• About us
  • Raising the Bar
  • Raising your Game
  • The Extra G - Geopolitical
  • Risk Matters - Roundtables
  • Leadership Team
  • Events
  • Blog
  • Contact
  • Menu

The Risk Coalition

  • About us
  • Raising the Bar
  • Raising your Game
  • The Extra G - Geopolitical
  • Risk Matters - Roundtables
  • Leadership Team
  • Events
  • Blog
  • Contact
pexels-engin-akyurt-1552617.jpg

Objective-led risk management and oversight: extreme organisational agility in action?

February 24, 2021

When we created the Risk Coalition’s guidance, Raising the Bar, we heard that help was needed to apply this across organisations of various types.  My experience suggests it can be used by all.  This example is from the public sector, but could your own organisation need to behave in a similar manner?

I was brought on the board as an experienced chair for the audit committee, but the board quickly realised there was a need for an improved risk focus – in part, as our owning Department said so too!

Not unusually I was asked to expand the audit committee to be ‘Audit & Risk’, although I had found from experience that a ‘Risk then Audit’ agenda is more likely to be forward looking – good risk mitigation could be expected to leave less audit issues in its wake.

Our initial risk setup focus was to be on two main topics:

  1. Creating a risk register, through combining a ‘front line’ view of risks, with the strategic risk perspective of the board – then rating key risks by likelihood and severity

  2. A broad training exercise to encourage staff to help identify, escalate and mitigate risks at every level and through normal management practices.

BUT we struggled to achieve the first, when we realised that the board and its stakeholders lacked agreed clarity of Purpose and Objectives.  How could we create a Key Risk Register without previously agreeing what we were accountable for as a board? 

This question kicked off a board-led strategic planning exercise with stakeholders (including our sponsoring Department, multiple other funding departments and those parties we delivered services to, or we engaged alongside).  Once we had clarified our purpose and objectives, the regenerated Risk & Audit committee started to operate effectively in support of the board, UNTIL…

A new government was elected which had similar ideas regarding local business growth objectives, but very different ideas on how that should be supported by government. It might even be suggested that, because the other lot set up the previous regime, it needed to be replaced with a new one!

A new objective came down from above, which was to close down this operation within six months, including releasing all 2,000 staff, multiple buildings, IT systems, supplier contracts and more – either through finding new homes or ending those relationships with or without smooth landings. 

The Committee had to ‘turn on a six-pence’ and cascade this new objective into a project plan where risks could be identified and mitigated up-front for an assured on-time and on-budget closure of operations and assets.  This was objective-led risk management on steroids!

The externally assigned project manager later reported that this was the very first project where ALL the risks had been identified in advance.  WOW.  At on-time completion we were asked to write a report on how others could achieve the same, but this was little used as it was ‘far too obvious’.  Ouch.

Conclusion: Objective-led risk management is a practical capability that exists and can be agile.

 

Bryan Foss is an experienced NED, FRC advisor and co-author of Risk Guidance; he also mentors high growth technology founders and senior executives of blue-chip companies into their early NED roles

Tags: Bryan Foss
Prev / Next

Blog

Featured
Apr 15, 2025
Vera Cherepanova
The future of ESG: navigating a fragmented landscape
Apr 15, 2025
Vera Cherepanova
Apr 15, 2025
Vera Cherepanova
Mar 6, 2025
Mo Warsame, Gavin Hayes
Internal audit and risk management must work together to navigate uncertainty
Mar 6, 2025
Mo Warsame, Gavin Hayes
Mar 6, 2025
Mo Warsame, Gavin Hayes
Sep 4, 2024
Polly Williams, Mia Harris
Three key threats of phishing to be aware of
Sep 4, 2024
Polly Williams, Mia Harris
Sep 4, 2024
Polly Williams, Mia Harris
Aug 25, 2024
Felix Ritchie
Principles versus rules in data and corporate governance
Aug 25, 2024
Felix Ritchie
Aug 25, 2024
Felix Ritchie
Jul 16, 2024
Jane Hunter, Mia Harris
How can you maintain high standards in your business without suffering burnout?
Jul 16, 2024
Jane Hunter, Mia Harris
Jul 16, 2024
Jane Hunter, Mia Harris
Jun 2, 2024
Afshan Moeed
Enforcement of individual accountability in UK banking: a new boardroom recipe for change or continuity?
Jun 2, 2024
Afshan Moeed
Jun 2, 2024
Afshan Moeed
May 28, 2024
Craig Morris, Mia Harris
Three exciting new developments for AI in 2024 that you need to know about
May 28, 2024
Craig Morris, Mia Harris
May 28, 2024
Craig Morris, Mia Harris
May 24, 2024
Stefan Hunziker
The stuff of nightmares: risk management is shut down, and nobody notices
May 24, 2024
Stefan Hunziker
May 24, 2024
Stefan Hunziker
Mar 20, 2024
Neil Tinegate
What should boards know about digital technology?
Mar 20, 2024
Neil Tinegate
Mar 20, 2024
Neil Tinegate
Mar 15, 2024
Francis Kean
The insolvency risk for company directors - are you swimming naked?
Mar 15, 2024
Francis Kean
Mar 15, 2024
Francis Kean
Feb 29, 2024
Andy Watkins-Child
Are you sitting comfortably?  Cyber risk, board attestations and the implications for NEDs
Feb 29, 2024
Andy Watkins-Child
Feb 29, 2024
Andy Watkins-Child
Oct 24, 2023
Mamun Madaser
Risk management and internal audit should collaborate to navigate the poly-crisis of risk
Oct 24, 2023
Mamun Madaser
Oct 24, 2023
Mamun Madaser
Oct 18, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 2
Oct 18, 2023
Jim Watson
Oct 18, 2023
Jim Watson
Oct 13, 2023
Nisha Sanghani
Risk management and internal controls: much (needed) work to do as a result of the proposed changes to the UK Corporate Governance Code
Oct 13, 2023
Nisha Sanghani
Oct 13, 2023
Nisha Sanghani
Oct 9, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 1
Oct 9, 2023
Jim Watson
Oct 9, 2023
Jim Watson