Ten questions a board member should ask about risk management
Being a board member of a not-for-profit (NFP) organisation involves being accountable for the governance, ethos and strategic oversight of the organisation. It requires you to ensure the organisation is working effectively to achieve its mission.
On one hand, the board must be aware of the risks to the organisation and ensure they are eliminated where possible, or reduced where they can’t be eliminated. On the other hand, a board unwilling to take any risks at all may find the organisation dwindling over time, unable to keep up with its competitors because its lack of innovation is embedded in the culture.
Writing a risk appetite statement is a useful exercise to help bring the board and the executive into agreement, as it requires you to sift through what you are willing to take a risk on and what you are not. You can return to the document to help you make decisions, having already agreed that you are on the same wavelength regarding your willingness to take risks in the various areas of the organisation.
Your organisation should have a risk management policy.
These related policies will also be useful:
- Cyber Security Policy
- Privacy Policy
- Financial Controls Policy
- Fraud Policy
- Workplace Health & Safety Policy
A risk management register is a useful document to refer to at board meetings, or for the Finance, Risk and Audit Committee to take accountability for. It will help you as a board member to ensure risks are documented, mitigated, managed and discussed.
Here are 10 critical risk areas that board members should ask about to fulfil their responsibilities (to know why you should be asking these questions, download the full document):
1. Are we complying with all applicable laws and regulations?
2. How robust are our financial management systems (and what are they)?
3. What are the potential threats to our organisation’s reputation?
4. How effective is our strategy in responding to external environmental changes?
5. Are our governance structures appropriate and effective?
6. What operational risks could significantly affect our ability to operate effectively?
7. How are we managing risks related to our staff and volunteers?
8. How are we protecting the personal and sensitive information we hold?
9. How effective are our fundraising strategies and practices?
10. What is our organisational risk appetite? Are we too risk averse as an organisation, or too ready to take risks?