In advance of CFG's Risk Conference 2021, Ian Hanham, Director of Finance and Information Systems at the Nuffield Foundation, shares how a new approach and an assurance map can increase confidence in, and provide new insights into, the risks being monitored and managed by boards, senior management and audit committees.
In December 2018, the Nuffield Foundation provided a case study for use in an article about governance and risk management. The case study text at that time (so two years ago now) was as follows:
'At the Nuffield Foundation trustees and management have recognised that, for strategic risk management at least, the somewhat formulaic ‘probability’ and ‘impact’ approach can lead to more emphasis on the scoring mechanisms than on the deeper implications of the risks identified.
To avoid this trap we have developed an approach that frames each conversation to consider the gap between our risk appetite and the actual profile of a given risk. This has a number of advantages in comparison to some more widely used approaches, including:
- It recognises that risk assessment is more of a continuum than a precise point on a chart. It allows space to acknowledge the degree of uncertainty in evaluating risks.
- At its centre is the knowledge that failing to take sufficient risk can be as much of a problem as failing to mitigate against downside risks.
- As the primary question is ‘where are we furthest from our aspiration in terms of risk appetite?’, the discussions naturally become action-oriented and forward-looking.
While it is still early days of our deploying this approach, we believe it is offering a more fruitful focus on strategic risk management than is stimulated by conventional risk frameworks.'
The BDO article’s main conclusion was:
'In the 21st century and with the pace of change happening around us all, risk management must be a continual process to remain effective. Day to day activities will result in new risks and existing risks will become more or less significant - often over relatively short periods of time. An effective Board will therefore, in the context of a well established risk management framework, consider, review and monitor risks regularly to ensure they are able to respond effectively and remain focussed on delivering its objectives.'
Two years on, we continue to believe that we have an interestingly different approach to framing the strategic risk conversation. What we currently lack is an effective mechanism to test our risk assessments and to gain objective insights. We are therefore in the process of developing a framework against which we will commission independent assurance reviews; this will allow the Executive and the Audit and Risk Committee to test and challenge our assumptions.
In January, we will use the CFG Risk event and forum to ‘test drive’ our proposed approach and to use the experience and observations of peers to fine-tune the proposal that we will take to our Audit & Risk Committee in April. We look forward to seeing you there!
Speaker biography
Ian Hanham is the Director of Finance and Information Systems at the Nuffield Foundation. He has worked in the not-for-profit sector since 2007, in a range of roles covering finance, governance and broader operational management functions with the British Red Cross, EveryChild, WaterAid and the Workers Educational Association.
Prior to this he worked in the international oil and gas sector - at a best guess he started managing risk registers in 1997; he started trying to encourage colleagues not to get so obsessed with the risk ‘score’ and to focus instead on how to meaningfully manage the risks effectively shortly after that.
Alongside the day job he is the Chair of ECPAT UK, the Treasurer of Family for Every Child and is a trustee of Kindled Spirit.