Just as strategic mindsets can be framed in polarised pairs like Growth Vs Fixed, or Solution Vs Problem Oriented, risk management mindsets can also be described as Blocking or Enabling (see header illustration). While reducing any complex matter to a simple binary choice can lead to distorted thinking, when considering your risk mindset it is helpful to challenge the widely held view that effective risk management is a barrier to achieving your goals.
Best practice risk management involves maintaining three lines of defence to prevent and mitigate risk events:
1st Line – board and management controls such as policies, procedures, delegation limits, etc.
2nd Line – board and management oversight, including reporting relationships, dashboards and standard monitoring reports, supervisory arrangements etc., and
3rd Line – internal audit, which in small non-profit entities are likely to require engagement of specialist advisors to review projects, programs, and operational matters over and above the annual audit of management systems and the organisation’s accounts.
These three lines of defence are often considered impediments to achieving desired outcomes when proposals are brought before the board for deliberation. Board document templates invariably include a section on the risks associated with the proposal or issue at hand, although the risk of inaction is not necessarily assessed. Risk averse boards can see every risk as a potential reason not to undertake an initiative, and so find themselves frustrating members and staff who see a need, and believe the risk of inaction is worse than taking the recommended action.
Seeing the lines of defence as arguments against proceeding with a proposal misconstrues the function of these defences, which instead should be seen as guardrails and guiderails, controlling the likelihood of an adverse event or outcome, and anticipating mitigation measures required in the event an incident does occur. The schematic below compares these two perspectives on use of the three lines of defence, and it may help your Risk Committee and Board to see that applying risk management measures as enablers can enhance the strategic performance of your organisation.