Risk management in practice - the role of the board
The board:
- establishes and oversees risk management procedures;
- endorses the risk management strategy/policies;
- ensures appropriate monitoring and management of significant risks by management;
- challenges risk management to ensure that all key risks have been identified; and
- is aware of any instances where risks are realised.

Undoubtedly there are many ways in which the board will aim to fulfil its role and responsibilities in
respect of risk management. Risk will inevitably feature throughout board discussions, and the
involvement of the board in risk management will not just be assigned to one agenda item.
However, much of risk management is about ensuring people are doing the right things to
minimise risk exposure to the organisation, and then it becomes a question of trust.
This is not just a challenge for boards which have perhaps monthly interaction with the
organisation, but can also be just as much of a challenge for senior managers and executive
directors of complex and large organisations. This article now develops two concepts
that allow boards and senior management to gain a greater insight into how the organisation
and its people incorporate risk management processes into their day-to-day operations and, in
particular, their decision making: establishing risk appetite; and assurance frameworks.
Establishing risk appetite
In a public sector context, risk appetite has been identified as the overall amount of risk
judged to be appropriate for an organisation to tolerate, agreed at board level[6]. Again, the
centrality of the board is reinforced in this definition. Risk appetite is thus central to the risk
management system, this being designed to help manage risk within the risk appetite of the
entity, thereby providing reasonable assurance that the entity will achieve its objectives[7].
The risk appetite of an entity must, however, be viewed in the broader context of other key
risk concepts, these being articulated as[8]:

Risk universe: the full range of risks which could impact, positively or negatively,
on the ability of the organisation to achieve its long term objectives;
Risk tolerance: the boundaries of risk taking outside of which the organisation is not
prepared to venture in the pursuit of long term objectives; and
Risk appetite: the amount of risk an organisation is willing to seek or accept in the
pursuit of its long term objectives.

In considering the latter issue, risk appetite, in a public sector context, HM Treasury[9] notes
in particular that the board will have an appetite for some types of risk and an aversion to
others. This report goes on to point out, however, that decisions depend on: context; the
nature of potential losses or gains; and the extent to which information is complete, reliable
and relevant. This contextual emphasis of risk appetite forms the basis of the next section of
the article, i.e. how risks are assessed through assurance frameworks.
Assurance Frameworks

When organisations are considering possible risks, it is inevitable that this discussion will
examine the existing, and maybe additional, controls which will be important in minimising the
realisation of the risk. All too often there is an assumption that the controls are there and are
operating effectively, without due consideration as to the validity of such an assumption.
Assurance frameworks are therefore evolving as a mechanism for providing comfort to board
members and senior management as to the strength of the organisation's controls.
To begin the process of establishing an assurance framework, organisations need to examine
the risks identified and the many controls which are considered to reduce the possibility of
that risk happening, and isolate the key controls the organisation truly relies upon.
In its simplest form the assurance framework will take each risk and, for each key control,
identify the documentary proof that the control is operating effectively. This documentary
proof might be a report from a senior manager, a recent positive opinion from internal audit
or a regulator's accreditation. The process of carrying out such an exercise will also identify
where there are gaps in assurance, and could be useful in planning the work of internal audit or
other actions which are required. An example of how an assurance framework operates is
detailed below.

Assurance Framework (example entry)
Risk: Business unable to operate when IT system fails. Loss of data.
Control identified: Contingency plan includes back-up facilities.
Documentation: Full test of contingency plan November 2012. Report on plan presented to December board meeting.
Additional actions required: A number of recommendations from the test need to be included in the revised plan. New plan due for completion February 2013 and retest planned March 2013.

The assurance framework will be extremely valuable to the board but does not have to be
brought to each meeting. The framework should be kept up to date and where a new risk
emerges the board may wish to examine the framework for that new risk only.

Conclusion
As Caldwell (2012) points out[10], a successful board risk oversight process requires the
presence of three distinct components: board confidence in management; access to relevant
and reliable information (such as the frameworks alluded to earlier); and effective functioning
of the board overall. This report further contends that board focus is best achieved through
the rigorous discussion of limits and willingness to accept risk in pursuit of defined returns.
In a public sector context, however, the outcomes of decisions must take account of a wide
array of stakeholders, beyond the primary focus on shareholder interest prevalent in the
private sector, adding to the complexity faced by public sector organisations and the outcomes
they are striving to achieve; and, as HM Treasury argues[11], outcomes inevitably impact
on the organisation, its performance and its reputation.
The complex environment public sector organisations face need not, however, result in ever
more complex calibrations of risk management response. In a recent paper published by the
Bank of England[12] on the complexity of modern finance and the regulatory response to it,
the following conclusion is reached:
"Modern finance is complex, perhaps too complex. Regulation of modern finance is complex,
almost certainly too complex. As you do not fight fire with fire, you do not fight complexity
with complexity. Because complexity creates uncertainty, not risk, it requires a regulatory
response grounded in simplicity, not complexity."
At a corporate level, in assessing how we govern and manage risk, we could do well to
adopt a similar 'keep it simple' approach, regardless of the apparent complexity faced.

[1] IFAC (2012), Evaluating and Improving Internal Control in Organizations, New York: IFAC.
[2] FRC (2011), Boards and Risk: A summary of discussions with companies, investors and advisers, London: FRC.
[3] ICGN (2010), ICGN Corporate Risk Oversight Guidelines, London: ICGN.
[4] HM Treasury (2009), Risk Management assessment framework: a tool for departments, London: HM Treasury.
[5] Northern Ireland Audit Office (2011), Good Practice in Risk Management, Belfast: NIAO. www.niao.gov.uk
[6] HM Treasury (2004), The Orange Book, London: HM Treasury.
[7] IFAC (2011), Global Survey on Risk Management and Internal Control: Results, Analysis, and Proposed Next Steps, New York: IFAC.
[8] Institute of Risk Management (2011), Risk Appetite & Tolerance Guidance Paper, London: IRM.
[9] HM Treasury (2006), Thinking about your risk: Setting and communicating your risk appetite, London: HM Treasury.
[10] Caldwell, J.E. (2012), A Framework for Board Oversight of Enterprise Risk, Toronto: Chartered Accountants of Canada.
[11] HM Treasury (2006), Thinking about your risk: Setting and communicating your risk appetite, London: HM Treasury.
[12] Haldane, A. and Madouros, V. (2012), The Dog and the Frisbee, London: Bank of England.

Gary Martin is a Senior Lecturer in Accounting at the University of Ulster. Colette Kane,
FCA, is a Director of the Northern Ireland Audit Office.

Source: http://www.charteredaccountants.ie/en/Members/Technical/CorporateGovernance/Corporate-Governance-Articles/The-role-of-the-board-in-risk-management--the-case-of-the-public-sector---Gary-Martin-and-Colette-Kane-FCA-/