Adapted from Chapter 36

Governing Risk, Not Managing It

The board's job is not to eliminate risk. It is to ensure the company is taking the risks it has chosen to take.

By Peter Burchardt · 8 min read

Every company is, at its substance, a portfolio of risks. The company exists because someone has decided that the expected return on those risks is worth the capital and effort required to bear them. The chief executive's job is to manage the risks; the board's job is to govern them.

Two questions that anchor the work

"Are we taking the risks we have chosen to take?" and "Can we absorb them if they materialise?"

These two questions, asked persistently, anchor the board's risk work. The framing distinguishes serious risk governance from the bureaucratic version. The bureaucratic version produces risk registers, heat maps, control matrices, and quarterly updates that the board ratifies. The serious version produces a real understanding of the risks the company is taking.

The architecture

A board's risk-governance architecture has four layers:

The risk-management framework. The institutional documentation that describes how risk is identified, categorised, assessed, monitored, and reported. Reviewed by the board annually, updated as the company's risk profile evolves.

The risk taxonomy. The categories into which the company's risks are organised — strategic, operational, financial, compliance, reputational, technology, human, environmental. What gets categorised gets managed; what is not categorised tends to be missed.

The risk register. The list of principal risks, each characterised by likelihood, impact, mitigations in place, residual risk, and ownership. This is where the risk work often goes wrong: the register becomes a clerical artefact, updated mechanically, that does not drive real discussion.

The reporting and escalation. The cadence at which risks are reported, the criteria for escalating particular risks, the mechanisms by which emerging risks are surfaced.

The discussions that matter

A board doing risk governance well conducts four kinds of discussion:

  • The annual risk-appetite review: what kind of company are we, expressed in risk terms?
  • The principal-risks review: twice a year or more, engaging with how each risk has evolved.
  • The emerging-risks discussion: geopolitical developments, regulatory shifts, technology disruption, climate.
  • The deep dives: two or three times a year, going beyond the standard reporting on a particular risk.

The architecture is the form. The substance is the discussion that the architecture supports. A board that has the architecture but not the discussion has compliance. A board that has both has governance.

This article is adapted from The Director's Craft by Peter Burchardt.