Common failures of boards
Failure to take responsibility for risk at board level
Many boards outside regulated companies still see risk as something that they delegate to management with little or no real oversight from the board
This is often because the board members do not have the capacity to challenge management on the risks associated with the submissions they are receiving or on the operational risks of the business
The boards are then caught out when a crisis occurs having to be reactive rather than having been proactive in managing the risk
The CS can support the board to avoid this mistake by identifying the capacity gaps and discussing with the chair training opportunities to help fill them
It could also be that a board member with experience in risk could be appointed to help strengthen the board's capacity in this area
Strengthening the board through independent advice on certain potential risks is another action that could be taken
Failure to see the importance of risk to the organisation as a whole
Even when boards do take an interest in risk, they often delegate it to a board committee such as the audit committee or a risk committee
The whole board does not see the importance of risk to the organisation; they only receive soundbites
The board is also not sending the message to management that managing risk is important
The CS can ensure that all proposals to the board contain a section on the risks associated with the proposal and those associated with not approving the proposal
These risks should be discussed by the board and the CS should ensure that these discussions are minuted
They should also ensure that the board has a regular agenda item to discuss risk
Failure to capture the major risks of the organisation
The review of the risk register, if one is even presented at board level, can be a mechanical rather than a qualitative discussion on the real risks for the business
The major risks faced by the organisation are often missed by this exercise
The CS can help the board avoid this mistake by suggesting to the chair that he ask the CEO 'What is currently keeping them awake at night?' - this gives recognition to the fact that risks can continually change
They are not always static
The chair could also ask board members to brainstorm what risks they think are relevant to the organisation and compare them to those in the risk register.
The board could also ask for a consultant to advise them on the major risks the organisation may be facing
Failure to consider the integrated nature of risk
Some boards fail to understand how a potential risk affects the operations of the organisation as a whole
They split risk up into silos
Financial risks are dealt with by the finance department, HR risks by HR and legal risks by the legal department
The board makes decisions silo by silo rather than treating risk as being inter-related across the whole business
A risk in one part of the business could be an opportunity elsewhere or mitigating a risk in a certain way in one part of the business could create a far bigger risk elsewhere
Risk needs to be integrated into the organisation's strategic planning processes and decision making
The CS can help the board avoid this mistake by highlighting the connections between different proposals and departments
Part of the role of the CS is to be the conduit for all information flowing to the board
By reading and listening to what management is proposing, they should be in a position to advise the board on the integrated risk picture
Failure to put in place the appropriate controls or other mitigants for risk
This is often a by-product of the board failing to understand the true nature of risk in their organisation
The CS can help the board avoid this failure by ensuring that both they and the board are exposed to information on the types of risks that may affect the business
These risks change as the environment within which the organisation operates changes
Recent risks organisations are having to come to terms with are those related to data protection, cyberattacks, Brexit and climate change
The impact of each will vary depending on the business of the organisation
Exposure can be gained through training and seeking the advice of experts in the field
The CS should ensure that time is allocated within the board's agenda for these types of discussions
These could be held during a board meeting or at a separate information session for the board and management
The CS could also work with the internal audit function to help the board identify whether the appropriate internal controls and mitigants are in place
Internal audit should check whether the 3 types of controls are in place
Internal audit should carry out an annual assessment of the adequacy of the risk management and internal control systems within the organisation - this should create a wealth of information for the board to work with on improving both systems
Failure to manage reputational risk
Reputational risk can be one of the most damaging risks for an organisation and requires careful management
A reputation takes years to build but can be damaged in a second
Boards should discuss the reputational impact and potential risks to their reputation of the decisions they make
The CS can assist the board by making sure information that can support these discussions is made available to the board
Boards should engage with major shareholders and other stakeholders to get feedback on actions the board is planning to take
Management should support this through surveys and impact studies and the CS should be prompting management where this information is lacking within a proposal
Failure by the board to map out clearly who has responsibility for what at different levels of the organisation
For individuals or bodies within the organisation to be held accountable, it is important for their roles to be clearly defined
By carrying out this exercise, gaps in responsibility can be identified and resolved
For successful risk management there needs to be a combination of strong oversight by the board and assessment, management and monitoring by management
This can only occur if everyone within the organisation plays their part; they can only do this if they know what is expected of them
All employees should be aware that they have a responsibility for risk management
Processes should be in place where different departments discuss their risks and the interrelated nature of them across the business on a regular basis. This process should be set out in a risk manual which should be approved by the board
The CS can assist the board and management by ensuring that a risk manual is put in place and that the process it describes is actually implemented within the organisation
Feedback on its implementation should be provided to the board and the CS can ensure that time is made available on the board's agenda for this to occur
The risk manual should also be reviewed at least annually
Failure to consider, decide or articulate effectively the risk appetite for the organisation
The expectations of shareholders and other stakeholders such as employees, customers and suppliers should be taken into consideration when making decisions about risk appetite
Even where risk appetite is considered by the board, there is often no following through as far as other policies and procedures are concerned to ensure that they encourage behaviours in line with the risk appetite. E.g. are the remuneration and reward practices within the organisation supporting the risk appetite?
The CS should ensure that discussions about risk appetite are on the board's agenda and should advise the board to consider the impact on risk appetite of any policy and procedural changes that are submitted to them for approval
The CS should also advise the board to seek assurance from internal audit that the risk appetite of the organisation is reflective of the levels agreed by the board
The CS should watch out for examples where policies and procedures may be creating a different outcome as far as risk appetite is concerned than was anticipated by the board when introducing them and advise the board/management accordingly
Failure to obtain and share timely and good quality information
This can lead to heightened risk within an organisation
This is an important part of the CS role as the position has responsibility for ensuring that the board receives all the relevant information for effective decision making and then communicates to management and other stakeholders the decisions made by the board
The CS should ensure that they have the processes, networks and resources to ensure this happens. Examples of these are:
Build relationships with members of the management team and staff in key positions to enable the company secretary to build a network to help them understand the nature of the business and obtain information about the business and particular projects
Read and query where information is not clear in submissions to the board. The CS should not be afraid to challenge management on the submissions and ask for additional information if this would assist the board in its decision making
Supplement information during the board discussions if this would assist the decision making process. This should always be done through the chair and wherever possible with knowledge of management
Have a policy that board decisions are communicated from the CS prior to implementation so that there are no misunderstandings as to what the board has decided